Republicans and cybersecurity experts warned that the United States must move faster and act more aggressively to counter foreign cyber threats during a Jan. 13 hearing held by the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
As foreign nations increasingly target U.S. critical infrastructure, the subcommittee members examined how the federal government and private sector can better partner to build what lawmakers described as a “proactive, coordinated, and forward-leaning” cyber posture.
“The subcommittee is meeting to examine a reality that the United States can no longer afford to avoid, namely that deterrence in cyberspace does not exist without credible, lawful, and operational offensive cyber capabilities,” said subcommittee chairman U.S. Rep. Andy Ogles (R-TN). “Defense alone is not sufficient. Resilience alone is not sufficient. Public attribution alone is not sufficient.
“Our witnesses will help us assess how offensive cyber capabilities can be responsibly integrated into a modern homeland security framework,” he added.
Hearing participants called for closer public-private collaboration, expanded authorities, and a shift from reactive defenses to proactive disruption of adversaries, according to their testimonies.
Witnesses included Drew Bagley, chief privacy officer at CrowdStrike; Joe Lin, co-founder and chief executive officer of Twenty Technologies; Emily Harding, vice president of the defense and security department at the Center for Strategic and International Studies; and Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University.
In his testimony, Bagley outlined a series of steps he said are necessary to meet the growing cyber threat, and emphasized both defense and deterrence.
Bagley recommended that public and private organizations take reasonable actions to defend themselves with a focus on threat hunting and identity security, and that the cybersecurity community “radically increase the operational tempo of malicious infrastructure disruptions and take downs.”
“Given its stakeholder engagement functions, CISA should be central to coordinating public and private actors to this end,” he said.
Additionally, federal law enforcement, along with Title 10 and Title 50 entities, should work to increase deterrence, and America must defend AI systems and leverage AI to defend enterprises, Bagley said.
“As we adopt new technologies, features and abilities, we must adapt how we secure them,” he said. “Today, this means we must think about how we detect, prevent, and defend an attack surface that now includes AI.”
Ogles asked the panelists about what policies Congress should prioritize to empower the private sector to play a more direct role in deterring cyber adversaries.
Lin said that authorities already exist but need to be used in a more sustained, scaled manner.
“The ability to use law enforcement authorities in combination in concert with Title 18, Title 10, and Title 50 is absolutely critical,” Lin testified. “But number two. I think what needs to shift here is a mindset, not just around doing episodic one-off operations of disruption, which are important and critical and can be successful, have been proven to be successful… But what does it take to match the speed and scale of our adversaries, to match the scope of what it is that they’re conducting against us?”
Ogles later asked about the distinction between deterring intelligence collection and deterring disruptive cyber operations. Harding said not all intrusions are equal.
“Ideally, yes, you’d be able to establish deterrence in an intelligent sense, and you’d be able to say, ‘okay, if you penetrate our networks, then you will feel consequences for that,’” Harding said. “It also is sort of a normal spy versus spy tit-for-tat. A very clear distinction, however, is between the Salt Typhoon kind of activity and the Volt Typhoon kind of activity. There is zero intelligence value in penetrating water networks, power networks — especially around military bases. That is there for one reason and one reason only: to disrupt the United States military in the case that we had to deploy suddenly.”
U.S. House Homeland Security Committee Chairman Andrew Garbarino (R-NY) questioned witnesses about the evolving role of the Cybersecurity and Infrastructure Security Agency (CISA) and what policies are needed to strengthen the nation’s cyber strategy.
Lin said cyber capabilities must be treated as integral to government operations across agencies.
“So, when HSI is conducting investigations, they should have the ability, the authority, the resources needed to be able to leverage cyber capabilities as part of their work,” Lin said. “When the Coast Guard is conducting missions, given their unique authorities — as my panelists have said — they should be able to leverage. They should have the capabilities and the toolsets needed to be able to leverage cyber, offensive cyber, as part of their core responsibilities.”
Cilluffo pointed out that there’s a strong need for clear authorities and stronger collaboration frameworks, and pointed to pending legislation.
“I think there are some authorities and some protections that are needed,” said Cilluffo. “Firstly, WIMWIG [the Widespread Information Management for the Welfare of Infrastructure and Government Act], you’ve got to get that over the goal line. That is essential.
“You can’t trust — the government is going to lose all confidence in the private sector if we can’t even get the basics,” said Cilluffo. “Imagine kicking us back a decade. That’s what we’re looking at here. That’s unacceptable.”
Cilluffo also said that the industry cannot act alone. “You do need to also look to what that combined operation could look like from a collaboration standpoint, not industry on its own, in conjunction with government,” he said.
U.S. Rep. Vince Fong (R-CA) asked how Congress could help build the future cyber workforce and reduce barriers to information sharing.
Lin emphasized the value of private-sector visibility, saying that private-sector companies, especially those in the cybersecurity domain, have extraordinary global sensor networks that rival those of even other signals intelligence agencies.
“So, it makes enormous sense for there to be very robust information sharing bidirectionally,” he said. “And it has to be bidirectionally.”