It's been a bleak April for the nation's cybersecurity. With hacks reported in the U.S. electrical grid and the Pentagon's Joint Strike Fighter program -- not to mention the continuing specter of debilitating worms and viruses -- officials are facing a battery of new questions about a persistent problem.
Rep. Jim Langevin, D-R.I., co-founded and co-chairs the House Cybersecurity Caucus, and he recently co-chaired a cybersecurity report from the Center for Strategic and International Studies for the 44th presidency. In a recent interview with National Journal's Winter Casey, Langevin discussed the importance of a national cyberspace office in the White House and a comprehensive security effort throughout not just the government, but the private sector as well.
Edited excerpts follow.
NJ: What do you know about spies from Russia and China penetrating the U.S. electrical grid?
Langevin: I would rather not get into any classified intelligence information. But I will say that the threats to our electric grid and our vulnerabilities to potential cyber attack in general are very real, and they continue to grow, and they do concern me. I spent a great deal of time in the last year on this issue and will continue to pay a lot of attention to it.
NJ: Have spies penetrated other U.S. infrastructure?
Langevin: We know that there have been and still are a number of cyber penetrations across all levels of government. Some of those have been incidents where our computers have been probed. Others have actually resulted in terabytes of digital information being exfiltrated from our computer networks.
NJ: What do you think of the government's response to the Conficker worm, which has infected millions of Windows-based computers?
Langevin: I was pleased to see that the Department of Homeland Security's Computer Emergency Readiness Team was prepared for attack and released a detection tool for federal agencies, state and local governments, and critical infrastructure operators. Unfortunately, of course, the patch was provided without much lead time, so I'm hopeful that in the future we can provide some additional time for action. However, I applaud the overall effort and hope that this type of response to the private and public sectors can be a model to build on in the future.
NJ: What's the biggest problem the country faces on the cybersecurity front as you see it?
Langevin: Where the most damage can be done is the area of protecting critical infrastructure. I think we particularly need to focus there first as a top priority.... Organizational overlap, bureaucratic infighting, confusion over jurisdiction -- these are failures that keep our defenses from being as strong as they could be.
NJ: What should the role of Congress be in ensuring the nation's networks stay as safe as possible?
Langevin: Congress in general does have a strong oversight role to play, and it's going to be vitally important that we work with the administration to make sure that the right strategy is adopted on how best to do cybersecurity, and I certainly look forward to working with the administration to do that -- and with Melissa Hathaway, of course, and my colleagues in Congress.
NJ: Should the White House be in charge of ensuring cybersecurity in both the public and private sector?
Langevin: With respect to public and private sector, I believe that that relationship is, in many ways, going to be dependent on a collaborative relationship between public and private. And certainly with respect to protecting government networks, there should be a special assistant to the president for cybersecurity and someone that has budgetary and policy authority across the various departments and agencies. Now, each department and agency will still have its own responsibility to carry out the policy, the recommendations and the directions from the White House for what they need to do to secure their own departments and agencies. So the CIOs and CISOs [chief information security officers] are still going to have a strong role to play and responsibilities to carry out to ensure cybersecurity. And then there's going to have to be some direction -- maybe legislation, regulation, but most especially partnerships -- that will be required between public and private sector, including critical infrastructure, which can be quasi-government, quasi-independent.
NJ: What kind of requirements should be placed on the private sector?
Langevin: Clearly, incentives are not enough to govern what's done in the private sector.... I think that a new partnership with more clearly defined responsibilities and emphasis on building trust among the partners and a focus on operational activities is going to result in more progress.
NJ: Do you see the efforts this year both on the Hill and in the administration as complementary?
Langevin: I think that there is finally a good understanding both in Congress and the administration of just how serious this issue is, how great the threats are to our nation's security, and how urgent it is that we shore up our cyber vulnerabilities across all sectors: government, critical infrastructure and also the private sector.... We've got to work harder to stay one step ahead of the bad guys.
NJ: What do you think of the resignation of Homeland Security Department cybersecurity chief Rod Beckstrom?
Langevin: I thought that the resignation of Rod Beckstrom was unfortunate. Rod was a great asset to our cyber efforts and I really enjoyed working with him, and it's certainly a shame to lose him. Unfortunately, he was given the nearly impossible task of coordinating cyber policy from within one agency, and I don't know that he had the resources or the support that he really needed to get the job done.
NJ: You are not in favor of putting the National Security Agency in charge of cybersecurity?
Langevin: I think that the NSA has a lot to offer with respect to cybersecurity. The NSA has a number of incredibly talented people, and it has a strong role to play in protecting our nation from cyber attacks. However... I believe that an issue which is as large and complex as cybersecurity shouldn't be the domain of just one agency, and these efforts really need to be coordinated both at a policy and budgetary level from the White House.
NJ: What legislation might you support on cybersecurity?
Langevin: I think we're going to need to see a mix of legislation, regulation, incentives and awareness-raising steps to improve the security of our networks. I'm waiting to see the release of the administration's 60-day review on cyber policy, and I hope that will help guide our efforts in the months and years to come and highlight some security gaps that need to be filled. I will additionally be working to implement the recommendations of the CSIS Commission on Cybersecurity, of which I was proud to be a co-chair, and if that means introducing legislation to more directly codify the findings of the CSIS commission to see those enacted to law, then I will do that.
NJ: What do you think of the Rockefeller-Snowe bill?
Langevin: Well, I'm still reviewing the legislation, but it's unlikely that I would support putting the responsibility for cybersecurity in the Department of Commerce. I would still stand by the findings of the CSIS report that said that cybersecurity needs to be coordinated at the highest levels of the White House within the administration so that both policy and budget authority can be coordinated across agencies. This issue is too big, I believe, and too important for it to reside in just one single agency, including the NSA. It is my strong preference that the administration follow the recommendations of the CSIS report and create a special assistant to the president for cyberspace and that there be a national office for cyberspace within the White House. I know that the administration right now is conducting a 60-day review, I've had the opportunity to talk to Melissa Hathaway, and I support the administration's efforts of the 60-day review.
NJ: The private sector seems nervous about some of the legislation in Congress. Do you think it's important to make sure the private sector doesn't face any extra burdens with any of this legislation?
Langevin: The private sector has to understand that they control a lot of our nation's critical infrastructure. It's not just about shutting down their business. If our banking sector is affected, that means our economy is affected. If the electric grid is shut down, it's not just about shutting down a business entity that doesn't have other consequences; this could seriously impact a whole sector or region of the country -- if not the entire country itself -- and we can't just sit back and allow the private sector to say, "Don't worry, we've got this one." Critical infrastructure is just too important to our security and to our economy.... The Y2K issue is a good model to follow....
I hope that the country never faces a cyber 9/11, but certainly that is something that keeps me up late at night, something that concerns me, and I'm going to do everything I can to work with my colleagues and the administration to prevent a cyber 9/11 from occurring in this country.
CongressDaily's Chris Strohm also contributed to this report.