Rep. Jim Langevin, D-R.I. – one of the pioneering policy voices in Congress on cybersecurity issues – told MeriTalk in an exclusive interview that legislative oversight of Federal government actions in the cybersecurity arena remains “absolutely essential.”
“I do believe that congressional oversight here is absolutely essential,” said Rep. Langevin, who chairs the House Armed Services Committee’s Subcommittee on Intelligence and Emerging Threats and Capabilities. “It’s really important,” he emphasized. The congressman, who co-founded the Congressional Cybersecurity Caucus in 2008 with Rep. Michael McCaul, R-Texas, talked about a range of pending legislative and policy issues in a wide-ranging interview on July 24.
CIA Cyber Ops Order
Asked about a July 15 Yahoo News report that said the CIA has received White House clearance to conduct offensive cyber operations, Rep. Langevin said, “I can’t comment on that since I have not been briefed on that.” He added, “I can neither confirm nor deny that such a program exists.”
The congressman said he is “briefed regularly about the activities of U.S. Cyber Command and actions taken under NSPM-13,” referring to National Security Presidential Memorandum-13 issued in 2018, a document that governs military cyber operations.
“I support NSPM-13 and the more forward-leaning strategy in cyberspace to defend forward and to defend early,” said Rep. Langevin. “If we found a botnet or some entity that was trying to meddle in our elections or trying to cause harm to critical infrastructure, taking that server down would be an appropriate step.”
“That’s what I would consider within bounds and within proper norms to protecting the country in cyberspace,” he said. “If you’re going to get beyond that, we have to be very cautious that actions that we take don’t signal to other countries that it’s okay that in peacetime you’re targeting areas that are outside of that construct.”
While he is “very supportive” of NSPM-13, Rep. Langevin also said he is “concerned, in some ways, [with] congressional oversight, writ-large, on cyber.” He continued, “it’s such a big topic and an important topic that we should streamline the oversight process.”
The Cyberspace Solarium Commission, a congressionally mandated group responsible for developing a national cyber strategy and on which Rep. Langevin serves as a commissioner, recommended in its March report the creation of House and Senate Select Committees on Cybersecurity.
“In the long-run, I think you’ll see that those type of committees will be necessary to be created,” said Rep. Langevin. “The more coordination and focus we can have on conducting that oversight the better,” he said.
Currently, jurisdiction in Congress over cybersecurity issues is claimed by numerous committees, and taking existing authority away from committees is notoriously difficult. For instance, Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, said in prepared remarks for a July 17 hearing that he disagreed with the Solarium Commission’s recommendation to create new committees for cyber oversight.
National Cyber Director
Another one of the Solarium Commission’s recommendations is for a Senate-confirmed National Cyber Director. Rep. Langevin has sponsored legislation that would house that position within the Executive Office of the President.
“Right now, we don’t have anyone in the government in that kind of a policy role that has both policy and budgetary authority, can see across government, and make sure that we have a cohesive policy on cyberspace, and that departments and agencies are moving with the appropriate speed to update their IT systems and their security vulnerabilities,” Rep. Langevin said.
The House Oversight and Reform Committee held a hearing earlier this month to discuss the legislation and the position – a version of which was eliminated in 2018 by then-National Security Advisor John Bolton. Rep. Langevin’s bill is included in the House National Defense Authorization Act (NDAA), which passed the chamber on July 21.
“The whole purpose of creating a National Cyber Director is that we would have someone that has the policy and budgetary authorities so that we can prevent the OPM hack from happening,” said Rep. Langevin, referring to the Office of Personnel Management hack of over 22 million security clearance files several years ago. “Nobody was there to say, ‘This is a problem and you need to close off this vulnerability.’”
“Had the data been encrypted, had they had more modern IT systems that were easier to patch, manage, and update,” said Rep. Langevin, “we would have perhaps prevented that OPM hack from happening, which caused a lot of long-term security and intelligence damage to the country.”
CISA and the Cyber Director
Rep. Langevin said he was not concerned that the proposed National Cyber Director would overlap with or diminish the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for protecting civilian government networks.
“CISA is still going to be the operational arm for cybersecurity,” Rep. Langevin said. “In the same way that U.S. Cyber Command is the operational arm for the military, CISA is the operational arm for the .gov domain and also the primary liaison with the private sector to protect . . . private sector critical infrastructure.”
“Right now, you don’t have anybody in the Executive Office of the President advocating for the CISA equities on a consistent basis and creating cohesive policy on cybersecurity,” said Rep. Langevin, who added the Director would be able “to advocate directly to the president” on cyber policy.
With Rep. Langevin’s National Cyber Director bill included in the House NDAA and a provision to further study the position included in the Senate NDAA, the details will have to be sorted out in final legislation produced by a conference committee.
“With a National Cyber Director that’s Senate-confirmed, actually that person’s going to amplify the voice of CISA, and protect CISA’s equities, at the highest levels,” he said.