The road to better cybersecurity for government and the private sector looks like a long, uphill climb, with no concept of a finish line.
That was the sobering tone of the testimony heard today by the House Homeland Security Committee at its hearing on assessing cyber threats and building resilience against them.
Committee Chairman Bennie Thompson, D-Miss., talked about improving the government’s ability to assess threats and improve the resilience of networks to withstand cyberattacks, and said Congress now has a “ready and willing cybersecurity partner” in President Biden.
In particular, he noted that the White House has proposed “much needed” additional funding for Federal cybersecurity improvement and IT modernization efforts as part of the president’s $1.9 trillion coronavirus relief plan. However, the status of at least some of that additional funding appears to be in jeopardy – at least for near-term legislation – based on statements earlier this week from Rep. Gerry Connolly, D-Va., who said IT modernization funding in the relief bill is being blocked in the Senate.
Nonetheless, Rep. Thompson said “we must work quickly to make up for lost time” in engineering further security improvements. The road ahead won’t be easy, he said, explaining that it will still take “months” to understand the implications of the Russia-based hack of thousands of government and private sector networks via SolarWinds Orion products, and to root enemies from networks that were penetrated.
The Federal government, he said, must “raise the baseline” on cyber defense, and “must treat cybersecurity as a national priority, and not a boutique add-on.”
Testifying at the hearing, former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said the cybersecurity landscape is now “more complicated than ever,” and said that the aged condition of many networks means that “even the basics of cybersecurity are out of reach.”
He offered a list of recommendations that include installing “stronger cybersecurity leadership in industry, and more centralized oversight in government.” Krebs also said he favors making more support available for Federal IT modernization, and increasing cooperation between government and industry beyond current threat data-sharing arrangements.
“Meaningful progress will take time, and we may never see the finish line,” Krebs said, while adding, “but progress is possible.”
Sue Gordon, former principal deputy director of National Intelligence, said that offensive cyber capabilities have become a widely available “global commodity … the tool of anyone who wants to do harm.”
She offered several principles for improvement, including realizing that cybersecurity is not the exclusive responsibility of government, industry, or the United States. She also said that solutions cannot be exclusively technical, but need to address “the entire operating ecosystem.”