[Congressional Record Volume 166, Number 206 (Monday, December 7, 2020)]
[House]
[Pages H6899-H6901]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                      NATIONAL CYBER DIRECTOR ACT

  The SPEAKER pro tempore. Under the Speaker's announced policy of 
January 3, 2019, the Chair recognizes the gentleman from Rhode Island 
(Mr. Langevin) for 30 minutes.
  Mr. LANGEVIN. Mr. Speaker, I rise today to discuss the Conference 
Report to accompany the National Defense Authorization Act for fiscal 
year 2021 that we will be considering tomorrow.
  Mr. Speaker, this is my 20th NDAA, and as ever, I am incredibly proud 
of the bipartisan work that went in to creating it. Amidst all the 1300 
provisions, however, I want to focus on section 1752.
  Section 1752 is based on my bill, H.R. 7331, the National Cyber 
Director Act, and it is the result of more than 10 years of 
deliberative thought and advocacy. The provision is simple enough. It 
creates an Office of the National Cyber Director within the Executive 
Office of the President. The office is led by a director who will be 
Presidentially appointed and confirmed by the Senate.
  The National Cyber Director is charged with being the President's 
principal adviser on matters of cybersecurity policy with developing 
and overseeing implementation of the national cyber strategy. He or she 
will

[[Page H6900]]

also be responsible for coordinating government response to serious 
cyber incidents. And as I said, simple enough, but this represents a 
complete sea change in the way cybersecurity is handled in the Federal 
Government.
  The need could not be more urgent. Of course, cyber operations, 
whether carried out by criminals or nation states, continue to threaten 
us as a Nation. Hardly a day goes by where we don't read about a new 
ransomware attack taking down an entire hospital system or shutting 
down businesses. Our adversaries target our elections to strike at the 
heart of our democracy. They target our defense industrial base that 
gives us our competitive edge. They are even targeting vaccine research 
that may be the key to ending the terrible pandemic that we are living 
through.
  Mr. Speaker, cyberspace is a new domain, and the first that has been 
created entirely by humankind. We would not expect that emerging 
security challenges in cyberspace would be easy to tackle, and, of 
course, they have proven to be quite difficult.
  After all, many security paradigms that developed about borders are 
virtually meaningless when it is as easy to attack a computer across 
the room as it is to attack one half a world away. While decidedly 
thorny, these challenges are not insurmountable.
  However, the Federal Government has not risen to the challenges as 
well as we could hope. There are many reasons for this, but probably 
the most important of which is that nobody really is in charge. 
Cybersecurity is often passed off as an IT problem, best left to the 
geeks to handle, instead of being recognized as an operational risk 
that needs attention from senior leadership.
  Most Federal agencies do not have cybersecurity in their core 
missions, so investments in cyber capabilities can fall by the wayside. 
Computer systems also pervade every aspect of the Federal Government's 
work, so coordination is required across the entire interagency.
  The failures to rise to address these challenges poses real risk to 
the government. Sensitive government data, such as clearance 
information stored at the Office of Personnel Management, has been 
stolen. U.S. corporations suffer billions of dollars in damages each 
year from cyber incidents, and other adversaries increasingly view the 
cyber domain as ideal for conducting asymmetric warfare in the ``gray 
zone,'' below the level of armed conflict.
  Mr. Speaker, for more than a decade, I have been involved in numerous 
efforts to root out underlying causes of the government's inability to 
get its arms around the cybersecurity problem. Most recently, I had the 
distinct privilege of serving on the Cyberspace Solarium Commission, a 
14-member body chartered by Congress to develop a strategic approach to 
protect the United States from cyber incidents of significant 
consequence.
  One of the things that these efforts have universally uncovered--a 
finding endorsed recently by the Government Accountability Office--is 
that a lack of centralized leadership in the White House is holding the 
government back.
  Mr. Speaker, only the White House has the ability to compel 
interagency cooperation and ensure that cybersecurity efforts are 
synergistic and deduplicated.
  Only the White House can ensure that budgets are adequate, both for 
internal cyber defense and external cybersecurity programs aimed at 
protecting the private sector.
  Only the White House can effectively coordinate incident response 
across two dozen agencies with some cybersecurity responsibility.
  Now, Presidents Bush and Obama both made strides in improving 
cybersecurity policy coordination within the White House, changes that 
were at first carried forward by President Trump and his Homeland 
Security adviser. But none of them gave the position they created the 
gravitas and authority it needed to be successful. And eventually, 
then-national Director John Bolton, eventually eliminated the 
cybersecurity coordinating position altogether.
  Congress needed to step in and provide strategic direction with the 
National Cyber Director Act that we have here. Finally, we will have 
the accountability that comes from having a leader within the Executive 
Office of the President that we can interrogate about cyber strategy 
writ large, and that we, as the Congress, will in turn be accountable 
to our constituents for ensuring the strategy is executed and resourced 
properly.
  This NDAA will be an incredibly important bill in the history of 
cybersecurity legislation, and I am honored to have played a key role 
in advancing it.

                              {time}  1800

  Mr. Speaker, like any bill a decade in the making, many hands have 
gotten us to this point with the National Cyber Director Act. First 
off, I owe an enormous debt of gratitude to Speaker Nancy Pelosi for 
appointing me as her designee to the Cyberspace Solarium Commission. 
Developing and implementing the commission report has been one of the 
highlights of my congressional career, and much of the progress that we 
have made on the National Cyber Director is due to my fellow 
commissioners.
  I want to start with Congressman Patrick Murphy as my original ally 
on this proposal, based on his experience in these Halls and in the 
executive branch.
  Tom Fanning brought his expertise as a major utility executive in 
crafting a recommendation that ensures accountability.
  Frank Cilluffo focused relentlessly on appropriately scoping the 
authorities of the office, while Suzanne Spaulding fought to ensure 
that the National Cyber Director will have insight into all U.S. 
operations in the cyber domain.
  Dr. Samantha Ravich's initial scepticism was essential to making sure 
the final recommendation reflects the realities of working within the 
Executive Office of the President.
  Finally, Chris Inglis's invaluable feedback means that the bill we 
vote on tomorrow will fit squarely within the strategic vision laid out 
by the commission. Despite my years working on this proposal, I was 
always impressed by Chris's ability to elegantly connect the National 
Cyber Director recommendation with our broader mission.
  I would never have been exposed to the idea of a stronger 
coordinating authority within the White House were it not for my time 
on the Center for Strategic and International Studies' Commission on 
Cybersecurity for the 44th Presidency, which I was proud to co-chair. 
My fellow co-chairs, General Harry Raduege, Scott Charney, and 
especially Congressman   Michael McCaul, all helped shape my thinking 
during my first deep dive on this topic. And, of course, we would have 
been lost without the expert guidance of CSIS's Jim Lewis, the 
commission's executive director.
  After 9 years of trying to pass a bill to codify a cybersecurity role 
within the White House, what changed this year?
  Well, quite frankly, John Bolton and his poor decisionmaking changed 
the equation. Given the ever-increasing threat in cyberspace, I don't 
think anyone realistically thought that somebody would dare eliminate 
the cyber coordinator at the White House. Yet, in one of the worst 
cybersecurity policy moves ever seen, Bolton did just that, making 
clear the need for congressional action to establish a permanent cyber 
director.
  That need was well understood by Chairman Adam Smith, who has backed 
the inclusion of Solarium recommendations in the NDAA since day one and 
who has consistently supported the National Cyber Director Act.
  Chairwoman Carolyn Maloney also provided vital support. When I first 
spoke to her about the Solarium report, she immediately got why 
leadership in the White House was so important. In addition to joining 
the National Cyber Director Act as an original cosponsor, she convened 
a legislative hearing that teed up consideration on the House floor. 
The witnesses at that hearing--former House Intelligence Committee 
Chairman   Mike Rogers, former Obama Cybersecurity Coordinator Michael 
Daniel, Tenable CEO Amit Yoran, and Suzanne Spaulding--made a clear and 
compelling case for an expedited consideration of the bill.
  Chairman  Jim McGovern and his Rules Committee colleagues took up 
this charge, ruling in order an amendment consisting of the text of 
H.R. 7331 during our floor debate on the NDAA.

[[Page H6901]]

  As my colleagues well know, passing the House is only half the 
battle. Here is where my fellow legislative commissioners really 
carried the day:
  Senator Ben Sasse, who authored the legislation to create the 
Cyberspace Solarium Commission, made more efficiently organizing the 
government a central part of his push for improved cybersecurity.
  Our colleague and Solarium co-chair, Congressman   Mike Gallagher, 
has been with me every step of the way, on the National Cyber Director 
and the 16 other Solarium provisions we moved through the NDAA process.
  Anyone who claims bipartisanship is dead in Washington has not met 
these two exemplars of comity and serious policy deliberativeness.
  In the Senate, my counterpart, the chair of the Senate Armed Services 
Committee's Subcommittee on Cybersecurity, Senator Mike Rounds, has 
been a negotiating partner without equal. Senator Rounds came to the 
table with an open mind, asked tough but fair questions, requested 
additional information about our proposal, and, at the end of the day, 
helped to strengthen it and push it through the conference process.
  I also thank Congressman Katko, who went to bat for the National 
Cyber Director in conversations with the White House.
  A special note of thanks is reserved for our other Solarium co-chair, 
Senator Angus King. Senator King has been the soul of the Solarium 
Commission, and I continue to be in awe of his steady leadership 
throughout the process. Senator King's maxims--whether that ``sloppy 
structure leads to sloppy policy'' or that we needed ``one throat to 
choke'' in the executive branch--perfectly encapsulate the central 
theme and issues at stake. I can say for a fact that no one fought 
harder to ensure that the Senate accepted a strong version of the 
National Cyber Director Act in the conference process.
  Finally, Mr. Speaker, as all of my colleagues know, we would be lost 
in this institution without the staff that supports us. I never would 
have begun this journey in cybersecurity policy if it were not for Jake 
Olcott, my former staff director on the Committee on Homeland 
Security's Subcommittee on Emerging Threats, Cyber Security, and 
Science and Technology.
  Likewise, my then-MLA Davis Hake helped draft and introduce the 
Executive Cyberspace Authorities Act of 2010 that provided the 
scaffolding for the National Cyber Director Act; and his successor, 
Michael Hermann, further refined the concept.

  The Solarium Commission staff has been, frankly, extraordinary to 
work with and a great testament to the commission's executive director, 
Admiral Mark Montgomery. From day one, Mark challenged us to draft a 
report that would be actionable, not just a doorstop, and this NDAA is 
a realization of his vision and his unflagging work ethic.
  My fellow legislators' Solarium liaisons--Steve Smith on Senator 
King's staff, Chas Morrison on Congressman Gallagher's, and Brett 
Fetterly on Senator Sasse's--stepped up to ensure that all of the oars 
stayed rowing in the same direction, no matter how choppy the waters.
  We would never have had a hearing on the bill were it not for Emily 
Burns of Chairwoman Maloney's staff. Lori Ismail was our critical link 
at the Rules Committee to ensure the bill would have the opportunity to 
be debated and voted upon.
  On the Senate side, Jeff Rothblum from Ranking Member Peter's staff 
helped us navigate the jurisdictional hurdles that come with any piece 
of cybersecurity legislation and offered insightful comments and 
guidance throughout the process.
  During the conference process itself, we relied heavily on Katie 
Sutton and Kirk McConnell, two true pros on the Senate Armed Services 
Committee staff; and Eric Snelgrove, staff lead for Ranking Member 
Elise Stefanik.
  Lastly, but surely not least, I want to acknowledge my own staff. My 
MLA, Caroline Goodson, ably assisted by our defense fellow, Captain 
Mike Lake, thrived in her first NDAA and expertly balanced the many 
priorities I have within my IETC portfolio and for my constituents in 
Rhode Island.
  My cybersecurity fellows David Wagner, Eric Saund, and particularly 
Allison Browning, have all been brilliant minds and wonderful team 
players who have helped me get the most out of the Solarium Commission.
  At the end of the day, though, this bill never would have gotten done 
without my IETC cyber lead, Josh Stiefel. Josh immediately understood 
the importance of the National Cyber Director, based on his time 
working on cybersecurity in the interagency. Using that experience and 
his skill at negotiating, he definitely steered the National Cyber 
Director Act--and more than two dozen other Solarium recommendations--
through the NDAA. One of the hardest things to do is to entrust someone 
else with something of great value to you, but I never had any 
hesitation letting Josh work the staff-level discussions. I am 
incredibly lucky to have him on my team.
  Finally, and most importantly, the National Cyber Director Act, the 
dozens of other Solarium recommendations, and countless other cyber 
initiatives that I have developed over the years would never have 
existed were it not for my legislative director, Nick Leiserson. Nick 
has been the engine on my cyber policy work for 6 years. His 
legislative expertise and commitment to advancing effective 
cybersecurity policy have elevated the cyber discussion on Capitol Hill 
and kept our country safer. He has worked tirelessly for many years, 
and I am deeply grateful for how he has turned the National Cyber 
Director idea into legislation and finally into reality.
  Mr. Speaker, this year's NDAA is one of the most important pieces of 
cybersecurity legislation ever to be considered by Congress. There are 
so many cyber provisions--from creating the Joint Cyber Planning Office 
at the Cybersecurity and Infrastructure Security Agency to requiring a 
cyber force structure assessment--that we had to create a new title for 
the bill. But the crown jewel is the National Cyber Director Act.
  I look forward to working with President Biden, Vice President 
Harris, and the new administration to stand up this office. I have 
often said that there are no silver bullets in cybersecurity 
policymaking, and I still believe that. But I know that I will sleep 
more soundly knowing that there is a central coordinating figure in the 
White House empowered to protect the country. I hope that the legacy of 
this bill will be safety, security, and stability in cyberspace for 
decades to come.
  Mr. Speaker, I yield back the balance of my time.

                          ____________________