Rep. Jim Langevin, D-R.I., a co-chair of the House Cybersecurity Caucus and one of the few widely acknowledged experts in Congress on cybersecurity, said on Nov. 14 that a lack of data “baselines” on security issues continues to hamper efforts in Congress – and the nation as a whole – to improve security.
Speaking at an event organized by Georgetown University, Rep. Langevin said he took an interest in emerging cybersecurity issues in 2007 when the topic was poorly understood by most members of Congress. “I approached cybersecurity with the zeal of a convert,” he said, and thought that “everyone would embrace it.”
He recounted the course of major congressional efforts on cybersecurity in recent years, and recalled as a turning point a 2013 executive order from President Obama that resulted in the creation in 2014 by the National Institute of Standards and Technology (NIST) of its cybersecurity framework for critical infrastructure sectors.
The congressman said he subsequently “wanted some data on how many people were using the NIST framework,” but said his effort to do that “was knocked down almost immediately.” The potential for finding constructive cybersecurity solutions at the Federal level has been dampened by a lack of such “baseline” data on security, he said.
Since then, cybersecurity has gone from an obscure topic to a much more well-known subject. But Rep. Langevin said that “new-found awareness has not translated into the remedies that I had hoped,” due in part to a lack of hard data about the problem.
On the Federal front, Rep. Langevin said he is particularly interested in cybersecurity assessments for weapons systems, and said it’s “impossible” to make decisions in that regard without understanding hard data about cyber risks. “We need to preemptively measure risks in systems before we acquire them,” he emphasized.
The ability to better secure military and other supply chains, he said, also depends to a “critical” extent on having “good data on supply chains.”
“Without doing a better job of measuring risk, we are setting ourselves up for failure,” he concluded.
The U.S., he said, still needs to figure out a better way to measure the “national risk” of cybersecurity. “I don’t think it will be easy,” he continued, adding, “I believe cybersecurity is a national security imperative…I would love to see the data to prove me wrong.”
Asked about the state of Federal government coordination on cybersecurity, Rep. Langevin replied, “we are getting better…but we still don’t have the right structure in place.”
“We don’t even have anyone in charge,” he said, referring to the Trump administration’s removal of the White House cybersecurity coordinator position in 2018. The Department of Homeland Security (DHS), he said, in many cases lacks the ability to compel other agencies to take action on security.
“I appreciate the work of CISA [the Cybersecurity and Infrastructure Security Agency]” and its director, Christopher Krebs, Rep. Langevin said. He gave the agency “high marks for use of the resources” provided to it, but added, “we need to do more.”
He also recommended that industry and the public continue to “engage with Congress” on cybersecurity issues to keep its attention focused on the problem. For members of Congress, he said, “there are thousands of issues, you can’t be expert on all of them.”