Katko Opening Statement In Cybersecurity Hearing
WASHINGTON, DC – Rep. John Katko (R-NY), Ranking Member of the House Committee on Homeland Security, delivered the following opening statement in a subcommittee hearing entitled, “Evolving the Approach to U.S. Cybersecurity: Raising the Bar to Meet the Threats of Tomorrow.”
Ranking Member Katko’s Opening Statement (as prepared for delivery)
Thank you, Chairman Thompson, for hosting this hearing today. And thank you to Directors Easterly and Inglis for joining us to provide testimony on your strategic goals and discuss how Congress can work with the Administration to secure the cyber threats of tomorrow.
We started off 2021 by uncovering the impact of the devastating SolarWinds cyber espionage campaign, but, as we all know, the attacks did not stop there.
While they may seem distant, the Microsoft Exchange Vulnerability, Pulse Connect, and other several significant ransomware attacks, including the attacks on Colonial Pipeline, Kaseya, and JBS, happened this year alone.
As a result, CISA has issued an unprecedented number of Emergency Directives, Alerts, and Advisories regarding serious vulnerabilities and cyber threats. Just this week, CISA announced it was issuing a Binding Operational Directive to quickly remediate known vulnerabilities across the federal enterprise.
The volume of alerts, advisories, and directives goes to show the pervasiveness of vulnerabilities affecting owners and operators of critical infrastructure, and federal networks.
CISA has performed commendable work given the daunting task it has faced over the past few years. This, in part, has been due to additional authorities from the FY21 National Defense Authorization Act (NDAA).
This includes significant authorities such as the ability to issue administrative subpoenas to notify critical infrastructure entities of vulnerable devices, as well as the authority to conduct threat hunting on federal agency networks without advanced notice.
While new authorities are an important piece, CISA must also be fully funded. I have been a strong proponent of responsible growth at CISA, and I’m pleased the House Committee-passed Appropriations bill puts the agency on that path.
We must also move past bureaucratic turf battles and remember that cyber incidents are rarely sector specific. We need to continue building on the resources within CISA as the central agency that can quickly connect the dots when a malicious cyber campaign spans multiple sectors, then share that information across the broader critical infrastructure community.
Director Inglis, this is where I expect you to have an important role. Given your role as the principal advisor for cybersecurity, or as I like to call it, the head coach, the one overseeing the entire federal government’s cybersecurity mission. It’s important that you’re setting the tone that everyone has a role to play and must work together. I look forward to learning more about the various roles and responsibilities of the NCD, the National Security Council, and the CISA Director.
To ensure CISA can successfully carry out its mission, it needs a high degree of visibility into cybersecurity threats and incidents impacting private sector networks. Increased collaboration across governments and private industry is essential. I applaud new initiatives such as CISA’s standup of the Joint Cyber Defense Collaborative (JCDC).
We also need to ensure that information being shared with the private sector is timely, actionable, and meets the needs of a diverse set of cross sector stakeholders. It’s important that there be a high value proposition for entities to partner with CISA—it can’t be a one-way street.
I am pleased to have partnered with Chairman Thompson and Subcommittee Chairwoman Clarke on mandatory cyber incident reporting legislation, as it will be another important tool for CISA to have to protect the critical infrastructure community. But it won’t be a silver bullet.
We live in a world of an increasingly interdependent web of hardware, software, services, and other connected infrastructure. Single points of failure and layers of systemic importance across this ecosystem leave the potential for cascading impact.
Which is why I have been focusing on legislation which would require that CISA designate and prioritize risks to key infrastructure sectors as they work to mitigate cyber risks across the various industry sectors and government entities facing threats from nefarious cyber actors every day.
As CISA nears its 3rd anniversary in a few weeks, it’s incumbent on Congress to ensure CISA is appropriately prioritizing its mission space and focusing on what it does best within its limited resources to address the most pressing challenges in the evolving threat environment.
Between the two highly capable witnesses here today, Director Easterly and Director Inglis, I am confident that our federal government is poised to tackle the growing litany of cyber threats facing our nation.
Again, thank you for being here today, and I look forward to hearing your testimony.