Congressman Jim Langevin: What Congress Is Doing to Ensure Cybersecurity - Ep. 70
Congressman Jim Langevin, a recognized party leader on cybersecurity, discusses what Congress is doing to ensure cybersecurity, starting with the soon-to-be-released Cyber Security Solarium Commission report.
Episode Table of Contents
- [02:25] Ensure Cybersecurity With US Cyber Solarium
- [07:04] From Small to Encompassing Tactical Recommendations
- [12:24] Ensure Cybersecurity by Securing the Supply Chain
- [19:12] Where Do We Need to Require or Incentivize to Ensure Cybersecurity
- [24:47] Improving the Whole Cyber Ecosystem to Ensure Cybersecurity
- About Our Guest
Ensure Cybersecurity With US Cyber Solarium
Arika: Hi and welcome to To The Point Cybersecurity. This is one of your hosts, Arika Pierce, and joined as always of course by Eric Trexler. We’re very excited this week; we have a guest that is a member of Congress. We have Congressman Jim Langevin, a member of the House Armed Services Committee and the Committee on Homeland Security, a co-founder of the Congressional Cybersecurity Caucus, and a member of the US Cyber Solarium. So you keep quite busy, Congressman.
Jim: Definitely, it's a busy time and certainly you talk about cybersecurity, it's an issue that keeps me very busy.
Eric: You're a huge champion on cybersecurity and I think the country owes you a debt of gratitude for that.
Jim: Well, that's very kind. I kind of fell into this by accident. I didn't know cyber's going to be a major focus of what I'd be working on in Congress. In 2007 I chaired the Homeland Security subcommittee that had jurisdiction over cyber. I realized the cyber vulnerabilities that existed in our critical infrastructure.
Jim: That's where the damage could be done through a cyber attack. It could actually lead to physical damage or potentially loss of life. It really got my attention and realized we needed to do more. Do something about it and focus more attention on this issue.
Arika: We have quite a few things we'd love to talk to you about today. First, I'd just like to talk a little bit about the US Cyber Solarium commission that you're on. I know we are to expect a report out soon. I know Congress has been working quite hard on this.
An Overarching Strategy to Ensure Cybersecurity
Arika: Do you have anything you can share with us in terms of what we can expect. And why it was so important to convene this type of commission at this time?
Jim: Created in the FY 19 NDAA, National Defense Authorization Act, and the Solarium commission was charged with creating an overarching strategy to better protect the country in cyberspace. I have the honor of serving with 14 commissioners that are top experts in their field on cybersecurity.
Jim: There were people from the executive branch, the legislative branch, and the private sector. I have never served with a finer group of people and experts on this topic who really took the responsibilities seriously.
Jim: Put in the hard work over 10 months and about a thousand hours of debate and study and doing a deep dive with some of the brightest minds on this topic. I was just humbled and very privileged, very honored, to be a part of these efforts.
Eric: Back in the Eisenhower days, the first Solarium was commissioned. It began, I guess to deal with the emerging threat from the USSR. What do you see in the future coming out of this Solarium, from a benefits or a results perspective?
Jim: I definitely think that we should replicate this process from time to time. With the executive, the legislative, and private sector participation. The country will be better off because of the quality of the debate, the dialogue, the input collaboration that occurred.
Understanding How Cybersecurity Is Broken
Jim: And so yes, I think it was an important exercise. As much as I have learned about cybersecurity over the years, I was still learning more. And it allowed me to do a deeper dive on a topic that I've already done a deep dive on. I thought I knew a lot but realized how much more I still have to learn. And how it's just a very dynamic topic.
Eric: What's the most fascinating, the most unexpected thing you learned that was like, "Wow, I never thought about that. Or I thought about it, but I thought about it very differently." Was there any key moment or any key item that came up that comes to mind?
Jim: The most surprising thing is how all the commissioners came to understand that congressional oversight and cybersecurity is broken. And coming to the process I thought I'd be a lone voice in the wilderness on this topic as I've been for about the past decade-plus. But it really ended up being a core recommendation in the report.
Jim: Right now we have some 80 different committees and subcommittees that have jurisdiction over cybersecurity. We're not able to do adequate oversight. Or move with the agility with which we need to move to tackle this complex topic. Especially when there are glaring vulnerabilities that need to be closed and done so quickly. The process just doesn't lend itself to that. I'm pleased that a core recommendation is really overhauling and streamlining congressional oversight.
From Small to Encompassing Tactical Recommendations
Arika: We've seen it happen at the administration level in terms of some of the consolidations and the overhaul. Seeing it happen at the congressional level really align in terms of even the checks and balances that our system is supposed to have. Do you think there'll be legislation that will move that initiative forward or just some realignments?
Jim: Yes. For the many different recommendations, there will be some total of about 75 recommendations that range in scope from small tactical ones to recommendations that encompass aspirational organizational change. But for all of these topics, much that you're going to see are the legislative proposals. And also working concurrently on bill language that we can introduce shortly after we roll out the report.
Eric: This deals not just with the US government, but really protecting the entire American people, the economy, the entire nation, correct?
Jim: That's right. From the get-go, the charge to the Solarium commission was to chart a course creating an overarching strategy that best protects the country in cyberspace. So not just about protecting the executive, the legislative branch, or the private sector. It's holistic.
Jim: It was a holistic approach and recognizing that this isn't just a government problem. It's not just a private-sector problem. It's a whole of nation challenge and security threat that we need to have a whole of nation response to.
Jim: And by the way, it's not just a US problem. It's an international problem and challenge and we have to have an international engagement as a component of keeping the country safe.
The Funding It Would Cost to Ensure Cybersecurity
Eric: So that's within scope, then. Not just dealing with nation-states that are attacking the United States, also our partners out there who are being attacked. That's in scope?
Arika: That's great. It's interesting to see the level of focus that we see on cybersecurity these days. And then of course there's always the budget piece of it. And we saw the president's proposal come out recently. Any thoughts there? There's been a little of a back and forth on what we saw from a cybersecurity perspective. As far as the funding for different departments and agencies.
Jim: That's part of where congressional oversight comes in. We've spent billions of dollars working to protect the country in cyberspace. We've gotten some things right. Others, we still have a lot of work to do. But one of the things that I see, well it's a good thing, good response.
Jim: Obviously when I first started this, US Cyber Command didn't even exist. And then we have the Cybersecurity Infrastructure Security Agency and that's getting better organized.
Jim: There's a number of things that need to be changed and improved to streamline authorities, and put someone in charge. One of the things is that, at a time where cybersecurity is growing in importance, we need an entity like CISA to grow its capabilities and expertise. And in the president's budget that was submitted yesterday, CISA's funding is down.
CISA’s Increasing Roles to Ensure Cybersecurity
Jim: It's something I need to take a look at and why? Because CISA's roles and responsibilities are not decreasing. In fact, they're increasing. Needs to be able to stand on its own and not just rely on reach back to Cyber Command or NSA for its expertise.
Eric: When you look at authorities and who really owns the problem, as you said earlier, there's no one entity. In fact there are dozens or more than a hundred maybe. CISA is definitely a point where a lot of things come together. So cutting funding seemed bizarre to me.
Jim: It seemed too bizarre to me too. Very troubling, especially where we expect CISA to be the point agency to interact with the private. And they are the ones that both will bring capabilities to bear if need be or will help to mitigate problems. And we're also working with states and local governments on things like election security.
Jim: If we want state boards of elections or cities and towns to be priority customers and be able to call on resources at the Department of Homeland Security to secure the cornerstone of our democracy, elections, CISA has to have the resources and support to be able to give that support while not neglecting its other areas of responsibilities. So cutting CISA, to me, made no sense in that legislation, in the budget proposal.
Eric: Agreed. So let's switch gears for a second. We've had Katie Arrington on from the DOD talking about the cybersecurity maturity model certification. We've had other guests talk about supply chain challenges, the DOD supply chain. What is the Solarium doing around that, if anything?
Ensure Cybersecurity by Securing the Supply Chain
Eric: Are you looking at the supply chain? Katie mentioned there are over 300,000 US companies, and partners or foreign suppliers that are impacted by attacks to the supply chain. Are you guys on the Solarium, are you looking at that?
Jim: Yes. And that's something else. Supply chain security is something that I'm concerned with and we've tried to make improvements to the NDAA on this topic of securing our supply chain. But the federal government's buying power is an important point of leverage in cybersecurity.
Jim: And I've been closely following the development of the CMMC, and this essentially requires contractors who provide products and services for DOD to meet certain cybersecurity standards. So I also worked last year to include sub-stream metrics and new pathways for software acquisition that we set off in the FY 20 NDAA.
Jim: So supply chain security is growing in importance and a topic that needs to be front and center.
Eric: Now they're moving quickly. And I believe it's a huge way to really change the way American companies protect themselves, because they want these contracts and it'll make them stronger, it'll make them better. I mean, just the other day we saw four members of China's PLA indicted for Equifax.
Eric: We know that there are nation-states and others coming after, not just our government's information, but personal information, corporate information, theft of trade secrets. And that's just not okay.
Jim: No, it's not. And that's why we need to have a whole of nation response to and an effort to better protecting the country in cyberspace.
Responding to Cyber Bad Actors
Eric: How do we do that? So we're working CMMC, we've got CISA in place. What else? Any other recommendations or sneak peeks into the report that you'd want to share with us potentially?
Jim: On the Equifax issue, there's a couple of things. First of all, I think it's important that we have a whole of nation response. In some ways it may be a cyber response. In other ways it might be a sanctions or indictment.
Jim: So I think what the DOJ did in indicting the four Chinese nationals is exactly the type of response I would expect to see from the United States government in how we're responding to cyber bad actors and trying to hold them accountable.
Jim: But I will also say that it's equally important that private companies, just like the government, need to do more to protect customer data, citizens' data. Practicing good cyber hygiene and doing things like encrypting data both at rest and in transit is another major step that can be taken for private entities. And the government to do more to protect the data that they're charged with protecting.
Eric: Yes, we must do a better job as a nation, as an economy, as businesses, as individuals. And another question for you. The theme of RSA, the big RSA security conference this year is the human element, protecting the human element. Is the Solarium or are you working on anything around the human element of cybersecurity?
Eric: Looking at what individuals are doing on the networks in companies, not just from an insider threat or a corporate espionage perspective, but just protecting user identities and individuals.
An Urgent Call to Practice Good Cyber Hygiene
Jim: A high percentage of the problems we're dealing with in cyberspace, in terms of cyber vulnerabilities, can be mitigated if we all practice good cyber hygiene. Recognizing that there is no such thing as 100% security, there's never going to be a silver bullet to solving the cybersecurity vulnerabilities.
Jim: But we can buy down that risk to something that is much more manageable. And that's something else that we'll address in the Solarium commission report, this issue of promoting stronger, better cyber awareness and practicing good cyber hygiene.
Eric: 95% of the attacks that have been reported are based on the human element, so I absolutely agree with you. I think it's a major problem. 95% of the breaches, I should say, it's human error. So we need to do more there. What we've been doing as an industry, as a community, from a global perspective, it hasn't been working. We keep spending more and more money and getting further and further behind.
Arika: I think it's important that you guys had, it was a public-private partnership. Sorry about that. How did that work out in terms of even when you're looking at and discussing different issues and challenges, as far as having those different viewpoints from both sectors?
Jim: It was essential to the success of the Solarium project and the commission's work. We could not do this in a vacuum with just representatives there from the executive and the legislative branch. It wouldn't have worked, wouldn't have been successful. We needed private sector input because they're an important part of this equation.
Where Do We Need to Require or Incentivize to Ensure Cybersecurity
Jim: In so many ways, the private sector is where most of the damage can be done. And we need to understand the challenges that private sector is facing. What are the motivations and the incentives for the degree to which they practice good cyber hygiene or protect their networks? Where we need to work to do more, helping to define basically the three levels of what we want a private sector to do and what should they do on their own?
Jim: What more do we need to require or incentivize in terms of the difference between what they do on their own and what government or is it the country's best interest to have them do? Then at the end of the day that third layer of, at what point do we no longer expect a private sector to be able to defend themselves and the government's role and responsibility to step in?
Jim: Just like we wouldn't expect a bank for example, to have an anti-aircraft system on its roof to defend from incoming missiles or bombers. That's the government's role. But we expect the entities to have at least a certain level of security. That is going to allow them to protect themselves.
Jim: When the report comes out, we need also to influence their peers to adopt the recommendations. Because this is something that we're all in this together. The government, the Congress, the private sector all have a role to play.
Bringing the Best of Minds Together to Ensure Cybersecurity
Eric: You're bringing together the government, you're bringing the private sector and academia. You're bringing the best minds from all three to really throw at this problem and come up with some recommendations and better understand it.
Jim: That is our hope for sure. That's our plan.
Eric: If you had one wish, a magic wand for corporate America around cybersecurity, is there something you'd like to say? Like what would you recommend? What would you ask for or do?
Jim: I would say that working more closely on information sharing is important. But also helping us to understand what would help the private sector be more proactive. And working with us to close the vulnerabilities collectively that we face as a country.
Jim: Because what affects private sector in so many ways affects all government as well. So we need to have that closer collaboration. You'll see recommendations in there of how we have more meaningful information sharing to broadly inoculate all of us.
Eric: Once the report comes out, does the Solarium continue or is that kind of the end of it and then we will go work from there?
Jim: The commission at some point will terminate. But I would like to see from time to time that a Solarium-type commission revisits the work that we have done and looks at it. If not as broadly the topic as we have. Do checkups from time to time on where we need to do more.
Refocusing the Country in Different Areas
Jim: Perhaps a Solarium-style commission every so many years I think would be important to take up the topic again to see where we've had successes and where more work needs to be done.
Eric: Kind of baseline and then refocus the country in potentially different areas, or double down on areas that are working?
Jim: I think that we're going to have again, some 75 recommendations. I think it would be important from time to time to have a follow-up Solarium commission style entity. That would look at how well we've done in terms of adopting those recommendations. What else needs to be done, if they haven't been adopted. To get more support behind them, or adjusted legislative proposals, or support for the private sector needs.
Jim: I think this will be an important foundational blueprint document going forward. Because there'll be legislative proposals along with it, I don't believe it's going to be a document that just sits on the shelf. Especially because we had good buy-in with the executive, legislative, and the private sector.
Eric: I hope not. I mean, we need to make this world a safer place online. It's a nasty place right now.
Arika: You said it best, Congressman, we're all in this together. So I think we definitely look forward to the recommendations and working again as partners. To see what we can do to make this world a safer place in terms of our cybersecurity threats.
Improving the Whole Cyber Ecosystem to Ensure Cybersecurity
Eric: We've got to protect the constituents, our employees. We've got to protect data regardless of where it is. Whether the government's housing it or you're at home in your own house or at work. We've got to protect critical data regardless of where it is, Arika.
Jim: What's obvious is that the United States created the internet. We make the most use of it. But we are also most subject towards vulnerabilities. And it's in our best interest to make sure that we improve the whole cyber ecosystem. Make it more secure, so the internet operates the way it was originally intended.
Eric: Exactly. It's too critical to our economy, to our world. We can lead in this area, Congressman. We can as a nation lead in this area and we're here to support you, and I appreciate you pulling this together.
Arika: Thank you Congressman for being with us. We know your schedule is quite busy. So we really appreciate you taking time to be on our podcast this week.
Jim: You're very welcome. I appreciate your attention to this very important topic and glad I could be a part of the discussion today.
About Our Guest
Congressman Jim Langevin
Throughout his career, Congressman Jim Langevin (LAN'-jih-vin) has made Rhode Island’s priorities his own and fought to open the doors of government to its rightful owners - the people of this great nation.
Recognized as a national and party leader on national security, health care and cybersecurity, Congressman Jim Langevin has dedicated his many years of public service at the federal and state levels to the hard-working citizens of Rhode Island.
Langevin is a senior member of the House Armed Services Committee, where he is the Chairman of the Intelligence and Emerging Threats and Capabilities Subcommittee, and also serves on the Subcommittees on Seapower and Projection Forces and Tactical Air and Land Forces.
As a supporter of the critical national security work done by Rhode Island’s defense industry, he has worked in committee to double production of the extraordinary Virginia Class Submarines built in Quonset, meeting military needs and creating hundreds of new jobs.
After fulfilling an eight-year term on the House Permanent Select Committee on Intelligence, Langevin returned as a senior member of the House Committee on Homeland Security, where he serves as a member of the Subcommittees on Cybersecurity and Infrastructure Protection and Emergency Preparedness, Response and Communications.
As part of the Democratic Leadership team, Langevin serves as both a Democratic Regional Whip for New England and a member of House Minority Whip Steny Hoyer’s Senior Whip Team. In these roles, he is responsible for educating other Democratic members on key issues and helping to craft the party’s strategy and legislative agenda.
Congressman Langevin’s Priorities
Securing our nation’s technology infrastructure against cyber attack is a top priority for Langevin. As the Co-Founder and Co-Chairman of the bipartisan Congressional Cybersecurity Caucus, he led the way in raising awareness of cybersecurity issues in Congress and fostering dialogue and debate on the critical questions surrounding this topic.
He co-chaired the Center for Strategic and International Studies (CSIS) Commission on Cyber Security for the 44th Presidency, which made policy recommendations to President Obama. Langevin has introduced the Personal Data Notification and Protection Act to ensure consumers are appropriately alerted when their sensitive information is compromised.
To further improve cybersecurity, he has also introduced the Executive Cyberspace Coordination Act, which aims to strengthen the country’s defenses against cyber threats and reflects concerns listed in the Commission’s report, including the vulnerability of critical infrastructure.
As co-chair of the bipartisan Congressional Career and Technical Education Caucus, Langevin advocates to improve and increase access to training that gives students and workers the skills that best fit the needs of expanding industries. Among efforts to boost Rhode Island’s workforce, he has launched a competition to introduce high school students to the rapidly growing cybersecurity field and has helped obtain funding to start other workforce development initiatives.
The Counseling for Career Choice Act that Langevin introduced in February 2015 would support the development of comprehensive career counseling programs to ensure that high school students are made fully aware of their career and education options prior to graduation.
A voice for those facing serious challenges, Langevin championed passage of a bipartisan bill to expand services for families caring for their elderly and disabled loved ones and authored a breakthrough law to protect foster youth. He is a strong advocate for inclusion and independence for people with disabilities and helped pass the ADA Amendments Act that strengthened the protections of the Americans with Disabilities Act.
His commitment to advancing the science of stem cell research has earned Langevin recognition as a national leader who works tirelessly to educate and encourage his colleagues to embrace medical research in all of its forms. Langevin helped champion the passage of legislation to expand the federal policy on embryonic stem cell research and proudly joined President Obama in 2009 as he signed an Executive Order lifting the Bush Administration’s restrictions on embryonic stem cell funding.
In the 114th Congress (2015-16), Langevin prioritized rebuilding the economy through workforce development, strong skills training and a focus on growth sectors in Rhode Island including IT, cybersecurity, health care and the food economy. He is advocating investments in the middle class, a balanced approach to tax reform and a budget that reduces the deficit without enacting additional cuts to social safety net programs.
Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives, where he established a reputation as a hard-working reformer committed to good government.
In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government” and took on the challenge of reforming Rhode Island’s outdated election system.
Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,” which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.
In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.
Born April 22, 1964, Langevin is the first quadriplegic to serve in the U.S. House of Representatives.
At the age of 16, Langevin was injured while working with the Warwick Police Department in the Boy Scout Explorer program. A gun accidentally discharged and a bullet struck Langevin, leaving him paralyzed. The tremendous outpouring of support from his community inspired Langevin to give something back and enter public service.
Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island.