Members Encourage Flexible Policies over Top-Down Government Mandates
WASHINGTON, DC – The Energy and Commerce Committee and its Communications and Technology Subcommittee today held back-to-back hearings examining cyber threats and security solutions in an ever-evolving technological landscape.
“Cyber attacks have grown in scope and sophistication to include nearly every industry and asset that makes America work. That is why this committee is well-positioned to lead, oversee, and review policies and solutions to these wide-ranging and evolving threats,” said Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN), who chaired the hearing.
“As the nation becomes more reliant on digital communications technology, we also increase our exposure to cyber threats,” said Committee Chairman Fred Upton (R-MI). “But combatting such threats requires a cybersecurity regime that provides ample flexibility to afford owners and operators of critical infrastructure the ability to protect against and respond to rapidly evolving threats. A one-size-fits-all approach to cybersecurity is ill-suited for the diverse range of critical infrastructure sectors, each of which has its own complex characteristics.”
The full committee hearing focused on steps the federal government and the private sector are taking to bolster the security of our nation’s critical infrastructure and mitigate exposure to cyber attacks. Members discussed the president’s Executive Order to improve critical infrastructure cybersecurity, including the latest on the order’s implementation and the administration’s development of a voluntary cybersecurity framework. The committee also examined security solutions to better protect against cyber threats, including enhanced information sharing, public-private partnerships, and greater industry collaboration.
“Any efforts to better protect critical infrastructure need to be supported and implemented by the owners and operators of this infrastructure. It also reflects the reality that many in the private sector are already doing the right things to protect their systems and should not be diverted from those efforts through new requirements,” said Dr. Patrick D. Gallagher, Director of the National Institute of Standards and Technology (NIST).
Dave McCurdy, President of the American Gas Association and former chairman of the House Intelligence Committee, explained the need for reliable information sharing, telling the committee that improving the flow of information will allow the private sector to adequately prepare and respond to cyber threats. McCurdy said, “There is no single solution for absolute system protection. However, through a combination of cybersecurity processes and timely and credible information-sharing amongst the government intelligence community and industry operators, America’s natural gas delivery system remains protected, safe and reliable, and will remain so well into the future.”
Dr. Michael Papay, Vice President and Chief Information Security Officer of Northrop Grumman Information Systems, added, “We must be mindful, however, that our nation’s cybersecurity cannot be fixed with one law or policy change. Effective cybersecurity policies should be risk- based and as adaptable as the threat itself.”
Dr. Phyllis Schneck, Vice President and Chief Technology Officer of the Global Public Sector at McAfee, Inc., similarly called for “outcome based” approaches that allow for innovation and flexibility as technologies and threats evolve. “The problem is that sometimes regulation is overly specific about a technology and ends up hindering rather than helping companies to be optimally secure,” said Schneck. “Innovation, such as treating networks as smart, adaptive ecosystems that both produce and consume intelligence about threats, is also key.”
Speaking to the president’s Executive Order and its resulting framework, Duane Highley, President and CEO of the Electric Cooperatives of Arkansas, explained that a public-private partnership will aid both sides in their work to secure critical infrastructure. He said, “The framework should be focused on a much broader task, leveraging the federal government’s capabilities and expertise with that of the nation’s private sector critical infrastructure owners and operators, to ensure cybersecurity protection and resiliency through rapid sharing and adoption of voluntary standards, guidelines and best practices and close cooperation with our federal government partners.”
The Subcommittee on Communications and Technology hearing examined how to secure the communications network supply chain, focusing on potential vulnerabilities and the wide-ranging impacts on national security and the economy.
Subcommittee Chairman Greg Walden (R-OR) said, “Supply chain risk management is essential if we are to guard against those that would compromise network equipment or exploit the software that runs over and through it.”
Mark Goldstein, Director of Physical Infrastructure Issues at the Government Accountability Office, discussed the magnitude of our nation’s communications and technology networks and explained the vital role these networks play in the safe and secure operation of our country. He said, “The United States, like many other nations, is reliant on commercial communications networks for business and personal communication as well as for matters of national and economic security… Government, industry, and the public rely on communications networks to such a great degree that federal policy has included them in a category of national assets deemed critical infrastructure, making their protection a national priority. Many other critical infrastructure sectors such as banking and finance, energy, transportation systems, and water also rely on communications networks to sustain their operation.”
Dean Garfield, President and CEO of the Information Technology Industry Council, urged the government to tread lightly, as history shows that communications and technology companies have best innovated and responded to threats without government involvement. “The government has long recognized that taking a light touch approach to regulating the telecommunications industry has fostered innovation and competition, to the benefit of the American consumer,” said Garfield. “And all the while, the communications industry has been consistently cited as one of the leading sectors in cybersecurity. We encourage Congress to continue this light-touch approach when looking at the communications supply chain and thereby, to enable industry to respond to evolving threats with innovation, flexibility, and the most updated and appropriate global standards and best practices.”
To further examine ways to secure our nation’s communications supply chain, Subcommittee Chairman Walden today launched a bipartisan working group.