Homeland Security Chairman Garbarino wants to see offensive cyber in forthcoming strategy
WASHINGTON – House Homeland Security Chairman Andrew Garbarino (R-N.Y.) said that he wants to see proactive offensive cyber capabilities take a prime role in the White House’s forthcoming national cybersecurity strategy.
“I think there should be more of a focus on offensive cyber,” Garbarino said today at a McCrary Institute and CrowdStrike event, adding that he also would like to see strategy components on regulatory harmonization and beefing up the cyber workforce.
“We have to focus on all these things if we’re going to be successful in our cyber defense,” he said, emphasizing that “offensive capabilities has to be part of that plan.”
Garbarino noted the urgency of these efforts given “the data that is being stolen daily” by China and other adversaries. “We have to do whatever we can to win this race,” he said.
“We’re not going to firewall our way out of this problem,” McCrary Institute Director Frank Cilluffo said, agreeing with the need for offensive cyber capabilities and stressing that “we need maps and we need rules of the road” to move forward. “We need to know where we want to go.”
CrowdStrike Chief Privacy Officer Drew Bagley described the evolution of the China threat in terms of the “smash and grab” hacks of a decade ago to the “strategic, long-term intrusions” of today – pre-positioning in critical infrastructure in some cases, waiting for a conflict or other pertinent moment to strike, or conducting a long-term espionage campaign including targeting high-profile political or business leaders and going after intellectual property.
Bagley also underscored that in today’s landscape “you can buy your targets” with hackers harvesting and later selling credentials. “We have this democratization of destruction that’s occurred,” he said.
Bagley said he’d like to clarity in the strategy about how the federal government is securing its own networks as well as government leadership on both leveraging and securing AI. He also said he hopes the strategy is evergreen, adapting to adversarial tactics and objectives.
Garbarino said his committee and the House Select Committee on the Chinese Communist Party are focused on the level of personnel that China has in the cyber arena compared to the United States. “We are grossly outnumbered,” he said.
Garbarino said he intends to ensure that committee members go beyond Capitol Hill to see what operators and partners are doing to secure critical infrastructure sectors. “You need that information sharing; you need that partnership,” he said.
At the same time, there “needs to be better sharing of information both ways,” he stressed, noting that the government is “very good at taking” while “we’re not very good at sharing information.”
Other committee priorities include focusing on harmonizing cyber regulations and figuring out how to get more people into the cyber workforce. Garbarino’s predecessor at the helm of the committee, former Rep. Mark Green (R-Tenn.), reintroduced in February the Cyber PIVOTT Act, which would establish a scholarship program to help address the cyber workforce shortage. Rep. Sheri Biggs (R-S.C.) assumed sponsorship of the bill in September.
Garbarino acknowledged there are a lot of ideas to work through when it comes to closing the country’s cyber gaps. “We have to do better, because in some ways adversaries are eating our lunch,” he warned.
The unique security challenge faced by operational technology, including visibility gaps and vulnerabilities in legacy systems, “really freaks me out,” the chairman said.
Bagley said the cybersecurity community needs to think about its own tailored version of how the physical security community views soft targets, such as an open-air event, versus hard targets such as a fortified military base.
Garbarino lauded the example set by the proactive security undertaken by critical systems operators outside of the federal government. “If the private sector didn’t control 75% of critical infrastructure, we’d be screwed,” he predicted.
Still, he said, the government should do a better job working with state, local, tribal and territorial partners to confront evolving threats.
Using the water sector as an example, Garbarino emphasized the downstream affect that an attack on one critical infrastructure sector has on others. “We need to be looking at that as national security issue” and address the “weak, low-hanging fruit that could really cause a problem,” he said.
“Luckily we have not had a mass casualty event – we’ve had things that have cost a lot of money, that have made people’s days difficult, but we have not had a mass-casualty event,” Garbarino said, adding that “we haven’t had to react to anything like that yet and I’m very scared about that.”
“That’s why we need to have a bigger focus on being proactive and fixing this before something bad happens,” the chairman said. “We don’t want anything bad to happen. That’s why I keep talking about it.”