WASHINGTON, D.C. –– Last week, the House Committee on Homeland Security held two hearings to address America’s cybersecurity vulnerabilities and examine potential solutions for the estimated two million cyberattacks the nation could face this year alone. On Wednesday, the Committee held a hearing with government witnesses to examine the nation’s cybersecurity workforce shortage of 500,000 vacancies and help the United States maintain an edge in the cyber domain. On Thursday, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) led a hearing to examine the United States’ critical infrastructure vulnerabilities and the role that cyber insurance can play in planning, response, and recovery efforts. 
 
In Wednesday’s hearing, Members questioned witnesses from the Department of Homeland Security (DHS), the Department of Defense (DOD), the National Institute of Standards and Technology (NIST), and the Office of the National Cyber Director (ONCD) on the gaps in federal hiring authorities, desired competencies for cyber professionals, ways to establish more accessible career pathways, and the effectiveness of public-private partnerships.

In Chairman Green’s prepared opening statement, delivered by Subcommittee Chairman Garbarino, he highlighted the need for legislative solutions to tackle the challenges facing America’s cyber talent pipeline:

 
“As an Army veteran, I believe an ROTC-like program would be an effective and rewarding way to build a prepared cyber workforce across the federal government. Although we have programs that fall under this category today—such as the CyberCorps Scholarship for Service program—we must maximize and scale these efforts, improve retention, and potentially establish other ROTC-like programs quickly to fill specific skills gaps and critical positions.
 
“As Chairman of the Committee on Homeland Security, I know that protecting the cyber border is just as important as our efforts to secure our physical border. That is why accelerating the United States’s efforts to address the cyber workforce gap has been my top priority this year––so much so that I will soon be introducing legislation to grow our cyber workforce and sustain a steady pipeline each year.”

Subcommittee Chairman Garbarino then questioned ONCD’s Assistant National Cyber Director Seeyew Mo on how to creatively recruit cyber talent: 
  
“I’ve spoken to countless [chief information security officers], fortune four-hundred, fortune five-hundred members, they are all moving to skills-based hiring, away from degree-based hiring. For the federal government, what are some of those effective pathways for skills-based training and hiring that you’ve seen or explored?” 
  
Mo answered: 
  
“When we travel around the country, we see things like registered apprenticeships—it’s one of the models. Work-based training is another model that we really like. When you take a skills-based approach, we need a fundamental shift in thinking about not on an individual basis, but more of creating a team with complementary skills. So, some of the successful companies––they’re trying to build teams with advanced people with advanced cyber skills and people with early career skills. Then you kind of map out and have a team that can do the job and deliver on the mission.” 
 
Chairman Garbarino continued: 
 
“Has there been any work with community colleges or technical schools to accrue talent?”
 
Mo answered: 
 
“The very first visit that a national cyber director did was to the community college of Baltimore County to essentially elevate cyber, to make sure that people with two-year college degrees understand that there’s a pathway into a cyber career. And then we also went to Fayetteville Technical Community College, because they kind of have a pathway for veterans and their spouses to get into cyber as well. The key here is it’s more than just one institution. This only works if the two-year colleges are working with four-year colleges and universities, and they are also working with the K-12 school districts locally, and the private sector employer involved in telling the schools what they need, so that all of them come together to figure how to build a pipeline, and that’s the approach that we’re pushing here.”

Subcommittee on Counterterrorism, Law Enforcement, and Intelligence Chairman August Pfluger (R-TX) questioned witnesses on how rural areas can be better represented in the cyber domain: 
 
“I represent Angelo State University, it is a Cyber Center of Excellence. They’ve taken steps in partnership with the NSA and other government agencies to start developing the workforce in a way. Here’s why this is important to me: when we think about the areas that provide that type of workforce, I think one of the big areas that is really missing is rural America.” 
 
“I’d like to hear, really from each of you, how can a school like Angelo State, a rural serving institution with 11-14,000 students throughout the entirety of its programs––how can they be successful, and what’s the advice or what’s the vector that they need to go and other institutions like them to provide this workforce for our country.” 
 
DHS’ Chief Information Officer Eric Hysen answered:  
 
“I strongly agree on the importance of building relationships with rural communities and pathways into public service. We are participating in the NSA Centers for Academic Excellence in Cybersecurity. We’re a proud partner with the NSA on that program. I would also say, for any training institution right now, recognizing the pace of new developments in this field, and ensuring that we are training our workforce, not on any one specific technology that may be out of date very quickly, but on how to stay current. How to leverage increased automated AI-based systems, and how to really stay on top of new and emerging threats is the most important thing these organizations can be doing.”

Congressman Mike Ezell (R-MS) questioned witnesses on how to fill the nation’s 500,000 open cybersecurity jobs: 
 
“I’d really like to focus a little more on our national security implications, even though cybersecurity jobs will be paid and offer high levels of job security, I think the lack of public awareness plays a role in our current workforce shortage. Mr. Petersen, what can Congress and institutions like this one in my district do to enhance public awareness and encourage students to see cybersecurity as a vital role in defending our country.” 
 
Rodney Petersen, director of the National Initiative for Cybersecurity Education at NIST, answered:
 
“I’m pleased to say I actually visited Gulf Coast Community College last year, and they were hosting an event along with the Department of Commerce and the Department of Education on raising the bar. What was impressive to me is how they brought together the stakeholders, not just locally, but across the state and across the region, to really focus on the opportunities that exist not only at community college, but in local communities to helps individuals who are below the poverty level have a career and opportunity in cybersecurity.” 

In Thursday’s hearing, Members questioned witnesses from the McCrary Institute for Cyber and Critical Infrastructure Security, the American Gas Association, the cyber insurance company Cowbell, and the risk advisory firm Guy Carpenter & Company. Members examined stakeholder responses to catastrophic cyberattacks on various critical infrastructure sectors, such as energy and water, and assessed the state of public-private partnerships and incident reporting regimes for critical infrastructure entities.
 
In his opening testimony, Matthew McCabe, a managing director at Guy Carpenter & Company, emphasized the growing threat of cyberattacks against the private sector and a way to improve risk mitigation:  
 
“The cyber threat to critical infrastructure is undeniable. We referenced the Volt Typhoon attack and in the joint cyber security advisory about that threat the agencies warned that nation state threat actors were pre-positioning themselves already on IT networks to enable lateral movement and to disrupt functions. Just last year the FBI tallied 193 complaints of ransomware from companies that operate critical infrastructure. Critical infrastructure companies encounter this threat every day. Increasingly, cyber insurance serves as an essential component for mitigating that risk.” 

Congresswoman Laurel Lee (R-FL) asked Kimberly Denbow, vice president of security and operations at the American Gas Association, about the benefits of the Chemical Facility Anti-Terrorism Standards (CFATS) program. Congresswoman Lee is leading the fight to reauthorize CFATS through introducing the “Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023:”  
 
“First, let’s start with what are the benefits of the program and what do you find to be useful about it?” 
 
Denbow answered:  
 
“The program sets a foundation for operators to work from, and one of the biggest values of the program––I was around when the program first came out, and it was a very different model than what it is now. It has actually migrated to a model that is extremely functional. Where we talked about trust, trust cannot be mandated, trust must be earned. And that requires an investment of resources on both sides, the operator and the government partner or the government regulator…Through the Chemical Facility Anti-Terrorism Standards program, they have been able to help operators learn what they can do to maybe minimize or reduce the amount of quantities they have on site or to substitute for that. But more importantly, to provide the securities in place, the physical securities in place, to protect, detect, and mitigate…We’ve been pushing for [reauthorization] for a long time.” 

Congressman Ezell asked Denbow about the energy sector’s view on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) by the Cybersecurity and Infrastructure Security Agency (CISA):  
 
“In May this Subcommittee held a hearing on private-sector perspectives regarding the proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act. While this rule aims to establish a standard for incident reporting, several agencies have developed their own cyber incident reporting regulations. How do entities within the gas sector view this regulatory landscape in terms of their ability to respond to a catastrophic cyberattack?” 
 
Denbow answered:  
 
“CISA does not have the authority to incentivize the other agencies to follow suit and to follow CISA’s lead…The problem is that, at the end of the day, it becomes the responsibility of the operator to make sure all of these government entities are harmonized and so it’s almost like the teenager trying to get the parents to act appropriately and it is just not going to happen. I speak from personal experience because at the American Gas Association, through the Oil and Natural Gas Subsector Coordinating Council, we intentionally tried to harmonize CFATS with the Coast Guard cyber security assessment plans.” 

###