Opening Statement by Ranking Member Reed at SASC Hearing on Defending the Nation from Cyberattacks
Thank you, Mr. Chairman, for holding this hearing, and I welcome our witnesses today. The cyber threat facing our nation does not respect organizational or jurisdictional boundaries in the government. The Defense Department, the Intelligence Community, the FBI, and the Department of Homeland Security are all critical in countering the cyber threat, but each agency functions in silos under specialized laws and authorities. In order to be successful, we must develop an integrated, whole-of-government approach to strategic planning, resource allocation and execution of operations.
This problem is not unique to the cybersecurity mission. Violent extremism, narcotics and human trafficking, trans-national crime, proliferation of weapons of mass destruction, and other challenges require an effective whole-of-government response that cuts across the missions and responsibilities of departments and agencies. As issues become more complex, these cross-cutting problems are becoming more numerous and serious over time.
There have been various approaches to this problem, but with little demonstrated success. White House “czars” generally have few tools at their disposal, while a “lead agency” designated to address a cross-cutting challenge must also remain focused on the mission of its own organization.
Last year, President Obama signed PPD-41, the United States Cyber Incident Coordination Policy. It established a “Cyber Response Group” to pull together a whole-of-government response in the event of major cyber incidents. But these are ad hoc organizations, with little continuity, that come together only in response to events.
I believe what is needed instead is a framework with an integrated organizational structure authorized to plan and operate in peacetime against the constant aggression of cyber opponents. This arrangement has precedent. The Coast Guard is a service branch in the Department of Defense, but it is also a vital part of Department of Homeland Security. It has intelligence authorities, defense responsibilities, customs and border enforcement, and law enforcement authority. The Coast Guard exercises these blended authorities judiciously and responsibly, and enjoys the confidence of the American people. Therefore, we can solve this problem.
Last year’s National Defense Authorization Act created cross-functional teams to address problems that cut across the functional organizations in the Defense Department. These teams are composed of experts from the functional organizations, but rise above the parochial interests of their bureaucracies. The team leads would exercise executive authority delegated by the Secretary of Defense. Such an approach might be a model for the interagency to address a cross-cutting problem like cybersecurity.
There is urgency to our task. Russia attacked our election last year. They similarly attacked multiple European countries, the NATO Alliance, and the European Union. The Intelligence Community assures us that Russia will attack our upcoming mid-term elections. So far, we have seen no indication that the administration is taking action to prepare for this next inevitability.
Finally, the government cannot do this alone. As former Cyber Command and NSA Director, General Keith Alexander, testified, “While the primary responsibility of government is to defend the nation, the private sector also shares responsibility in creating the partnership necessary to make the defense of our nation possible. Neither the government nor the private sector can capably protect their systems and networks without extensive and close cooperation.” In many ways, the private sector is on the front lines of the cyber threat, and the government must work with them if we are to effectively counter that threat. We need a government strategy, but it must be in cooperation with the private sector.
I thank Chairman McCain for holding this hearing and for cosponsoring my legislation that is in the Banking Committee’s jurisdiction, S 536, the Cybersecurity Disclosure Act, which through disclosure and our federal securities laws tries to encourage companies to focus on avoiding cybersecurity risks before they turn into costly breaches.
I look forward to this morning’s testimony on how to develop and implement an effective whole-of-government strategy to address the cyber threat facing our nation.