Skip to content
October 18, 2023

Cybersecurity Awareness Month insights and analysis

In this interview, U.S. Congressman Bennie G. Thompson (MS-2), Ranking Member, House Committee on Homeland Security, discusses the state of cyber security, both in the U.S. and internationally. He addresses national security, ransomware threats, emerging legislation, “target-rich, resource poor” industries, capacity building efforts across the globe and so much more. Don’t miss this!

How does the U.S. plan to bolster cyber security resilience, amidst an increasingly hostile threat landscape, over the next 6-12 months?

Together with Congress, the Biden-Harris Administration has charted an ambitious course to rapidly evolve how the nation approaches cyber security and has worked to mature collaboration between the Federal government, its state and local partners, and the private sector. From Day 1, the Administration has galvanized efforts to enhance public-private partnerships in the face of rapidly evolving international dynamics – from Russia’s invasion of Ukraine, to China’s ambitions regarding Taiwan, to the role cyber tactics may play following Hamas’s heinous attacks against Israel.

CISA’s Shields Up campaign, especially during the early days of Russia’s invasion of Ukraine, serves as a roadmap for how to respond to the cyber security threats we face from China and Iran. Enhanced collaboration with the private sector will enable us to support efforts to defend the networks of our allies abroad and our government and critical infrastructure networks at home.

We must also be vigilant about information operations. Reporting indicates that China is engaging in new disinformation tactics aimed at sowing discord among the American public. Both China and Iran have leveraged influence operations following Hamas’s attacks against Israel to either malign the Biden Administration’s response or curry favor for Hamas, respectively. Unfortunately, my colleagues on the right have attempted to turn conversations about how to deal with the national security threat associated with information operations into another third rail of politics. We cannot let that happen, and we must work to ensure the public is resilient to lies our adversaries pedal by ensuring they have access to accurate, reliable information. Increased transparency a critical component of confronting information operations.

On the Homeland Security Committee, my top priority is to ensure that cyber security remains a bipartisan priority and that my colleagues on the other side of the aisle do not turn CISA into a political hot potato. It is true that Congress has greatly expanded CISA’s budget and authorities while Democrats controlled the House. Those increases reflected long overdue investments in CISA’s critical mission: defending and making resilient Federal networks and critical infrastructure. As our adversaries grow bolder in their ambitions in cyber space, we cannot afford to cut CISA’s budget or attack its authorities.

Should the U.S. revise its approach to ransomware threats, given their potential to disrupt vital American organizations and the economy?

The Biden Administration has implemented many significant changes in how the U.S. approaches ransomware threats. These include disrupting ransomware gangs and taking more proactive steps to help support victims. Programs like CISA’s Pre-Ransomware Notification Initiative also show promise.  Such programs reach out to victims to let them know that their networks may have been breached before ransomware actors encrypt or steal data.

I am hopeful that implementation of the Cyber Incident Reporting for Critical Infrastructure Act will help CISA gain the information necessary to better support such initiatives. Ultimately, while efforts to dismantle ransomware gang networks, prosecute hackers, and disrupt attacks are important, so long as countries like Russia shelter ransomware actors, the threat will remain. Implementing CISA’s vision of secure-by-design and secure-by-default technology will be essential to improving organizations’ defenses.

How can new or emerging legislation assist with cyber protection for critical infrastructure sectors?

During the 116th and 117th Congresses, we provided CISA with several new authorities to enhance the security of critical infrastructure.  Congresswoman Yvette Clarke led three of them: The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), legislation authorizing CISA’s CyberSentry Program, and the State and Local Cybersecurity Improvement Act. Together, these pieces of legislation dramatically improve the Federal government’s visibility in terms of activity happening on critical infrastructure networks, enabling us to detect malicious cyber campaigns earlier and better understand the tactics of our adversaries.  In turn, this will allow us to prioritize security investments and provide much-needed resources to State and local governments. Additionally, current Subcommittee Ranking Member Swalwell enacted legislation to improve cyber security training for the industrial control systems (ICS) workforce.

Getting these bills enacted was important, but ensuring that they are implemented effectively is even more. From an oversight perspective, we will be laser focused on implementation of CIRCIA. We expect that the Notice of Proposed Rulemaking (NPRM) which is due out early next year, will identify the appropriate scope of covered entities and adequately contemplate the need to harmonize incident reporting requirements across the Federal government.

Building upon the progress made in previous Congresses, Subcommittee Ranking Member Swalwell has been working on legislation to formally authorize CISA’s Joint Cyber Defense Collaborative (JCDC).  The JCDC has been the hub of public-private collaboration since its inception, but most notably during the Shields Up campaign following Russia’s invasion of Ukraine and the disclosure of the Log4j vulnerability. Ranking Member Swalwell has worked closely with stakeholders on this bill, and the formalized structure, governance, and accountability measures included in it will ensure that the JCDC continues to serve as a productive hub for public-private collaboration for years to come.

Considering the fact that the private sector controls nearly 90% of critical U.S. networks, what strategies do you propose to assist resource-strapped sectors, like energy and water, in strengthening their cyber security defenses against possible threats?

I have been concerned about “target-rich, resource poor” sectors for quite some time. When I was Chair of the Committee last Congress, I held a hearing focusing on building resilience in the water sector at the Full Committee level and we also heard from water sector stakeholders at the subcommittee level. The witnesses’ insights were invaluable. They told us the Federal government needs to better tailor and streamline the cyber security advice and guidance for “target rich, resource poor” entities that do not have the workforce to absorb volumes of unnecessary information. We also learned that there is a real workforce and training shortage, which is why passing Mr. Swalwell’s industrial control systems workforce training bill was so important.

Moving forward, CISA and its federal partners must make sure “target-rich, resource poor” entities are aware of the free resources and support they provide and ensure that those resources provide security value. The President’s budget submissions have contemplated a Critical Infrastructure Cybersecurity Grant Program, but we have not seen a legislative proposal. I think there is value in the Federal government investing in the cyber security “target-rich, resource poor” entities we rely on every day, and would be interested to understand how the Administration thinks such a grant program could be structured.

How do you envision the U.S. collaborating with international partners in order to address emerging cyber threats and to enhance resilience on a global scale?

One of the key pillars of the new National Cybersecurity Strategy is forging international partnerships. Implementing that effort requires recognizing that our allies around the world are all at different levels of sophistication with regard to cyber security. For those like our Five Eyes partners and other allies with advanced cyber security skills, information sharing has been crucial to developing cyber security advisories and identifying emerging cyber threats. For others, the focus must be on simply building up a baseline cyber security capacity. Just as we work to protect critical infrastructure in the United States, the Covid-19 pandemic highlighted that with global supply chains, disruptions to critical infrastructure elsewhere can also cause significant disruption here at home. We aim to work with our allies and trading partners to improve cyber resilience globally and to make us more secure.

Do you believe that joint cyber exercises and response drills, conducted in partnership with international allies, should be expanded to better prepare for coordinated cyber threats? How can such exercises advance collective cyber resilience?

Russia’s invasion of Ukraine has demonstrated the value of investing in partner countries’ cyber defense capacity and how international cooperation can improve cyber resilience. Expanding participation in joint cyber exercises with allies should help us build on the lessons learned in the Ukraine experience so we can be better prepared for coordinated cyber threats globally. In particular, expanded exercises with partners and allies in Asia should be part of our strategy for preparing for the potential for future coordinated cyber activity in the region. 

How can both the government and private sectors support capacity building efforts in developing nations in order to enhance their cyber security capabilities and to shrink the global risk landscape?

There are many countries in the world that lack the resources for adequate cyber defenses, and we have seen examples of ransomware gangs taking advantage of this limitation. The potential impact is even greater in the event of attacks by nation-state actors against a developing nation. The Biden Administration has increased investment in building up capacity in countries like Costa Rica. I hope to see a sustained effort in providing resources and trainings to help developing countries better secure their networks, including in areas like sub-Saharan Africa, where resources are particularly limited. Additionally, an aspect of building up countries’ cyber capabilities should include expanding law enforcement capacity in partner countries who want to target ransomware gangs and other cyber criminals that may operate in their countries. The private sector should definitely step up to provide trainings in developing countries and by working to develop cyber security products and secure-by-design technology that is affordable for a broad range of countries.

In honor of Cyber Security Awareness Month, what takeaway messages would you like to share with the cyber security community?

Cyber security is a team sport. There is plenty of work to be done and everyone has a role to play – from Congress to the Administration, State and local partners, the private sector, and the public.

To Congress, I urge my colleagues to continue to support and fund CISA’s critical cyber security work. Sound cyber security policy must remain a bipartisan priority and we cannot allow it to be politicized.

I encourage the private sector to continue to engage with Congress and the Administration as cyber security policy continues to evolve. The cyber security legislation we enacted over the past two Congresses benefited enormously from private sector engagement and feedback, and we need continued collaboration to get policies right to reduce systemic cyber security risk.

And to the public, do not be intimidated by cyber security – as a practice or as a profession. Good cyber hygiene does not have to be hard, expensive, or time consuming. Keeping software up to date, enabling MFA, and avoiding phishing are low-cost, high-value ways to stay safe online. We also have a very concerning cyber workforce shortage. Cyber security careers are good careers.  Many do not require a 4-year degree or any degree at all. Training is available, and we are working to make it more accessible.


By:  Rep. Bennie G. Thompson, Ranking Member, Committee on Homeland Security
Source: CyberTalk