“Preparation of the Battlefield”: Cybersecurity Experts Testify on Global Threats to the Homeland
January 23, 2025
WASHINGTON, D.C. — This week, the House Committee on Homeland Security, led by Chairman Mark E. Green, MD (R-TN), held a hearing to examine global cybersecurity threats to the homeland, featuring testimony from the private sector. Witness testimony was provided by Adam Meyers, senior vice president of Counter Adversary Operations at CrowdStrike; retired Rear Admiral Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies; Brandon Wales, vice president of cybersecurity strategy at SentinelOne; and Kemba Walden, president at Paladin Global Institute.
In the Committee’s first hearing of the 119th Congress, retired Rear Admiral Montgomery revealed the startling extent of the Chinese Communist Party’s (CCP) ongoing access to our networks, as well as the sinister reason behind China’s pre-positioning efforts in our critical infrastructure. Meyers further outlined how threat actors, such as China, Russia, and North Korea, find and exploit known or zero-day vulnerabilities in American technology. As America’s adversaries increasingly use cyberspace as a battlefield, every witness called for enhanced cyber readiness across the government and private networks. Witnesses agreed the danger lies in failing to prioritize cybersecurity efforts––whether defensive or offensive.
In his opening statement, Rear Admiral Montgomery focused on bolstering America’s cyber workforce and highlighted Chairman Green’s legislation, the “Cyber PIVOTT Act”:
“We have to recruit and develop an effective government cyber workforce. We need to hire more talent for federal, state, and local governments. We need a program that focuses on hiring graduates from vocational schools and community colleges, where students can earn skills and certifications. The ‘Cyber PIVOTT Act’ from last Congress answers this challenge and should be attacked this Congress. In the past, the United States has had the luxury of thinking about how to handle a threat from an adversary state over there, in their backyard. Things are different today. To make America secure, we’ll have to make investments in cybersecurity and critical infrastructure that America has postponed for far too long.”
In his opening statement, Wales stressed the private sector’s responsibility to prioritize cybersecurity:
“Business leaders, particularly in our nation’s critical infrastructure, need to understand that the government cannot save them from all threats. Cyber risks are core business risks, and, therefore, companies are ultimately responsible for their security and resilience. More importantly, if they are not already preparing for a crisis with China, they’re late.”
In his opening line of questioning, Chairman Green detailed numerous cyber intrusions by the People’s Republic of China (PRC) and probed China’s methods for cyber intrusions:
“Can you explain the PRC’s playbook on how each of the ‘Typhoon’ operations, or how China’s cyber war against the United States is—how they’re doing it?”
Meyers answered:
“China has engaged in maturation in how they conduct these operations. Today, they’re using exploits that target external facing devices that are connected directly to the internet that effectively bridge enterprises to the internet. These devices are often unmanaged. In many cases, they may be legacy or have proprietary capabilities that means that they don’t run modern security tools.”
“They’ve nationalized their vulnerability research program in 2018. For example, they changed the national security law in China, and all vulnerability research has to be submitted through the Chinese government. Whereas, here in the United States, we follow something we call responsible disclosure, where if I find a vulnerability in a product, I notify that product vendor in order to try to get it fixed. They’re effectively nationalizing that resource so they can use that for exploits against American technology and American companies. Once they gain that access, they attempt to remain stealthy and either conduct espionage in order to inform political and military decision-making, or in the case of ‘Vanguard Panda,’ also known as ‘Volt Typhoon,’ the prepositioning that we’ve discussed here, which would be potentially useful to bring down some of these networks that Mr. Montgomery mentioned in time of conflict.”
When asked by Vice Chairman Michael McCaul (R-TX) how the CCP pre-positions inside U.S. critical infrastructure and what can be done to combat these tactics, Rear Admiral Montgomery answered:
“This operational preparation of the battlefield, it is a war-making action––and we have to take it much more seriously. I think the idea that they’ve pre-positioned malware or that they have capabilities that lie in wait that can come out at the right time, as we’re making a decision to respond to a crisis in Taiwan or crisis in the Baltic States. TRANSCOM operates on these unclassified networks with civilian systems. This is why I think former Representative Waltz is right, in the sense that we have to go on the offensive. We now have to actually publicly execute operations against Chinese cyber infrastructure to say: ‘We know you did this; we know you use this infrastructure to do this, and we’re going to remove that infrastructure from your capability.’ Otherwise, the Chinese are going to keep doing what they’re doing.”
Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) emphasized the need for effective and actionable information sharing between the private and public sectors, to which Wales answered:
“There are always ways that we can improve information sharing. It has improved dramatically over the past eight years, but there is a long way to go. It’s also a question of, do you have the right private sector in the room? Are you sharing information at a speed at which it can be effective in the cybersecurity context? And are people capable of using that information to improve their security in real time? And I think there is a lot of work to do to make sure that happens.”
Subcommittee on Counterterrorism and Intelligence Chairman Pfluger (R-TX) asked witnesses which bad actors are currently lying in wait and what potential next attacks keep them up at night, to which Rear Admiral Montgomery answered:
“I think all of the axis of authoritarians could lie in wait. That’s China, Russia, India, North Korea. I think realistically, the countries that are thinking that they need to stop an American ability to mobilize forces are really weak in our economic productivity, it’s China and Russia. I think China is the predominant actor right now. I think Russia is distracted by other things. I have no doubt that there’s Russian malware in our systems with access, with an ability to be accessed at a later date.”
Meyers answered:
“These incidents are not over. ‘Salt Typhoon’ is an ongoing activity by an adversary, as is ‘Volt Typhoon,’ or what we call ‘Vanguard Panda.’ So this is something [on which] we need to continuously engage; we need to continuously identify, root them out, and put a stop to them––cut off their access.”
Representative Marjorie Taylor Greene (R-GA) cited shocking cybersecurity statistics and asked Rear Admiral Montgomery about offensive and defensive solutions to America’s cybersecurity shortfalls:
“Cyberattacks on critical infrastructure globally increased 30 percent in 2023. One in three Americans, and this is shocking, were affected by healthcare data breaches [in 2023]. Government agencies were the third-most targeted sector from ransomware attacks in 2023, and there are roughly 500,000 vacant cybersecurity jobs in the United States. Mr. Chairman, that is a serious issue. Most cyberattacks fall into a never-ending pattern. A threat actor, often sponsored by a nation state, exploits vulnerabilities in the system. They exfiltrate sensitive data or encrypt it for ransom. Then there is an investigation into how it happened, who was involved, and what measures should be taken to prevent it from happening again. And then it happens again, and the cycle repeats. We’re all in a very serious dilemma.
“Mr. Montgomery, in your testimony you talk about some specific offensive and defensive solutions that we can take to address the needs of our cybersecurity shortfalls. Could you elaborate a little more on that?”
Rear Admiral Montgomery answered:
“First, we absolutely have to invest in our Sector Risk Management Agencies to make sure they’re doing their job. It’s shocking sometimes when you look at [what] our Department of Energy spends, what I think is probably the right amount, somewhere between $15-$100 million a year on being Sector Risk Management Agency, helping energy companies protect themselves. Then you go to the Department of Agriculture and they’re spending $500,000. Our Department of Education, they’re spending $250,000. Most of us understand that’s two full-time equivalents or one full-time. It’s one human or two humans—and that’s just website management. You’re not helping the 8,000 farms and food distribution networks out there with one person manning a website. And you’re not helping our 9,000 districts out there with one person manning a website. We need more consistent, focused leadership from the top down, cabinet members down, on cybersecurity as a responsibility they have as a cabinet member. Then, when appropriate, the funding to do that kind of thing. So to me, that’s the number one.
“I spoke earlier about military mobility. If I could only focus on three things, it would be rail, aviation, and ports. Because if we don’t get that right—China, Russia—doesn’t matter. If they initiate combat operations that we’re gonna be involved in, we won’t get there fast enough.”