Dot-Gov Meets Dot-Com: Leading Tech, Hoover Institution Witnesses Testify in America’s Tech Capital on US Cybersecurity Posture

May 29, 2025

PALO ALTO, Calif. –– This week, the House Committee on Homeland Security held a field hearing at the Hoover Institution at Stanford University to examine issues impacting the U.S. cybersecurity posture—including critical infrastructure resilience, technological innovation, and regulatory harmonization—and solutions to address those challenges. 
 
Witness testimony was provided by LTG (ret.) H.R. McMaster, Fouad and Michelle Ajami Senior Fellow at the Hoover Institution; Wendi Whitmore, chief security intelligence officer at Palo Alto Networks; Jeanette Manfra, global director for security and compliance at Google Cloud; and Jack Cable, chief executive officer and co-founder of Corridor.
 
Amid pervasive cyber intrusions into U.S. networks from adversaries and cybercriminals, members asked how Congress can help ensure the federal government, through agencies like the Cybersecurity and Infrastructure Security Agency (CISA), is a productive partner for industry that increases visibility and promotes collective defense across sectors. Whether it’s enhancing information sharing for action, investing in our cyber defenders, flipping the economic model for cybersecurity, or harmonizing the cyber regulatory landscape, witnesses and members called for better teamwork––from the U.S. Capitol to the tech capital in Palo Alto.

In his opening statement, McMaster highlighted the value of building a strong cyber defense and attracting talent to the cybersecurity field: 

“This hearing is timely because, as has already been mentioned, in recent years responses to adversaries’ state attacks have been slow and inadequate. Strengthening deterrence will require the rapid imposition of costs on cyber attackers that go far beyond those that those attackers anticipate prior to acting against us. We must also improve the resilience of our systems through a combination of defensive and, as you mentioned, Mr. Chairman, offensive capabilities, as well as the capacity for rapid recovery. 
 
“We must maintain competitive advantage in artificial intelligence, quantum computing, and other technologies relevant to cybersecurity and the associated protection of critical infrastructure. Chairman Green, as you already mentioned, particularly important is going to be removing barriers to implementation of cyberspace solutions and AI models, and I think that’s a particularly important aspect of getting from information to action, as you mentioned. And we must improve dramatically the security of our critical technologies and research enterprises from the threat of relentless state-based espionage. Accomplishing these tasks will require close cooperation between the public and private sectors and academia and with international partners as well as investments in research and I would say especially human capital.”

In her opening statement, Whitmore gave an overview of the cyber threats facing America and the policies needed to protect against future threats:
 
“As recent campaigns like Salt and Volt Typhoon have reinforced, our cyber adversaries – China, Russia, Iran, North Korea, and others – are more active and aggressive than ever. They are leveraging AI to increase the speed and scale of their attacks, to enhance tactics like phishing, exfiltrate data faster, and execute complex multi-stage attacks that are increasingly disruptive to the American public. Consider this: every single day, Palo Alto Networks blocks up to 31 billion cyberattacks. Up to nine million of those daily attacks represent novel attack methods never previously seen. To stay a step ahead, relentless innovation must be central to our cyber defenses. Innovation with AI at its core has the potential to disrupt the legacy status quo of chasing each new threat with an isolated disjointed solution. Instead, we can leverage AI to analyze security data in real time and then automate our responses. This evolved approach can simultaneously, one, deliver transformative cybersecurity outcomes; two, drive much needed cost rationalization; and three, eliminate inefficient manual processes.”

Chairman Green asked witnesses how to better educate the American people on the threats we face in cyberspace:
 
“Imagine if Russia placed a satchel charge next to a cell tower and had a detonator in their hand. We’d be livid. But essentially that’s exactly what China has done to our telecommunications systems… They literally have a kill switch in the system right now and nobody’s making a big deal out of it. Why do you guys think that’s the case?”

McMaster answered:
 
“I think because we haven’t really taken this to the American people to explain the gravity of it. And I think to really ask the question, okay, well, why? You know, why is China [in] our systems?… The Chinese Communist Party is preparing for war in a number of ways, right? We see it with their massive buildup of their military forces, about a 44-fold increase in their defense spending since the year 2000. We see it in the development of weapons systems to sort of keep us at bay. But also, I think what we can do is connect what we’ve seen with Volt Typhoon to a broader range of threats, including the massive buildup of their nuclear forces, about a 400% increase… And if you look at the pattern of their intelligence collection, for example, the balloon intelligence collection, was really aimed at communications intelligence they could only be picked up at that altitude, and that was communications intelligence associated with our strategic forces. So I think the American people haven’t really had this explained in context.”
 
Whitmore answered, touching also on the danger of overregulation in cyberspace:
 
“My viewpoint on this has been from 20 years of responding on the ground to some of the most major breaches that have occurred in the last few decades, and many of those in my time in the military were highly classified investigations that no one talked about and certainly couldn’t be talked about in open dialogue. So that has certainly contributed to the lack of awareness from the public. I think it’s a great movement in the right direction that we can now have this kind of open dialogue… In addition to the lack of awareness, one of the things that we unfortunately do today is punish the victims… When the media gets ahold of cases of cybercrime and these massive intrusions we often do that, and then we add regulation in that requires them to provide information in this most dynamic time period––the first 48 to 72 hours… that’s also the time that it’s most dynamic in a computer intrusion.” 
 
Chairman Green concluded, calling for a better partnership between the public and private sectors:
 
“It is unfair for the federal government to expect the private sector to defend itself against a nation state. My side of the aisle has pushed very hard about a sovereign border, having a sovereign border that needs protection… But I would submit that there is a cyber border that’s just as sovereign… I think it’s going to take a paradigm shift, because for decades we have taken this ‘free market’ approach that private sector takes care of itself, and I think that’s self-defeating because the networks are so connected now, wherever a person enters they can pretty much move laterally anywhere in the networks.”

Chairman Green then asked about America’s future cyber workforce:
 
“The question comes to mind about education and the talent pipeline and my question is, we train cyber folks in the military, like you [McMaster] helped start Army’s Future Command… In the military, to get people excited about the military we have these simulators that…gets them excited at a very young age. What are some ideas on how we can do that for cyberspace and how can we collaborate… in preparing this workforce for the future in cyber.”
 
Cable answered:
 
“The manufacturers of software products have a key role to play here, and I think we can extend that to the cyber workforce. Recognizing that cybersecurity professionals alone aren’t going to be able to solve the cybersecurity problems of today, and that’s because we really need to work back to the point that software is developed. So we need to ensure that every current and future software developer has a solid understanding of the security baseline and knows, particularly as they are using more and more AI tools and writing less code themselves…that they know how to identify vulnerabilities.”

Chairman Garbarino asked witnesses about the balance between the security responsibility placed on companies versus users:

“I love the idea of ‘secure by design’…I think there should be a reliance when somebody buys something that there is at least some security there and they can depend on that without having to pay extra. But then you also have to go back and you have to weigh that against user error…You’re only as strong as your weakest link. So you can hold a company accountable for its design and up to a point, I believe, but at some point, the balance tips… There still has to be some reliance on the individual. So how do we weigh that, and who holds the companies accountable and how do you hold them accountable? Is it financial?”

Manfra answered: 

“Security is very hard for users, customers, and so I do think there’s incentives in the software industry to make security easier naturally. But we need to increase the demand for that, and the federal government has an opportunity through their purchasing power to do that. Or it’s whether that’s through certification regimes or others, but then also mandating transparency. And so at Google, we’ve been pushing things like SLSA, we call it SLSA, but where you have artifacts that say, ‘this is how the code was tested.’ So you can see the provenance of the code, and you can have a higher level of assurance of the integrity… And so there’s more work that could be done there for sure in establishing what those baseline standards are. And the federal government has a real opportunity to drive that… So the government also has an obligation to set, I would say, clear security standards that are more consistent across the government. Those are all opportunities that all companies would welcome that participation with the government.”

Chairman Garbarino asked about information sharing and how to incentivize companies to enhance the cybersecurity of their products:

“What’s the incentive? I mean, is it the government pushing, say, OK, these have met the Secure by Design standard? So what are we saying? OK, in order for a financial institution to take part in the FDIC protection, you have to have this–I mean, what’s the incentive?”

McMaster answered:

“I think there should be a convergence of standards between ‘dot gov’ and ‘dot com’. All companies should strive for that. I think there are also some best practices that should be followed that everybody should share with one another as we create this community of companies or anybody who touches critical infrastructure with their products. And that’s kind of a holistic approach to security involving––we’re talking a lot about IT, but it’s OT, it’s hardware, it’s supply chain, and then it won’t be until we’re all together on these standards that you can really reduce what is really critical, which is that third-party risk, which we’ve seen really go through the roof in recent years in terms of software and supply chains that can have a devastating effect if they’re compromised. 

“There is a tension between setting a standard and holding companies accountable for it and not treating the company like a victim because you want them to report, and really what you want is the government and that company to be working together when something bad happens. And overall, I mean, companies I think have to kind of adopt the attitude of: try to envision like we do in the military. What’s the worst thing that could happen to you and then take action to prevent that. What you would do the day after a massive attack is what you should do right now.”
