January 5, 2017

Whitehouse Delivers Cybersecurity Recommendations for Trump Administration

Senator praises the work of bipartisan Cyber Policy Task Force and signals action on legislation to improve cybersecurity and combat growing cyber threats

Washington, DC – Today, Senator Sheldon Whitehouse (D-RI) joined House Homeland Security Committee Chairman Michael McCaul (R-TX) and members of the Center for Strategic and International Studies’ Cyber Policy Task Force to announce recommendations to the 45th President for strengthening the nation’s cybersecurity. Whitehouse, Ranking Member of the Senate Judiciary Subcommittee on Crime and Terrorism, served as a co-chair of the Task Force.  The recommendations were included in a report released by CSIS this week.  In his remarks at today’s event, Whitehouse praised the work of the Task Force, Chairman McCaul, and Congressman James Langevin (D-RI), who chaired the CSIS task force that drafted recommendations for the 44th President and leads the Congressional Cybersecurity Caucus.

“This past election has proven just how important it is for the President-elect and his national security team to appreciate the scope and the severity of the cyber threat we face,” said Whitehouse. “I look forward to carrying on this bipartisan work with my colleagues in the Senate and with cybersecurity leaders in the House like Congressman Langevin and Chairman McCaul, and I will continue to encourage the incoming administration to adopt needed reforms to the Executive Branch.”

“I want to thank both Chairman McCaul and Senator Whitehouse for not simply putting their names on a report but having been an active influence in all of our work.  They’re walking the walk,” said Frank Reeder, Co-Founder and Director of the Center for Internet Security.

Senator Whitehouse has authored comprehensive cybersecurity legislation, prepared the Senate Intelligence Committee’s first cyber report, and worked with members of both parties to call attention to the growing cyber threat.  In 2010, Senator Whitehouse chaired the Intelligence Committee’s Cyber Task Force.  As Chairman of the Senate Judiciary Subcommittee on Crime and Terrorism from 2011 to 2014, Whitehouse held regular hearings on the cyber threat, including hearings on the role of law enforcement in responding to cyber attacks and on the dangers that cyber-enabled intellectual property theft poses to American businesses.  Last year, he introduced bipartisan legislation to disrupt botnets and make it easier to hold accountable those who create them.

The Task Force’s report is available here.

Complete footage of the event is available here.

A transcript of Whitehouse’s remarks is below.

First, let me thank Chairman McCaul, for whom this is a second effort. Eight years ago he led a similar report with Congressman Langevin, also of Rhode Island, and there were many dozens of people who were involved in this product and I want to thank all of that enormous group who did such exceptional voluntary work. In particular, I want to thank Jim Lewis for his dedication and persistence in shepherding this effort to completion.

Recent events show just how important it is for the President-elect and his national security team to appreciate the scope and the severity of the cyber threat.  The recommendations offered here lay out a path forward for government and the private sector to collaborate in making our country safer, and I sincerely hope they will receive due consideration. 

The report offers guidance related to a number of key priorities, such as better securing critical infrastructure and services, and improving “cyber hygiene”; bringing cybersecurity and the protection of vital data to the highest levels of corporate management; streamlining bureaucracy at the White House, creating an office within the Government Accountability Office devoted solely to cybersecurity, and defining federal agencies’ cyber roles more clearly; and working closely with our allies against common cyber threats – efforts like building voluntary international cooperation and standards to fight botnets and sophisticated financial crime. 

Let me emphasize a few of these items here today.

Chairman McCaul has talked about ways to improve the Department of Homeland Security’s performance of its cybersecurity mission, and I share his view that organizational changes could reap significant rewards. 

In particular, I’d like to see the creation of a roving Inspector General for Cybersecurity – an independent review and “red-teaming” capability – to conduct white-hat penetration testing and evaluate cybersecurity performance across the civilian agencies of the federal government. 

Cyber responsibilities are currently spread across 73 different Inspectors General, and it is not reasonable to expect all 73 of those offices to have adequate expertise and capacity to do more than simply check compliance with minimum standards. 

A single, specialized, independent office could both attract world-class talent to the government and spur federal agencies in the direction of more effective cybersecurity measures. 

The report includes my recommendation that a new oversight and evaluation capability be created within the Government Accountability Office and provided with the white-hat authority and resources to accomplish these goals. I think it is important that white-hat penetration authority be a part of this.

Understanding our vulnerabilities is one important first step in improving our defenses.  We also need to clearly communicate to the American people the seriousness and the breadth of existing threats.  The warnings from our intelligence community, from DHS, and from private-sector cybersecurity experts about the Russian government’s involvement in hacking operations designed to influence our election, about hacks into DIB, about industrial espionage – on a scale that has been described as the largest illicit transfer of wealth in history – among others, are a wake-up call that we ignore at our peril. 

Few non-specialists truly understand our vulnerability to a wide range of cyber threats, from hacking and the theft of private data to cyber attacks on critical infrastructure like public utilities or the banking system.  We must do a better job of sharing this information with the public – and of making Americans aware of the measures their government is taking to deter and respond to such threats.  An educated public is a democracy’s first line of defense. 

That is why I encourage the new President to designate a cybersecurity discloser in the Executive Branch, empowered with broad declassification authority and charged with clearly, constantly, and concisely reporting such information to the American people.  One obstacle to transparency is the culture of over-classification that pervades the Executive Branch.  Information about cyber attacks is reflexively classified, making it difficult to report to the public what we know about the actual state of our cyber vulnerability.  But much of this information does not truly implicate intelligence sources and methods, and the benefits of increased public awareness will often outweigh the risks posed by its release.  True cybersecurity requires all hands on deck, so we must find a way to provide appropriate disclosure of threat data and intrusion reports.  The report acknowledges this fact, and it includes a recommendation that a senior cybersecurity official be empowered to perform this task, and stress-test. 

Finally, I think that the NIST/Homeland Security “framework” process has been successful, but with a new administration coming in it would be both wise and prudent to stress-test the results that have been achieved of that framework process and make sure that the resulting cybersecurity improvements are adequate to the threat that presents itself.

The task force’s report addresses these issues and many others, and I appreciate the dedicated work of all those involved in its production.  It shows that cybersecurity is an area ripe for bipartisan cooperation in the 115th Congress. 

In the Senate, I’ve been working with Lindsey Graham to counter and disrupt botnets, protecting our critical infrastructure from attack by these armies of lurking zombie computers. 

My friend Jim Langevin – who leads the Congressional Cybersecurity Caucus alongside Chairman McCaul, with whom he also co-chaired this CSIS task force in 2008 – has been a leader on cybersecurity issues for the last decade in the House of Representatives.  He has worked to improve coordination between government and the private sector and to focus attention on the protection of critical infrastructure, as well as raising the profile of cyber attacks as an emerging national security threat on the House Armed Services Committee. 

And two of his biggest priorities – educating, training, and incentivizing a capable cybersecurity workforce for the future and designating a senior official with the authority to shape cybersecurity strategy and policy across the government – can be seen right at the heart of this report.  I appreciate Congressman Langevin’s continuing efforts and I’m proud to be his successor as the McCaul co-chairman on the CSIS effort.

I look forward to carrying on this bipartisan work with my colleagues in the Senate and with cybersecurity leaders in the House like Congressman Langevin and Chairman McCaul, and I will continue to encourage the incoming administration to adopt needed reforms to the Executive Branch to get this done.


Press Contact

Meaghan McCabe, (202) 224-2921