Transcript: Securing Cyberspace: Business and the Economy

MR. STARKS: Hello, and welcome to Washington Post Live. I’m Tim Starks. I’m the author of the Cybersecurity 202 newsletter here at The Washington Post.

Today we’re going to have two segments on cybersecurity and the economy. Later we’ll be joined by Congressman Jim Langevin. He’s a Democrat of Rhode Island and the co‑founder of the Congressional Cybersecurity Caucus.

But, first, we’re going to be joined by Dmitri Alperovitch. He is the coach‑‑the co‑founder‑‑the founder of the Silverado Policy Accelerator. Before that, he had been the co‑founder of the cybersecurity firm, CrowdStrike.

Dmitri Alperovitch, welcome back to Washington Post Live.

MR. ALPEROVITCH: Thanks so much, Tim.

MR. STARKS: It’s a lot for us to discuss, so let’s get started. We’ve seen Russia escalating its war in Ukraine with some attacks in Kyiv, with some attacks on critical infrastructure there, particularly energy facilities. Do you expect Russia to also simultaneously escalate its cyber ambitions in Ukraine?

MR. ALPEROVITCH: I don’t think that they’re going to dramatically increase the rate of cyberattacks in Ukraine, because frankly they’ve been targeting Ukraine at a pretty high clip of‑‑high ratio of attack tempo since the war began.

But what I do think we’re about to enter is probably one of the most dangerous times that we’ve had in the history of the cyber domain when it comes to our infrastructure here in the West, both because of what Russia may be doing against us as well as China, where we are both simultaneously entering a time of confrontation with both countries.

And when it comes to Russia, what is clear now is that Putin is steadily escalating this conflict, not just vis‑a‑vis Ukraine and many war crimes by targeting civilians and destroying their critical infrastructure, but also vis‑a‑vis the West. If it is proven that Russia was behind the destruction of the Nord Stream 1 and Nord Stream 2 pipelines that provided gas to Europe, that is a very ominous sign that they’re willing to directly attack infrastructure that could have potentially been of use down the road to the West.

And I think it shows that as he’s escalating his rhetoric, including the use of nuclear threats, as he’s mobilizing the Russian public, he may be willing to target the West, and cyber probably is going to be his first weapon of choice.

MR. STARKS: That’s what I was just about to ask you about, in fact. We have not seen a whole lot in terms of Russian attacks during this period on the U.S. in cyberspace. We did see some pro‑Russian hackers recently take credit for knocking down some airport websites in the U.S. Have you been surprised that not much has happened, and what do you think it would take for something‑‑for Russia to escalate in cyberspace with the U.S.?

MR. ALPEROVITCH: I have. You know, one of the things that surprised me since the war began is how little we have seen in terms of Russian retaliation vis‑a‑vis the West, both in cyber domain and even economically. Remember that Russia supplies not just energy to Europe but also lots of critical materials, everything from aluminum and nickel and uranium and titanium that is used in many of our industries. They have not worked hard to cut that off so far, and obviously, they have not targeted our infrastructure through cyberattacks either, despite these really aggressive sanctions that we have put on Russia in response to their invasion of Ukraine.

So I do think that we are entering a new phase of the conflict, though, where Putin is starting to realize that the war is not going well for him, and he’s steadily losing territory, including territory that he has recently tried to annex, and that may mean that he’s going to be much more willing to confront not just Ukraine, but also the West, who he believes, wrongly of course‑‑but he believes are controlling Zelensky and are controlling this conflict.

MR. STARKS: With those geopolitical dynamics in mind, kind of a three‑part question. What kind of attacks do you think Russia would be capable of pulling off against United States? What are perhaps the most probable kind, and what kind of attacks would you expect to get the most bang for their buck if they were to carry them out?

MR. ALPEROVITCH: Well, they’re very much obsessed with energy. You know, if you look at their rhetoric, if you look at the rhetoric of the CEO of Gazprom, Alexey Miller, they talk about Europe freezing this winter, and of course, they are doing their part to help that by cutting off the Nord Stream I pipeline that is providing gas to Europe by claiming that their turbines have all magically gone out of service in the last couple of months.

But, you know, they may also engage in cyberattacks to try to target the LNG facilities that are absolutely critical in compensating for the lost Russian gas that the Europeans are now receiving from other parts of the world. They may be targeting storage facilities. So they may be looking for ways to increase the pressure on Europe specifically and perhaps even on the United States and drive further prices.

They were very much obsessed when we had gas prices at $7 a gallon in some parts of the country early in the summer. That was making headlines all over Russian media, state‑sponsored media, state‑controlled media, I should say, and they may be looking for ways to drive that further.

They, of course, noticed that when one of the Russian‑based ransomware groups attacked the Colonial Pipeline last year, that that caused shortages and long lines on the East Coast. So that may be a blueprint that they may try to replicate going forward.

MR. STARKS: Right. You mentioned U.S. sanctions earlier. I want to come back to that. What kind of impact do you think the U.S. sanctions have had on Russia’s approach in cyberspace, its strategy, its ambitions, its goals?

MR. ALPEROVITCH: I don’t think it has. Obviously, the sanctions are crippling their financial sector and disconnecting from the rest of the world, and probably the most impactful measures that we have taken on the economic front has been the use of the so‑called “foreign product direct rule,” which is actually not a sanction but an export control measure that prevents the export of semiconductors into Russia. That is crippling their industry.

Semiconductors, of course, are essential to virtually every means of modern production these days, from military equipment to cars and microwaves and air conditioners and the like‑‑and electronics. And Russia has had a hard time importing chips. They’re not completely cut off. They’re still getting it from other sources, including China. They’re able to reuse chips from e‑waste. So you’re seeing a lot of washer and dryers in Ukraine being stolen by Russian troops. It’s not because there are no washers and dryers in Russia and they need to bring them back home. It’s because a lot of that equipment has valuable chips that you can reuse, including in military equipment.

MR. STARKS: So, given those limitations, I want to talk about what kind of deterrence you think could work. Back in April for The Post, you wrote “The most effective response would meet two potentially conflicting objectives, deterring further attacks, but not pushing the United States and Russia into an escalatory spiral that would lead to a hot war between the world’s two largest nuclear powers.” So what does that look like in practice?

MR. ALPEROVITCH: So what we try to articulate is a strategy for potential destructive cyberattacks, and of course, we’ll have to see whether their attacks that they launched are impactful or not. If they’re nuisance types of attacks, like what we saw from this group against the airline industry, that really does not, in my opinion, deserve much of a response. It doesn’t really have much of an impact, and we should not be risking escalation over that.

But, if there’s something that’s truly destructive or disruptive to our economy, that’s a different matter entirely. But instead of getting into a tit‑for‑tat in cyber with Russia, because obviously they can hit us back in many ways a lot harder than we can hit them because they’re going to be unconstrained by the rules of war‑‑we’ve already seeing that, of course, in Ukraine. They’re going to target our hospitals. They’re going to do things to us that we would never do to them. And the best way to do that is to demonstrate our ability to actually take them offline and to‑‑as a show of force, if you will, to do a demonstration where we could take their internet offline for 30 minutes or an hour. That wouldn’t cause significant impact to them but would show them what we are capable of if they don’t stop this activity.

MR. STARKS: It sounds like you were starting to get into a little bit of what I was about to ask you next, in fact, which is, at what point would you advocate for the U.S. to get more aggressive on offense in cyberspace? It sounds like you were talking about a big economic impact. Are there other sort of triggers that you would look?

MR. ALPEROVITCH: Well, I think you have to look at cyber in the context of the overall conflict and what you’re trying to achieve. Cyber is a means to an end, and at the end of the day, unless you tie it with other measures, whether it’s kinetic weaponry or it’s economic measures, you’re not going to have much of an effect. So, even if you look at the most effective cyberattacks, arguably in history‑‑I believe it was the Russian hack of Viasat that occurred on February 24th when they were able to shut down satellite communications across Ukraine via cyberattack. If they had only just done that cyberattack, it wouldn’t have had a whole lot of impact, but it was done in conjunction with kinetic action, with jamming action for other communications channels that the Ukraine were using, and as a result, you had, as Ukrainians themselves were reporting, near complete blackout of communications on the front lines, just as Russia was invading their country.

So that shows you how cyber can be very effective but only if it’s coordinated with other attacks and actions across other domains.

So we have to be very thoughtful about what we’re trying to achieve, what signal we’re trying to send, and how cyber can or maybe not play a role into that.

MR. STARKS: Bringing that Viasat hack up is interesting to me because we have seen Ukraine, after some initial discussion of how effective that was, simply kind of walk back how effective they thought it was. Is that spin from them, or has that been a reevaluation that others would agree with?

MR. ALPEROVITCH: Yeah. I mean, you have to remember what happened a few days later, which is that Elon Musk had come to their rescue and provided Starlink, which has become absolutely essential to their communications. So, yes, in the overall scheme of things, they were able to recover quickly because of, in part, help provided by SpaceX. But there’s no question that in those initial days, they were severely impacted by both that hack and other measures that the Russians were taking.

We now know that there was quite a bit of electronic warfare that the Russians were conducting, jamming operations, et cetera, that were quite effective.

MR. STARKS: You mentioned Russia’s willingness to go a little further than the U.S. would. There is, by some consensus, a general lack of consensus on the gray areas of cyber norms, and I’m wondering if you think that lack of real institutional cyber norms has given Russia more impunity to operate.

MR. ALPEROVITCH: Well, I actually disagree with the premise of your question. There’s actually quite a bit of consensus on cyber norms. In fact, you had a so‑called “group of 20 UN experts,” major countries like China, Russia, and United States come together and articulate norms of responsible cyber behavior a few years ago that was then approved by the UN General Assembly.

The issue is not that we lack norms. The issue is that we lack enforcement of norms. So, when those norms are violated, nothing tends to happen, particularly to great powers, and that’s of course not just a problem in cyber. It’s a problem in the physical world as well, as we’re witnessing in this conflict in Ukraine where the Russians are committing all sorts of horrible atrocities‑‑torture, rape and murder‑‑and they’re getting away with it so far at least.

MR. STARKS: Okay. I see that‑‑I see that distinction you’re raising.

Can we turn to China for a little bit? You have recently discussed President Biden’s export measures against the Chinese semiconductor agency‑‑sorry, semiconductor industry. You’ve talked about that being an act of‑‑a declaration of economic war. Why is that such an important step, and what do you expect China’s response to be? Will it move from just an economic response to include cyberspace, especially as it pertains to China’s historical theft of intellectual property?

MR. ALPEROVITCH: This is absolutely a huge action and completely unprecedented with that. We’re no longer targeting just individual companies. Of course, in the past, we have targeted companies like Huawei and ZTE in telecommunications sector and prevented them from importing U.S. technology or technology with U.S. intellectual property, like semiconductors that have‑‑that’s had crippling effects on a company like Huawei. But this is now targeting the entire sector, and it is not only about preventing them from accessing advanced technology, including equipment that they would need to manufacture their own chips. It is also preventing them from access to U.S. talent. So any U.S. permanent resident or a citizen or anyone actually living in the United States is prevented from working with a huge number of Chinese companies and universities and research facilities on anything related to semiconductors, and that is going to have huge effects on China, because you have a lot of expats, American citizens. They’re currently working in the Chinese sector. You have a lot of Taiwanese citizens that hold U.S. passport‑‑dual citizenship with the U.S., have U.S. passports, also work in China. All of those people are either going to have to give up U.S. citizenship, which I don’t doubt they will do, or leave that industry at the risk of prosecution under U.S. law.

So this is, I believe, a declaration of economic war. It is absolutely going to basically crush Xi Jinping’s plans to achieve chip independence by 2025, a key goal that he has had for more than a decade now, and is going to absolutely destroy their efforts at advancing their advanced technology industry over the coming decade.

I doubt that they’ll take it sitting down. Of course, they’re preoccupied this week with the party congress, and I don’t think that there is going to be any retaliation in the near term. But once they get past the Congress and the changes that Xi Jinping is implementing within the party, I think you will see retaliation, both against American companies in China as well as potentially through cyber operations to try to compensate for the loss of access to technology with IP theft. I don’t think it’s going to be enough, but they’re going to keep trying.

MR. STARKS: I know you’ve paid close attention to what’s happening between China and Taiwan right now. What role do you expect cyber might play were China to invade Iran‑‑I’m sorry‑‑invade Taiwan? And I know it’s not something that might happen in the near future from what I read from your comments, but what role do you think it would play if it did come to that?

MR. ALPEROVITCH: Well, I think cyber can play a role in preparing the battlefield. So China, unlike Russia, is convinced that it has potential to take Taiwan without firing a shot. I think they’re completely wrong on that, but they may try to use propaganda and disinformation, including the cyber domain, to try to convince the population that if war is coming, their best choice is to stop resisting and to acquiesce and join China. They may also use cyber to try to cut off communications if that initial effort fails and if they’ve actually decided to go to war.

And, you know, the unique vulnerability that Taiwan has, unlike Ukraine, is that it’s an island. There is no connection to the outside world except through undersea water‑‑undersea cables. They’re supplying much of the communications currently to the island. Those cables could be cut. It is within the power of China to do so if it launches an invasion. It can use jamming to try to block radio and satellite communications with the outside world. Cyber also will play a role in that and‑‑as we’ve seen in Ukraine‑‑and that is one of the biggest problems that the Taiwanese are going to have.

If you look at what Ukraine has done so incredibly well since this invasion began is they were able to communicate with outside world. They were able to showcase the pain that their population is suffering. They were able to galvanize the world opinion to their side. President Zelensky is putting out videos every single night that are watched by millions of people around the world.

If Taiwan is cut off from the outside world, it will not be able to do that, of course, and that may make China’s job much, much easier.

MR. STARKS: So this will probably be our last question. Looking more generally, is there a kind of attack that you think U.S. companies and the U.S. economy might be least prepared for right now?

MR. ALPEROVITCH: Well, any type of disruptive attack that targets our financial sector or targets our energy sector, of course, is going to be impactful. But the one thing to remember and the one thing that the Ukraine conflict shows uniquely well is that no cyberattack is likely to have long lasting impact. There’s always workarounds, and even as we’ve talked with Viasat, there was a workaround with Starlink being able to provide service. We’re going to get through this. It may be painful for a few days, but ultimately, the good thing about cyber is that it rarely causes physical destruction.

It is possible in a few occasions, particularly in the operational technology side, if you’re targeting turbines and if you’re targeting electric substations.

But outside of that, you can always rebuild. You can always, if you have backups, restore from backups, and even Colonial Pipeline was operational within a few days. So that’s the nice thing about cyber is that the effects are rarely permanent.

MR. STARKS: Yeah. There’s been some alarming discussions we’ve had here, but that’s a good positive note to end on, on what is not as dangerous.

We are, unfortunately, out of time. I want to thank you so much for joining us, Dmitri.

MR. ALPEROVITCH: Thank you so much, Tim.

MR. STARKS: So, up next, we’re going to hear from Congressman Jim Langevin but first a video. Please stay with us.

MS. KELLY: Hi there. I’m Suzanne Kelly, CEO and publisher of The Cipher Brief, a national security‑focused media publication.

We talk a lot at The Cipher Brief about cybersecurity, and today we’re going to talk about the intersection of digital innovation and cybersecurity. And joining me to talk about this is Ivan Shefrin. He is executive director of Managed Security Services at Comcast Business.

Ivan, thanks for being here.

MR. SHEFRIN: Good morning, Suzanne, and Happy Cybersecurity Month. It’s great to be here.

MS. KELLY: You know, everyone in the business community is talking so much about digital innovation and the benefits of it, but what they’re talking a little bit less about are the inherent cybersecurity risks that come with that innovation. So I thought I might ask you first off this morning, Ivan, how should businesses be thinking about managing the risk that comes with innovation?

MR. SHEFRIN: That’s a great question, Suzanne. So digital transformation at the end of the day allows us to go faster, bring new products and features and services to our customers or constituents and stakeholders.

But, in terms of cybersecurity, that comes at a slight cost, which is the risk of complexity. Complexity ends up being sort of the enemy of cybersecurity because we don’t always know‑‑and it’s not always easy to identify‑‑who has access to our crown jewel data and who’s processing that data.

We buy services that allow us to go faster from companies in‑‑public cloud providers, for example. But there are four main ways that hackers get into our systems to steal or destroy data, and that’s credentials, credential theft, phishing, vulnerabilities or exploiting vulnerabilities in software bugs, and then botnets of compromised computers on the internet worldwide.

So, as business and government transform and digitize their organizations, it’s equally important to build in ways to prevent and detect threats from those four main ways that companies get attacked.

MS. KELLY: And, Ivan, you know, hybrid work, I think we all know has really accelerated the adoption of cloud‑based technologies. How does that present a whole different set of cybersecurity challenges? And then more importantly, how are enterprises adapting to that?

MR. SHEFRIN: That’s a great question. So, at the end of the day, hybrid work means people working from home or offices that really aren’t protected by the standard cybersecurity controls that we’re mostly used to in the office, whether it’s a small business, midsize business, or large enterprise.

So one of the fundamental ways‑‑or pillars of cybersecurity is network security, of course, along with application security and user security and email security. Network security is a pretty critical component to make sure that the bad guys don’t get in. And, of course, when you’re working from home, you are using your home network, and it’s not ever going to be secured as well as the corporate network that you’re used to at work.

So we have to‑‑instead of just using remote access technology to VPN into our company environment, we’ve got to make sure that’s secured and that the traffic is also inspected.

I hope that answers your question.

MS. KELLY: It does, and it leads to another one, funny enough. We’ve seen such a growth of network‑connected devices, as you were talking about, particularly with employees having their own devices, the Internet of Things. How are these presenting new challenges?

MR. SHEFRIN: That’s a great question too. So it kind of goes back to my first answer, which is complexity is a challenge for cybersecurity.

So, when those devices are manufactured and built, it’s very difficult to understand the risk involved because we don’t know always who built them. We kind of have to take a leap of faith and trust that the firmware and software running on those devices, which may or may not be managed devices, allow us to do our work securely.

Many of those devices often contain vulnerabilities, and it’s up to the user themselves to patch those vulnerabilities and keep the software up to the date‑‑up to date. And many of the devices, it’s just not possible to update them. In fact, if it’s some, you know, IoT device or a smart refrigerator, the ones that aren’t as good just don’t have that kind of security built in.

So it means that we have to educate our users to keep our systems updated or keep their own personal systems updated and transfer some of that cybersecurity risk out to our user base. And, of course, users are the most vulnerable population of all. So that’s a challenge with remote work and hybrid work.

MS. KELLY: Yeah, one of many challenges. I agree.

Ivan, last question for today, how can business leaders be thinking more holistically really about digital growth and cybersecurity strategies?

MR. SHEFRIN: Yeah, that’s a great question too.

So, you know, digital business allows us to roll new and innovative features out much more quickly than ever before, right? We can serve business, lower cost to increase revenue and so forth through digital transformation and innovation, but it’s really important when rolling out these new technologies, not just to consider the feature itself, but also the infrastructure on which they run. And good security not‑‑involves not only the technology but also the people and process.

So we call this‑‑in cybersecurity, we call this “shifting left” and building security in from the start, not just on the technologies, not just on the third‑party systems that we depend on, but also the people and the processes on which they all depend.

MS. KELLY: I’m going to remember that phrase, “shifting left,” because this is something that every business out there right now is thinking about and trying to plan for, for the future.

Ivan Shefrin, executive director of Managed Security Services at Comcast Business, thanks so much for being here.

MR. SHEFRIN: Thanks, Suzanne. It was my pleasure. Have a great day.

And now back to our colleagues at The Washington Post.

MR. STARKS: Welcome back, or if you’re just joining us, welcome to Washington Post Live. I am Tim Starks. I’m the Cybersecurity 202 author here at The Washington Post.

I’m now joined by Congressman Jim Langevin. He is a Democrat from Rhode Island. He is also the co‑founder of the Congressional Cybersecurity Caucus.

Representative Langevin, welcome.

REP. LANGEVIN: Tim, great to be with you.

MR. STARKS: I know we just saw a little bit from you in Russia in that video, and we were just talking about it with Dmitri as well. Can we talk about what you’re seeing from Russia in terms of its capabilities, its goals, its strategies, and how that might have evolved since the invasion of Ukraine?

REP. LANGEVIN: Sure. Well, we know that cyberthreats still remain a significant challenge. What we haven’t seen is the massive cyberattacks that perhaps we had expected or the blowback here against the United States that could have happened because of our involvement and support of Ukraine and the work we’ve done, that President Biden has done to really rally the international community behind Ukraine.

But we can’t let our guard down. We know that cyber is still a significant threat, both to businesses, to our economy, and to our national security, and that’s why I’m so pleased that CISA has been so forward‑leaning on the direction of Director Jen Easterly with this Shields Up program, a constant reminder to businesses that we need to be vigilant and really have shields up and be ready.

MR. STARKS: More broadly, can you talk about the need for international rules of the road on cybersecurity?

REP. LANGEVIN: Yeah. International rules of the road are really important, especially among partners and allies and then joining together and being willing to respond when bad actors violate those norms. So think about the idea of not attacking another nation’s critical infrastructure in peacetime or a financial system and those types of things. Beyond that, if nation states or proxies do violate those norms, we need to be ready to use all‑source intelligence to identify those violations, call out the bad actors, and then shorten the timeline between identifying the bad actor and the punishment consequence that would result from those actions.

So it takes close coordination and communication with partners and allies, but calling out bad actors and then punishing them appropriately when they violate those norms is a critical part of that effort.

MR. STARKS: Do you have thoughts on what you think those norms should look like, what they should actually be?

REP. LANGEVIN: Sure. Well, as I identified a couple of them already, not attacking another country in times of‑‑in peacetime. Of course, the situation in Afghanistan, in Ukraine right now is clearly a war situation. We are trying to walk a very fine line, President Biden especially trying to walk a fine line between supporting the country of Ukraine, the Ukrainian people, and I admire their courage. We are grateful for their‑‑certainly their resilience, but at the same time not going so far as to get the United States into a war with Russia.

So we need to make sure that we continue to support all efforts to build up our resilience here at home and out of our partners and allies but recognizing that we could face a significant challenge in the cyber realm going forward.

MR. STARKS: We did recently hear from Albania’s prime minister in response to a cyberattack from Iran that he would have‑‑he contemplated invoking Article 5, NATO’s Article 5. That’s the principle of collective defense. When, or if, do you think that should ever be invoked for a cyberattack?

REP. LANGEVIN: Yeah. It’s a good question, Tim, and I would say in those areas where there is the loss of life or there is a disruption or destruction of national critical functions and to critical infrastructure, I think that would constitute an Article 5 violation. You know, this is always, of course, subject to interpretation, but when you specifically see significant damage or loss of life, that’s when the red line has been crossed.

MR. STARKS: Right. The next question I have for you is, who is it that you think poses the greatest threat to United States in cyberspace right now? And where do you think we’re the most vulnerable?

REP. LANGEVIN: Sure. Well, no shortage of bad actors or their proxies, but clearly, Russia, China, Iran, North Korea are among the top four of the bad actors out there that we have to worry about. Russia has significant cyber capabilities and could use them against us or our allies. We haven’t seen, as I said earlier, that level of cyber action or cyberattacks that we had expected, but we’re not out of the woods. I’ve said that many times before.

But I would say one of the biggest threats to our economy comes from China. China uses cyber not only for espionage but also for theft of intellectual property. Director Wray has identified China as the biggest threat to our economy because of the intellectual property that they’re stealing to the tune of probably trillions of dollars, and that leads to loss of productivity. It costs American jobs, and China has been, unfortunately, relatively unrestrained, and I think that’s an area we need to work harder to push back on China and their malicious cyber activity.

But the Iranians also play a role in cyber operations, and we’ve seen that in Montenegro and Albania, as you mentioned just recently.

MR. STARKS: Yeah. Speaking of China, some colleagues and I recently reported about FBI warnings to state political party headquarters in various states about Chinese scanning of those targets. At the same time, we’ve also heard from the administration that there are no specific or credible threats to the midterms right now. Can you talk about what fears or lack thereof you have about threats to the election infrastructure right now?

REP. LANGEVIN: Yeah. Look, great question there, and something that should concern all of us and, again, why we need to double down on our vigilance, making sure that our election systems and election equipment is protected.

They, right now, are priority customers, if you will, with CISA, and I know CISA is working very closely with state and local governments to make sure that whatever resources the federal government can bring to bear to assist and shoring up those defenses and that security of election systems and equipment. We are doing that.

I know that the administration has an all‑hands‑on‑deck approach right now with monitoring and watching out for bad actors trying to interfere with our elections.

But even the idea of posing doubt about the integrity of election could have severe consequences, and so that’s why we need to be ever vigilant. And I’m pleased that the steps that are being taken within the administration, CISA in particular, to make sure that those efforts are robust and working with state and locals to protect and‑‑or shore up our election systems.

MR. STARKS: We’re now going to go to a question from our audience. Jay Tanner asks, “How does Congress plan to support municipalities and smaller units of local government, many of which have extremely tight budgets in the ongoing cybersecurity conversation? Is there a role for public‑private partnerships in this space?”

REP. LANGEVIN: Yes. There’s absolutely a role for public‑private partnerships. We have provided some resources to a state, local, territorial, and tribal governments for building and resilience, and I’d like to see more done as we encourage states and municipalities to migrate data to the cloud where there can be stronger cybersecurity efforts, leaving cybersecurity efforts to those who are really good at it.

Look, the state and local governments will never have the resources to be able to detect against a pushback, a nation state intrusion or attack. We can buy down the risk of state and locals by, again, migrating data to the cloud, providing cloud security companies to do what they do best. I think it’s a partnership that we need to encourage.

But the federal government has a strong role to play. I know we provided some resources already, but we’re going to need to do more because we’re not meeting the need of what state and locals really need for resources to be able to accomplish that goal.

MR. STARKS: Over the time you’ve been in Congress, as your career here is winding down, you’ve been definitively one of the most authoritative voices on cyber. Can you talk about how Congress has evolved on that issue over your time?

REP. LANGEVIN: Sure. Well, I can tell you that the awareness level has been raised significantly, and we recognize that it’s an ongoing threat. I’ve often said that cybersecurity is never a problem that we’re going to be able to solve, but we can buy down our risks to something that is much more manageable. I’d say the big game changer on cybersecurity and Congress’s‑‑the ability and the willingness of Congress to act came as a result of the Cyberspace Solarium Commission. I was proud to be one of the commissioners on that, that commission, that was co‑chaired by Senator Angus King and Congressman Mike Gallagher, and it was a truly nonpartisan, bipartisan commission, where we just all rolled up our sleeves and did the hard work to come up with an overarching strategy to better protect the United States against cyberattacks of significant consequence. As a result of our efforts, there was some 80 recommendations that were produced. We were able to change‑‑put many of those recommendations into legislative form and get them enacted, a significant number of over 27 or so now, and I believe we’re on track to do even more in this‑‑in this next National Defense Authorization Act where we see many of those provisions included. So Congress has done more, and in terms of funding, per se, shoring up CISA, which is vitally important, we need to make sure that that is‑‑that that is the country’s premier cybersecurity agency for protecting the dot‑gov network and being a partner with the private sector. Again, we need to continue to grow that partnership because the public‑private partnership is essential. Government cannot do this on its own. Private sector can’t do it on its own. We need to be a stronger partner with the private sector and bringing resources to bear wherever possible.

But the Congress has done a lot in terms of raising its own awareness and providing funding to government agencies as well as state and local governments, but it’s an ongoing effort. We can’t let up now.

MR. STARKS: What would be the top thing Congress could, do you think, to tackle the difficult problem of the big cybersecurity workforce gap that we’re seeing?

REP. LANGEVIN: Yeah. Great question there, and that’s something that I have often tried to champion and call attention to, the fact that we are woefully under‑resourced right now in our workforce. We can have all the right policies in place, but if we don’t have the people to implement them, we are still not effectively protecting the country in cyberspace.

So we need to encourage more people to go into the field of cybersecurity. We need to recognize that it doesn’t always mean that you need a four‑year‑‑a traditional four‑year degree at a college or university. In cyber, it could be something of akin to a two‑year cyber degree at a community college or even a certificate program to help someone get their foot in the door to a meaningful career in cybersecurity. It’s a good‑paying job and providing an important service to the country or to state and local governments or in the private sector.

So, on the government side, we have the CyberCorps program, which had been a huge champion of‑‑because it’s a Scholarship for Service program. It helps pay for the tuition of those who are going into this field while they’re in college, and then when they come out, they agree to serve in federal, state, or local government for a period of two years to pay back their service. In the meantime, when they’re in school, not only is their tuition paid for, but they’re getting a stipend of over $30,000 a year.

So it’s a great program that I’ve been trying to expand. We have met with some success, but we need to continue to grow that program and also look at other efforts, especially at the high school level and encouraging our young people who, by the way, are digital natives growing up, understanding technology better than probably any of us ever will because we are learning about it, where they’re living it. And we need to harness that, that talent, the skill, and encourage them to put those skills to use in the field of cybersecurity.

MR. STARKS: I know one thing you’ve been working hard to get across the finish line here this year is the concept of systemically important critical infrastructure. This is the idea of finding these entities that are just the very most important parts of the critical infrastructure and doing more to protect them. There has been some pushback from industry on this. I wanted to see if you could explain why this is an important thing to get done and specifically what you might be doing to respond to the industry criticism.

REP. LANGEVIN: Sure. Well, I think industry is probably always leery about more requirements being put on them.

You know, I look at it more in terms of how could we better partner with industry and have greater situational awareness to understand what the systemic cyberthreats are and how we can mitigate those threats and share that information more broadly, more effectively, and more quickly.

So the idea of these SIEs, systemically important entities, would basically start off with what are the criteria of what qualifies as an SIE. I would argue that it’s those companies that are mature enough to do something with the threat information that is given, and also it’s those companies that if they were hit, that’s not just the company having a bad day as a result of a cyberattack, but the country would have a bad day as a result of a cyberattack. And so, again, that’s the kind of criteria that we need to look at for, I believe, SIE. I’d like to see some more specifics in terms of what qualifies or what companies would constitute being an SIE.

But then we also need to have some additional requirements, kind of a new social contract. That’s why I think that a joint collaborative environment is so important. Creating an entity that has basically a common operating toolset for giving broader situational awareness and being able to share information in real time, not just passing emails back and forth, but being able to actually see threat information and understanding that in context and being able to share it again in real time as opposed to just passing emails back and forth.

The SIEs, joint collaborative environment, of course, the JCDC, making sure that we’re doing effective cyber planning, those are the things where I think government and industry can and should partner more closely together.

MR. STARKS: What are your thoughts on the Biden administration’s approach that seems to be a bit more regulatory than past administrations on some key sectors? Today we saw them talking about‑‑or I guess yesterday we saw them talking about rail carriers and wanting to put more guidelines in place for them. Do you think that’s an appropriate approach?

REP. LANGEVIN: Sure. It’s a balance, right? In some way, it’s always best that we have the public‑private partnership and things are voluntary. When that fails, legislation or regulation might be appropriate.

I’ve often harkened back to why do we have the safest airline industry in the world. Well, you know, certainly, the airline companies want to get their passengers safely from point A to point B, but, you know, good intentions and hope is only going to get you so far. And that’s why you have the FAA or the NTSB that does, in some cases, provide appropriate regulation.

And so where it’s necessary through regulation, it should be considered, but always the front lines should be the public‑private partnership, wherever possible, or incentives wherever we can.

But, in some places‑‑first of all, I applaud the Biden administration for their work in cyber. In all the years that I’ve been doing this, I have not been more impressed than what I am with the Biden administration and what they’ve done. And that goes across other administrations, Democrat or Republican administrations. The Biden administration has done more than any other, and we finally now have the right structure, policies, and people in place to do the job of effectively‑‑more effectively protecting the country in cyberspace.

But, again, we need‑‑we need to continue to focus on the people because growing the workforce is very essential.

By the way, I’m pleased that Chris Inglis is on the job as our first national cyber director. It’s a position that I worked for over a decade to create, and finally, Chris is in place. And he’s the quarterback for helping to coordinate our cyber defensive policies especially, and he’s been a very effective voice in that role.

MR. STARKS: We have to leave in just one moment. Should we expect to see you working on cyber issues after you leave Congress now?

REP. LANGEVIN: You know, I’m sure I will be involved in cyber issues in some way, shape, or form. It’s been the highlight of my career to have served in Congress for 22 years, and it is certainly bittersweet as the end of the year approaches. And I am personally very proud of the role I played in cyber. It’s one of those areas where not many people were doing it, and I was able to grab onto this issue and work in a bipartisan way with colleagues, including Mike McCaul and Mike Gallagher and people like Dutch Ruppersberger on our Democratic side and several others to advance the cause, better protect the country in cyberspace.

So I’m sure that I’ll be involved in cyber in some way, shape, or form. What that will be yet, I’m not sure. But I’ll always be at the ready to assist in any way I can. It’s such an important issue and, again, not going away anytime soon, but we’ve got to get this right. It’s just too important to the country not to continue to focus.

MR. STARKS: I’m sure people are glad to hear you say that.

Unfortunately we are out of time. Thank you so much for joining us, Congressman Langevin.

REP. LANGEVIN: Thank you, Tim. Great to be with you.

MR. STARKS: So I want to thank all of you for joining us for this conversation. To check out what interviews we have coming up, please head to Washington Post, WashingtonPostLive.com to find more information about all of our upcoming programs.

I’m Tim Starks, and again, thank you so much for joining us.
