Rep. Elissa Slotkin, D-Mich., said today that in a world free of constraints she would want companies to need cybersecurity hygiene certifications in order to deal with the Federal government.
While there have been efforts in fits and starts to require cybersecurity certifications to deal with the Department of Defense – notably through the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) Program – Slotkin said at the ICS Hack the Capitol event on May 4 that she would want cyber hygiene requirements for companies dealing with anyone across the government.
“I would love to see a situation where companies that want to do business with the government have to be certified for their cyber hygiene,” Slotkin said. “That literally there [would be] certain requirements in order to be considered cyber hygienic, and I think that it would give a lot of calm to a lot of people if they knew, ‘hey, I’m dealing with a company that really takes cybersecurity seriously.’”
Slotkin said such a move would also put pressure on other companies in the industry to step up their game from a cybersecurity perspective. “It would also peer-pressure companies who maybe don’t think about this enough to do more on this front,” she said.
Additionally, Slotkin – continuing to answer under the assumption that monetary or resource constraints were no issue – said she would put a greater emphasis on getting cybersecurity out into the mainstream.
“We have to get cybersecurity into the bloodstream in an even more intense way,” Slotkin said. “I love hacking expert events and all these exercises that we do at universities to get it into the bloodstream and get young people thinking about this as a career field.”
Slotkin also reiterated calls for a comprehensive cyber response doctrine and called for more expansive cyber war games efforts to help flesh out that doctrine.
“We all talk about preventing a cyberattack on the homeland. That’s what we want, obviously. But I’m not so sure that we think about in the [United States] government what do we do the day after,” Slotkin said.
Positing a situation where a Russian-linked or affiliated group were to take out electric power in Michigan in the middle of winter, leading to deaths, Slotkin asked, “What is the proportional response? What do we do in the two hours, 10 hours, 24 hours after that?”
“In the United States, we have a doctrine of proportional response,” she said. “And I think while we have a community that looks at offensive cyberattacks in a military context, and looks at defending against cyberattack on the homeland, we don’t have a ton of big brains thinking about the doctrine when they attack our civilians successfully and how we respond to proportion.”
“I would love to see way more War Games that are not just Homeland Security over here and DoD over here doing their own silos of excellence,” Slotkin said. “But actually combining together and doing these exercises together, so that we can try and flesh out what the doctrine is going to be.”