[Congressional Record Volume 166, Number 206 (Monday, December 7, 2020)]
[House]
[Pages H6899-H6901]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
NATIONAL CYBER DIRECTOR ACT
The SPEAKER pro tempore. Under the Speaker's announced policy of
January 3, 2019, the Chair recognizes the gentleman from Rhode Island
(Mr. Langevin) for 30 minutes.
Mr. LANGEVIN. Mr. Speaker, I rise today to discuss the Conference
Report to accompany the National Defense Authorization Act for fiscal
year 2021 that we will be considering tomorrow.
Mr. Speaker, this is my 20th NDAA, and as ever, I am incredibly proud
of the bipartisan work that went in to creating it. Amidst all the 1300
provisions, however, I want to focus on section 1752.
Section 1752 is based on my bill, H.R. 7331, the National Cyber
Director Act, and it is the result of more than 10 years of
deliberative thought and advocacy. The provision is simple enough. It
creates an Office of the National Cyber Director within the Executive
Office of the President. The office is led by a director who will be
Presidentially appointed and confirmed by the Senate.
The National Cyber Director is charged with being the President's
principal adviser on matters of cybersecurity policy with developing
and overseeing implementation of the national cyber strategy. He or she
will
[[Page H6900]]
also be responsible for coordinating government response to serious
cyber incidents. And as I said, simple enough, but this represents a
complete sea change in the way cybersecurity is handled in the Federal
Government.
The need could not be more urgent. Of course, cyber operations,
whether carried out by criminals or nation states, continue to threaten
us as a Nation. Hardly a day goes by where we don't read about a new
ransomware attack taking down an entire hospital system or shutting
down businesses. Our adversaries target our elections to strike at the
heart of our democracy. They target our defense industrial base that
gives us our competitive edge. They are even targeting vaccine research
that may be the key to ending the terrible pandemic that we are living
through.
Mr. Speaker, cyberspace is a new domain, and the first that has been
created entirely by humankind. We would not expect that emerging
security challenges in cyberspace would be easy to tackle, and, of
course, they have proven to be quite difficult.
After all, many security paradigms that developed about borders are
virtually meaningless when it is as easy to attack a computer across
the room as it is to attack one half a world away. While decidedly
thorny, these challenges are not insurmountable.
However, the Federal Government has not risen to the challenges as
well as we could hope. There are many reasons for this, but probably
the most important of which is that nobody really is in charge.
Cybersecurity is often passed off as an IT problem, best left to the
geeks to handle, instead of being recognized as an operational risk
that needs attention from senior leadership.
Most Federal agencies do not have cybersecurity in their core
missions, so investments in cyber capabilities can fall by the wayside.
Computer systems also pervade every aspect of the Federal Government's
work, so coordination is required across the entire interagency.
The failures to rise to address these challenges poses real risk to
the government. Sensitive government data, such as clearance
information stored at the Office of Personnel Management, has been
stolen. U.S. corporations suffer billions of dollars in damages each
year from cyber incidents, and other adversaries increasingly view the
cyber domain as ideal for conducting asymmetric warfare in the ``gray
zone,'' below the level of armed conflict.
Mr. Speaker, for more than a decade, I have been involved in numerous
efforts to root out underlying causes of the government's inability to
get its arms around the cybersecurity problem. Most recently, I had the
distinct privilege of serving on the Cyberspace Solarium Commission, a
14-member body chartered by Congress to develop a strategic approach to
protect the United States from cyber incidents of significant
consequence.
One of the things that these efforts have universally uncovered--a
finding endorsed recently by the Government Accountability Office--is
that a lack of centralized leadership in the White House is holding the
government back.
Mr. Speaker, only the White House has the ability to compel
interagency cooperation and ensure that cybersecurity efforts are
synergistic and deduplicated.
Only the White House can ensure that budgets are adequate, both for
internal cyber defense and external cybersecurity programs aimed at
protecting the private sector.
Only the White House can effectively coordinate incident response
across two dozen agencies with some cybersecurity responsibility.
Now, Presidents Bush and Obama both made strides in improving
cybersecurity policy coordination within the White House, changes that
were at first carried forward by President Trump and his Homeland
Security adviser. But none of them gave the position they created the
gravitas and authority it needed to be successful. And eventually,
then-national Director John Bolton, eventually eliminated the
cybersecurity coordinating position altogether.
Congress needed to step in and provide strategic direction with the
National Cyber Director Act that we have here. Finally, we will have
the accountability that comes from having a leader within the Executive
Office of the President that we can interrogate about cyber strategy
writ large, and that we, as the Congress, will in turn be accountable
to our constituents for ensuring the strategy is executed and resourced
properly.
This NDAA will be an incredibly important bill in the history of
cybersecurity legislation, and I am honored to have played a key role
in advancing it.
{time} 1800
Mr. Speaker, like any bill a decade in the making, many hands have
gotten us to this point with the National Cyber Director Act. First
off, I owe an enormous debt of gratitude to Speaker Nancy Pelosi for
appointing me as her designee to the Cyberspace Solarium Commission.
Developing and implementing the commission report has been one of the
highlights of my congressional career, and much of the progress that we
have made on the National Cyber Director is due to my fellow
commissioners.
I want to start with Congressman Patrick Murphy as my original ally
on this proposal, based on his experience in these Halls and in the
executive branch.
Tom Fanning brought his expertise as a major utility executive in
crafting a recommendation that ensures accountability.
Frank Cilluffo focused relentlessly on appropriately scoping the
authorities of the office, while Suzanne Spaulding fought to ensure
that the National Cyber Director will have insight into all U.S.
operations in the cyber domain.
Dr. Samantha Ravich's initial scepticism was essential to making sure
the final recommendation reflects the realities of working within the
Executive Office of the President.
Finally, Chris Inglis's invaluable feedback means that the bill we
vote on tomorrow will fit squarely within the strategic vision laid out
by the commission. Despite my years working on this proposal, I was
always impressed by Chris's ability to elegantly connect the National
Cyber Director recommendation with our broader mission.
I would never have been exposed to the idea of a stronger
coordinating authority within the White House were it not for my time
on the Center for Strategic and International Studies' Commission on
Cybersecurity for the 44th Presidency, which I was proud to co-chair.
My fellow co-chairs, General Harry Raduege, Scott Charney, and
especially Congressman Michael McCaul, all helped shape my thinking
during my first deep dive on this topic. And, of course, we would have
been lost without the expert guidance of CSIS's Jim Lewis, the
commission's executive director.
After 9 years of trying to pass a bill to codify a cybersecurity role
within the White House, what changed this year?
Well, quite frankly, John Bolton and his poor decisionmaking changed
the equation. Given the ever-increasing threat in cyberspace, I don't
think anyone realistically thought that somebody would dare eliminate
the cyber coordinator at the White House. Yet, in one of the worst
cybersecurity policy moves ever seen, Bolton did just that, making
clear the need for congressional action to establish a permanent cyber
director.
That need was well understood by Chairman Adam Smith, who has backed
the inclusion of Solarium recommendations in the NDAA since day one and
who has consistently supported the National Cyber Director Act.
Chairwoman Carolyn Maloney also provided vital support. When I first
spoke to her about the Solarium report, she immediately got why
leadership in the White House was so important. In addition to joining
the National Cyber Director Act as an original cosponsor, she convened
a legislative hearing that teed up consideration on the House floor.
The witnesses at that hearing--former House Intelligence Committee
Chairman Mike Rogers, former Obama Cybersecurity Coordinator Michael
Daniel, Tenable CEO Amit Yoran, and Suzanne Spaulding--made a clear and
compelling case for an expedited consideration of the bill.
Chairman Jim McGovern and his Rules Committee colleagues took up
this charge, ruling in order an amendment consisting of the text of
H.R. 7331 during our floor debate on the NDAA.
[[Page H6901]]
As my colleagues well know, passing the House is only half the
battle. Here is where my fellow legislative commissioners really
carried the day:
Senator Ben Sasse, who authored the legislation to create the
Cyberspace Solarium Commission, made more efficiently organizing the
government a central part of his push for improved cybersecurity.
Our colleague and Solarium co-chair, Congressman Mike Gallagher,
has been with me every step of the way, on the National Cyber Director
and the 16 other Solarium provisions we moved through the NDAA process.
Anyone who claims bipartisanship is dead in Washington has not met
these two exemplars of comity and serious policy deliberativeness.
In the Senate, my counterpart, the chair of the Senate Armed Services
Committee's Subcommittee on Cybersecurity, Senator Mike Rounds, has
been a negotiating partner without equal. Senator Rounds came to the
table with an open mind, asked tough but fair questions, requested
additional information about our proposal, and, at the end of the day,
helped to strengthen it and push it through the conference process.
I also thank Congressman Katko, who went to bat for the National
Cyber Director in conversations with the White House.
A special note of thanks is reserved for our other Solarium co-chair,
Senator Angus King. Senator King has been the soul of the Solarium
Commission, and I continue to be in awe of his steady leadership
throughout the process. Senator King's maxims--whether that ``sloppy
structure leads to sloppy policy'' or that we needed ``one throat to
choke'' in the executive branch--perfectly encapsulate the central
theme and issues at stake. I can say for a fact that no one fought
harder to ensure that the Senate accepted a strong version of the
National Cyber Director Act in the conference process.
Finally, Mr. Speaker, as all of my colleagues know, we would be lost
in this institution without the staff that supports us. I never would
have begun this journey in cybersecurity policy if it were not for Jake
Olcott, my former staff director on the Committee on Homeland
Security's Subcommittee on Emerging Threats, Cyber Security, and
Science and Technology.
Likewise, my then-MLA Davis Hake helped draft and introduce the
Executive Cyberspace Authorities Act of 2010 that provided the
scaffolding for the National Cyber Director Act; and his successor,
Michael Hermann, further refined the concept.
The Solarium Commission staff has been, frankly, extraordinary to
work with and a great testament to the commission's executive director,
Admiral Mark Montgomery. From day one, Mark challenged us to draft a
report that would be actionable, not just a doorstop, and this NDAA is
a realization of his vision and his unflagging work ethic.
My fellow legislators' Solarium liaisons--Steve Smith on Senator
King's staff, Chas Morrison on Congressman Gallagher's, and Brett
Fetterly on Senator Sasse's--stepped up to ensure that all of the oars
stayed rowing in the same direction, no matter how choppy the waters.
We would never have had a hearing on the bill were it not for Emily
Burns of Chairwoman Maloney's staff. Lori Ismail was our critical link
at the Rules Committee to ensure the bill would have the opportunity to
be debated and voted upon.
On the Senate side, Jeff Rothblum from Ranking Member Peter's staff
helped us navigate the jurisdictional hurdles that come with any piece
of cybersecurity legislation and offered insightful comments and
guidance throughout the process.
During the conference process itself, we relied heavily on Katie
Sutton and Kirk McConnell, two true pros on the Senate Armed Services
Committee staff; and Eric Snelgrove, staff lead for Ranking Member
Elise Stefanik.
Lastly, but surely not least, I want to acknowledge my own staff. My
MLA, Caroline Goodson, ably assisted by our defense fellow, Captain
Mike Lake, thrived in her first NDAA and expertly balanced the many
priorities I have within my IETC portfolio and for my constituents in
Rhode Island.
My cybersecurity fellows David Wagner, Eric Saund, and particularly
Allison Browning, have all been brilliant minds and wonderful team
players who have helped me get the most out of the Solarium Commission.
At the end of the day, though, this bill never would have gotten done
without my IETC cyber lead, Josh Stiefel. Josh immediately understood
the importance of the National Cyber Director, based on his time
working on cybersecurity in the interagency. Using that experience and
his skill at negotiating, he definitely steered the National Cyber
Director Act--and more than two dozen other Solarium recommendations--
through the NDAA. One of the hardest things to do is to entrust someone
else with something of great value to you, but I never had any
hesitation letting Josh work the staff-level discussions. I am
incredibly lucky to have him on my team.
Finally, and most importantly, the National Cyber Director Act, the
dozens of other Solarium recommendations, and countless other cyber
initiatives that I have developed over the years would never have
existed were it not for my legislative director, Nick Leiserson. Nick
has been the engine on my cyber policy work for 6 years. His
legislative expertise and commitment to advancing effective
cybersecurity policy have elevated the cyber discussion on Capitol Hill
and kept our country safer. He has worked tirelessly for many years,
and I am deeply grateful for how he has turned the National Cyber
Director idea into legislation and finally into reality.
Mr. Speaker, this year's NDAA is one of the most important pieces of
cybersecurity legislation ever to be considered by Congress. There are
so many cyber provisions--from creating the Joint Cyber Planning Office
at the Cybersecurity and Infrastructure Security Agency to requiring a
cyber force structure assessment--that we had to create a new title for
the bill. But the crown jewel is the National Cyber Director Act.
I look forward to working with President Biden, Vice President
Harris, and the new administration to stand up this office. I have
often said that there are no silver bullets in cybersecurity
policymaking, and I still believe that. But I know that I will sleep
more soundly knowing that there is a central coordinating figure in the
White House empowered to protect the country. I hope that the legacy of
this bill will be safety, security, and stability in cyberspace for
decades to come.
Mr. Speaker, I yield back the balance of my time.
____________________