• 5 months ago
During a House Homeland Security Committee hearing prior to the Congressional Recess, Rep. Laurel Lee (R-FL) questioned witnesses about interagency cooperation to improve cyber security infrastructure.

Transcript
00:00 I now recognize the gentlelady from Florida, Ms. Lee, for five minutes of questioning.
00:08 Thank you, Mr. Chairman. Mr. Salufo, I'd like to start with you, please. In your written testimony,
00:15 you stressed the importance of identifying and protecting systemically important entities.
00:21 You said you would like to see this coordination go beyond information sharing and see entities
00:27 engage in joint threat analysis and incident response coordination. What do you think, if any,
00:33 are the inhibitors to entities engaging in these kinds of activities and getting beyond that
00:38 information sharing stage? Thank you, Ms. Lee, and that's an excellent question. I think, just like
00:45 any other environment, trust really is the coin of the realm. It takes a very long time to build,
00:52 and it can evaporate in a nanosecond with one silly comment or one leak or what have you.
00:59 So I think it really does come down to trust and also being honest enough to know where
01:06 one's strengths are and where one's weaknesses are. So I make the case that
01:11 the information sharing sets of discussions, they're all important, but they're tired. Maybe
01:16 I'm just old and grumpy. I've been at this issue a long time. But I kind of feel like we have to go
01:22 beyond all of that, and the only way you really go beyond that is if you play ball together and you're
01:28 actually going to start hunting together. You're actually going to feel the pain together, and
01:32 you're actually going to respond together. So I think, to me, that's where we need to go. All that
01:38 said and done, trust is still going to be. You don't want to necessarily, if you're a company and
01:46 you have intellectual property or if you have PII data that could be leaked in one way or another,
01:52 obviously that comes with consequences. So you want to make sure that you minimize those to
01:57 the greatest extent possible. And do you have any thoughts on how we might do that? Anything
02:04 that you would recommend or think we should be considering in how we could build that trust?
02:09 Yeah, I think the JCDC is a starting point, the Joint Cyber Defense Collaborative out of CISA.
02:15 I think it needs to be scaled. The good thing about JCDC, if there's a crisis,
02:21 they come together well. So when something is going boom in the middle of the night,
02:26 or might go boom tomorrow, they are able to galvanize and rally the troops. The problem is
02:33 that doesn't have sustainability in a day-to-day environment. So we got to figure out how to be
02:38 able to transcend some of that. In my testimony, I touched on Project Fortress, which is a new
02:45 initiative. It's led by Department of Treasury, financial services sector. And then they have
02:53 publicly stated that it's not only going to be a reactive defensive set of issues, but you can turn
03:00 to other tools that Treasury has, such as OFAC, and where they can start looking at unique ways
03:07 to be able to put some pain on some of our adversaries. Because quite honestly, we're never
03:11 going to defend our way out of this problem. We're going to have the same discussion in 10 years,
03:17 if that's all we do. And Ms. Denbo, you mentioned both in your written testimony and in your
03:25 earlier discussion with Mr. Littrell, the CFATS program. And so I know on this subcommittee,
03:30 we're very committed to trying to get that legislation passed. But right now, since it
03:36 has not, I'd like to hear a little bit more from you. First, let's start with what are the benefits
03:42 of the program, and what do you find to be useful about it? Well, I will tell you that
03:49 the program sets a foundation for operators to work from. And one of the biggest values of the
03:57 program, when the program first came out, I was around when the program first came out, and it was
04:01 a very different model than what it is now. And it has actually migrated to a model that is
04:08 extremely functional, where we talked about trust. Trust cannot be mandated. Trust must be earned.
04:15 And that requires an investment of resources on both sides, the operator and the government partner
04:22 or the government regulator. Regardless, that's how we, with the pipelines, are achieving what
04:30 we're achieving with TSA. It's that trust. And so I will tell you that through the Chemical Facility
04:38 Antiterrorism Standards Program, they have been able to help operators learn what can they do
04:47 to maybe minimize or reduce the amount of quantities they have on site, or to substitute
04:54 for that, but more importantly, to provide the securities in place, the physical securities in
05:00 place to protect, detect, and mitigate. I think, and specifically, and yes, we do want reauthorization.
05:08 We've been pushing for that for a long time, so go reauthorization of that. At the same time,
05:15 this is a black eye to that program that there was this cybersecurity breach, but the breach should
05:22 not be looked at just as an issue of that program. It is a systemic issue across the government,
05:30 because it's not just that group that got hit and has been successfully compromised.
05:36 One thing I wanted to mention to something you mentioned earlier, information sharing versus
05:42 incident reporting. There's a difference between the two, and you will get more engagement from
05:47 operators if they are invited to engage in information sharing versus incident reporting.
05:56 That actually, with some cyber policies, triggers negative points for the insured if they are
06:07 incident reporting versus just information sharing, and that comes from myself who
06:12 leads the Downstream Natural Gas Information Sharing and Analysis Center. Thank you.
06:17 Thank you, Mr. Chairman. I yield back.
06:19 General, he yields back. I recognize myself now for five minutes of questioning.