There is a growing recognition on Capitol Hill that the United States has to develop offensive cyber capabilities.
Members finally are beginning to realize how grave the situation is, experts say.
“Are we prepared for a cyber attack or cyber 9-11?” asks Rep. Mike McCaul (R-Texas), ranking member of the Homeland Security Committee. “We are being attacked. There have been massive intrusions into our federal networks. There has been espionage taking place. This goes beyond the federal government.”
Rep. Heather Wilson (R-N.M.) says maybe it's time Congress changed the laws that govern national security.
Technology has outpaced policy and Congress needs to consider how to develop policies that can adapt as the cyber threat changes, she says.
This drumbeat over the past few years, particularly from the Homeland Security Committee, has led the House to create a cybersecurity caucus. Rep. Jim Langevin (D-R.I.) announced the entity Tuesday. Langevin has been one of the most vocal critics of the federal cyber posture.
He says Congress and the administration must deal with this threat with urgency.
Thursday, the Intelligence Committee joined him in openly expressing concerns about how cyber attacks are affecting the federal government and industry.
This was the first open hearing the Intelligence Committee has held on cybersecurity this session.
One big question committee members asked was: When is it appropriate to use military force in response to, or ahead of, a potential cyber attack?
Paul Kurtz, a former White House cybersecurity advisor and now a consultant with Good Harbor Consulting, testified that it is very difficult to know who is behind the attacks or where they are coming from.
“Until we start to get clarity in that piece, it will be difficult to contemplate the military option,” Kurtz says.
John Nagengast, a former NSA official and now an executive director for strategic initiatives for AT&T, says the United States needs an offensive doctrine.
“We need to consider what are the deterrent factors and how do we package that for consumption on an international basis,” he says.
Beyond offensive capabilities, support among lawmakers is growing for the upcoming recommendation by the Cyber Security Commission for the 44th Presidency to move the oversight and policy functions for cybersecurity to the White House.
All of the witnesses at the hearing are on the commission, which is due to release its report in November.
McCaul calls the idea of elevating cybersecurity to the White House a good one.
Rep. Anna Eshoo (D-Calif.) says that without top-level leadership, cybersecurity will have no direction.
Eshoo even wants the Intelligence Committee to develop a white paper on cybersecurity for the next administration.
“We need to consider Congress oversight to make sure we have the right coordination,” she says. “We should examine our structure to allow for things to move forward.”
Patrick Howard, the chief information security officer at the Nuclear Regulatory Commission, also says he supports the move to the White House. Howard spoke at the AFFIRM lunch in Washington Thursday.
“The focus is needed on cybersecurity so it may be a good thing,” he says.
Jerry Davis, NASA’s CISO, says he too supports such a move. But Davis warns that the government cannot afford to start over with a number of initiatives that are beginning to make progress.
“The key thing to this initiative is it gives rise to the importance of cybersecurity,” Davis said after the AFFIRM lunch. “The key is resources. Do we have enough resources? The threat is getting smarter and smarter and resources are more of a short supply. To have a focus at that level is a good thing.”
Good Harbor’s Kurtz says there is a cybersecurity advisor now in the White House. But the position is focused on homeland security and not national or international security of the country’s cyber assets.