[Congressional Record Volume 167, Number 87 (Wednesday, May 19, 2021)]
[House]
[Page H2547]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                       RESPONDING TO CYBERATTACKS

  The SPEAKER pro tempore. The Chair recognizes the gentleman from 
Connecticut (Mr. Himes) for 5 minutes.
  Mr. HIMES. Madam Speaker, as I rise, gasoline is once again flowing 
through the Colonial Pipeline, and we are getting ready to undertake 
our routine briefs--those of us who sit on the Intelligence Committee 
and the Committee on Homeland Security--of this week's cyberattacks. 
Many of them will have come from Russia, from China, from North Korea, 
from Iran, or from some shadowy criminal group, which is often 
sheltered or at least tolerated by one of these countries. Many will 
have succeeded in stealing critical data or penetrating essential 
networks. Only a few, like the recent attacks on the Colonial Pipeline, 
will ever become publicly known.
  There is a long list of things that we must do to stop these attacks. 
We should require private companies to tell the public, or at least the 
government, when these attacks occur. We should make sure that experts 
in places like the NSA and the FBI are working side-by-side with 
network operators to address these attacks, and we should have a clear 
policy on the payment of ransom to ransomware attacks.
  But at the very top of the list is the need to fundamentally change 
the game by establishing a sure and swift deterrence.
  Time and again, we do too little, too late.
  Five years ago, President Obama responded to the Russian attack on 
our 2016 election, the very essence of our democracy, with the 
expulsion of 35 so-called Russian diplomats and the closing of a few 
secondary Russian facilities, and he told Putin to ``cut it out.'' 
Putin barely felt the slap on the wrist.
  We know that, because fewer than 4 years later, a Russian 
intelligence agency used a supply chain attack on Microsoft and 
SolarWinds to penetrate thousands of networks, including those of the 
Federal Government. In response, the United States--you guessed it--
expelled some Russian diplomats.
  For the bad guys, the cost of doing business is very low indeed.
  It is time to strike back using our unparalleled offensive cyber 
capabilities with the ferocity and precision and, yes, the 
proportionality that these and many other cyberattacks would have 
provoked had they been undertaken kinetically.
  Let's hurl the full weight of the American legal, diplomatic, and 
cyber capabilities against DarkSide and the organizations or countries 
that assisted it. There is no reason why our immense power, if applied, 
can't result in jailed hackers, businesses sanctioned into bankruptcy, 
emptied bank accounts, and melted computers.
  The same goes for Putin, who draws no formal distinction between the 
Kremlin and the private groups who supply it with propaganda, 
mercenaries, and hacking services. Putin respects only the 
Machiavellian language of force and retribution. For him, all else is 
tactical. So let's demonstrate the cyber capabilities we have spent 
billions of dollars developing. Let's make sure that he and the 
oligarchs who support him feel the fear and anxiety felt by millions of 
Americans contemplating crashed email systems and gasoline lines down 
the street.
  The objection to my arguments has always been consistent: that as a 
highly networked nation, we are particularly vulnerable to a cyber tit-
for-tat. In a cyber exchange, the Russians, the Chinese, or the 
Iranians might choose to attack our critical infrastructure, like, say, 
a gasoline pipeline. Yes, there is risk, but that risk must be weighed 
against the fully unacceptable status quo.
  Hitting back isn't the only answer. It is part of the answer. In this 
new world, a credible deterrent must be combined with clearly 
articulated international rules, norms, and an understanding of our 
national doctrines: all the things that helped keep the Cold War with 
the Soviets from becoming hot.

  Above all else, however, it is time to change the game and impose the 
meaningful costs that will finally deter our adversaries. Until we do, 
we are all just waiting for the next Colonial Pipeline attack.

                          ____________________