Rep. Jim Langevin (D-RI) said Monday he is looking to focus on oversight of new cyber security legislation and advancing workforce issues over the next year.
Langevin, ranking member of the House Armed Services Subcommittee on Emerging Threats and Capabilities and co-founder/chair of the Congressional Cybersecurity Caucus, said Congress will move more into an oversight role on cyber issues to see if recent legislation is working.
Congress is moving “to look at the degree to which the cyber sharing legislation is having the desired effects or if not why not” and how increased machine-to-machine information sharing is being implemented, he said at a New America cybersecurity conference.
“I think the other thing that we need to look at and something that I will be focusing on a great deal over this next couple of years is metrics. Focusing on what is working and what is not working. Because it’s one thing to have these policies and this framework in place but if we don’t know the degree to which they’ve been adopted or the degree to which they’ve been effective then we’re doing a disservice. So I think this is going to be a time for oversight,” Langevin added.
He noted there is currently no entity charged with determining metrics for whether cyber security legislation is working so he will work on that in Congress. Langevin raised the idea of using the National Science Foundation (NSF) or NIST, but neither entity has the resources necessary to determine metrics and weigh them properly now, he said.
Langevin said he is currently in the process of drafting legislation on metrics requirements, report requirements, and the cost involved. He expects within a short amount of time to have the legislation ready with the help of the Congressional Research Service (CRS) and will put more meat on the bones of measuring cyber legislation effects.
At a panel discussion on cyber workforce issues, the congressman said the U.S. is woefully under-resourced in the field. The country has to start thinking of getting younger people more interested in IT, programming and other cyber issues in elementary, middle, or at least high school, Langevin said. He noted Rhode Island has started those efforts where Microsoft [MSFT] is partnering with the state to offer coding classes to every high school in the state.
Langevin also said the perception needs to change from hackers being men in the basement wearing hoodies. Many hackers and talented cyber users are just good at IT, like to tinker or solve puzzles, and may have a master’s degree or PhD.
He applauded former Defense Secretary Ashton Carter for embracing bug bounty programs that found dozens of vulnerabilities on Defense Department websites for prizes worth over $100,000 (Defense Daily, June 17, 2016). Langevin contrasted that to spending millions of dollars to find only five or six vulnerabilities using other contracting methods.
Langevin also commented on a possible NSA-Cyber Command split, where the U.S. international strategy should move, and Congressional committee jurisdiction problems.
He is happy with the Cyber Command advances so far with increasing operational readiness (Defense Daily, Oct. 27, 2016). “Clearly modern warfare has forever changed. You’re never going to see modern warfare again break out in either small scale or large scale without some kind of a cyber component to it. So we’re moving in that direction and getting more proficient at using our cyber capabilities.”
However, Langevin said he does not believe the NSA and Cyber Command are ready to split into completely separate organizations, partially because in many ways one is dependent on the other.
“The relationship will always be there, whether it’s going actually be split some point down the road, it’s very possible but I think it’s a ways away,” he added.
On international strategy Langevin said, “Well I really do believe that we need some more clarification in terms of international agreements and establishing international norms of what’s acceptable and not acceptable in cyberspace. And too much of it is the wild west out there right now in cyber and the more we can have countries come to the table and develop these rules of the road the better off we will be.”
He lauded the agreement between former President Barack Obama and China’s leader Xi on refraining from cyber-enabled theft of commercial software and said we are seeing benefits as a result of that (Defense Daily, Sept. 25, 2015). However, on broader international cyber issues there are still challenges.
“There’s talk about a cyber Geneva Convention as a route and I think that is a laudable goal and we should work towards that.”
The congressman also highlighted that most members of Congress are not digital natives and that jurisdictional boundaries are a bigger problem on cyber legislation than mere partisanship. Langevin said upwards of 80 separate committees and subcommittees oversee cyber issues, which is one of the leading reasons more cyber legislation does not get through Congress.
“Cyber isn’t everybody’s issue in Congress and I think one of the most important things that we really need to focus on is bringing down the jurisdictional boundaries and battles that go on.”