Cybersecurity in the 119th Congress: Insights on What's Ahead from Andrew Howell and Kyle Klein
Show Notes
In this episode of Cyber Focus, host Frank Cilluffo sits down with Andrew Howell, Vice President for Government Affairs at SentinelOne, and Kyle Klein, Deputy Director for Policy and Partnerships at the McCrary Institute. Together, they discuss the evolving cybersecurity legislative landscape in the early days of the 119th Congress. The conversation covers key bills like the Cyber Pivot Act, updates to the Computer Fraud and Abuse Act, efforts to designate space as critical infrastructure, AI regulation, and cybersecurity funding for state and local governments. They also examine the future direction of the Cybersecurity and Infrastructure Security Agency (CISA) and the broader challenges of supply chain security.
Main Topics Covered
- Legislative priorities in the 119th Congress, including reintroduced cybersecurity bills
- The Cyber Pivot Act and its expansion to include four-year institutions
- Efforts to update the Computer Fraud and Abuse Act
- The push to designate space as a critical infrastructure sector
- The challenge of AI regulation and the risk of a patchwork of state laws
- Cybersecurity funding for state and local governments and the fate of the State and Local Cybersecurity Grant Program
- The potential refocusing of CISA’s mission under the new administration
- Implications of the Volt Typhoon cyber campaign and the need for stronger deterrence
- The role of Congress in shaping supply chain security policy
Key Quotes
"Maybe now we're beginning to see the first steps of a new group of lawmakers come in, feel comfortable on an issue, and begin to feel comfortable enough to want to legislate on an issue." — Andrew Howell
"We don't advocate specific legislation or lobby, but in that one, we do have strong opinions." — Frank Cilluffo, on space as critical infrastructure
"The state and local cyber grant program is hugely important to the federal government's partners at different levels of government." — Kyle Klein
"I think at some point you will see some action. I think a lot of members are still just, frankly, trying to understand the extent and severity of [Volt Typhoon]." — Kyle Klein
"If you're going to do something to even slightly change the calculus of global sources of products, then you have to do that understanding that's going to move markets." – Andrew Howell, on the complexities of supply chain security policy
Guest Bios
Andrew Howell is Vice President for Government Affairs at SentinelOne. He previously spent 20 years at Monument Advocacy, lobbying on behalf of numerous technology clients.
Kyle Klein is the Deputy Director for Policy and Partnerships at the McCrary Institute. He previously served as Staff Director on the House Homeland Security Committee.
Transcript
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege this week to sit down with two of the most thoughtful individuals looking at all things Capitol Hill. So we're going to talk about the legislative landscape obviously very early in the 119th Congress, but there have been a number of bills that have been dropped and clearly there will be more to follow. So joining us today we have Andrew Howell, who is a Vice President and runs Government Affairs at SentinelOne. Prior to that, for about 20 years, he worked at Monument Advocacy where he lobbied the Hill every day and had a huge number of tech clients. And we also have our very own Kyle Klein, who is Deputy Director for Policy and Partnerships here at the McCrary Institute, served as the Staff Director on the House Homeland Security Committee and had served in various roles on that same committee for a number of years. Gentlemen, great to have you here. Hey, Frank, for having us. So like I said, it's early on in the new, in the new Congressional calendar year, but there have been a number of bills. So let's start with sort of painting what we think the landscape is, what's being introduced, what's being reintroduced and what we project we'll see in the upcoming year. Either of you jump in, you want to start? Sure. Well, as
you mentioned, Frank, it's still early in the 119th Congress. So most of what folks will see is legislation that is reintroduced from the last Congress because it didn't, for whatever reason, make it into law all the way over the finish line. One of the biggest pieces of legislation I've seen reintroduced so far is from the House Homeland Security Committee and that's the Chairman's bill, the Pivot Act. And we hosted him to
talk about his act recently. Yes, that's right. That's right. That is a reintroduct, reintroduction
from last Congress that's focused on cyber workforce development, creates a grant program for two year schools and now the new version also includes the opportunity for four year schools and universities to participate in the program as well. That also has a Senate counterpart from Senator Rounds that just got introduced as well. Andrew? Yeah, I would just, I
would just say, look, I mean, I think that, that as we look at the, as we look at the legislative horizon for cybersecurity this year, I think you're going to, you're going to wind up seeing an interesting combination of both new ideas. A lot of those new ideas probably related to China given, given the amount of congressional interest there is in the Chinese cyber threat. And then you're going to see lots of bills that didn't get over the finish line last year just because of the odd crowded legislative schedule last year. And Cyber Pivot is a good example of one of those on a longtime issue right. Cyber workforce that we've been struggling to find good answers to. And I think Chairman Green is working really hard to see if he can make that happen. I think it's, it's particularly helpful to have a Senate companion this year which wasn't the case last year. And I think that you're going to see a lot of interesting ideas coming forward because I think you're going to probably see Congress act more on cybersecurity early than you are going to see the administration. I think the administration will come around on cyber, but obviously they have lots of other priorities that are higher up on the list right now than cybersecurity is. So, so I would, I would expect that, that you would, you would see Congress lead the way to a certain degree here and then, and then all of this offices also factor needs to factor in the, the appropriations process and how that's going to play in and how, how policy will be made through spending in the appropriations bill. And that'll be a, that'll be a fun March project for all of us. Yeah,
no kidding. I mean my old adage is policy without resources is rhetoric. So it's a good idea and at the end of the day we do need to tie the two together. But couple of other bills I'd like to touch on very briefly and we mentioned Senator Rounds and his companion bill, Cyber Pivot Act. He also has an interesting he and Senator Gillibrand put forward a new bill that is looking at the, the old Computer Fraud and Abuse Act, updating CFAA, which if I'm not mistaken, and for those of us that will look afterwards, we can easily check that out. I think it was 1986 or 1984 that had originally passed. It had been amended maybe 15 years ago or so. So it's been a while. The world's changed a little bit since then. If I'm not mistaken, the first prosecution was Robert Morris and the big worm incident out of a fellow university up north in New York. But bottom line is that's an interesting bill too. And if I look to see who some of the movers and shakers are, he's two for two pretty early on. Right, says Senator Rounds. But thoughts on that? And that's gonna wind up being a Judiciary
Committee bill. Right. So that'll be even more interesting to see kind of how exactly that winds up playing just given again, committees with lots of work to do and still kind of unclear. It's very unclear beyond the traditional homeland committees, which committees will prioritize cybersecurity activity, you know, in addition to obviously the authorizing committees and the appropriating committees early, early this year. Anything to add to that? Yeah, I think first I
want to go back to something Andrew said about lawmakers sort of leading the way, at least early on in Congress legislating more on cyber. I think that's absolutely true. And I think you see members of Congress being a little more comfortable legislating in this space than you saw, you know, for the last several cycles or at least early on when this was becoming a more predominant issue on the Hill. And I think this bill is actually a really good example of that. It's really moving beyond sort of the more general we need cybersecurity standards or agencies need to be cyber aware and really changing the law. This one specifically would raise the ceiling of maximum and minimum prison time from the current general conspiracy statute of five years maximum to ten to life which if enacted would of course be a pretty strong deterrent for cyber conspiracy criminals. You raise an interesting point there, Kyle, in that, and I think
probably the three of us have talked about this before is you've really seen over the last three, four, five years, you saw really a generation of cybersecurity lawmaker kind of exit stage, right? Yes. Right. And, and maybe now we're beginning to see kind of the first steps of a new group of lawmakers come in, feel comfortable on an issue, and begin to feel comfortable enough to want to legislate on an issue. Right. That is not super simple, not terribly complicated. I think healthcare and tax are a lot more complicated than cybersecurity. But it's an area where members want to feel comfortable. They, they want to know what they're doing before they jump into it. And so I think that, I think we are seeing Senator Rounds is a good example of someone who's becoming more and more comfortable in this space. Andrew Garbarino obviously has been for a while. Chairman Green obviously is getting there now. And I think we're going to see in this Congress probably a new generation of cybersecurity-focused lawmakers come forward. I
hope you're right, because one of the challenges is also being able to figure out how the Hill works, how legislation is actually passed and having some of the requisite knowledge and skill base around cyber. But you're right. I hope you're right because we have had a number of discussions and had some of them on including like John Katko and Mike Gallagher, Jim Langevin, and we've lost a number of the cyber titans, but we need that next generation and hopefully you're right before. And you tee up my next round of thoughts in a, in a second. But before we move off of that, there's just one other bill I want to foot stomp and that is the bill designating space as a critical infrastructure, something we spent a lot of time on here at the McCrary Institute as well as the Cyber Solarium Commission. But thoughts on that? Anything? This seems to be the perennial bill that will be put forward. Do you think we'll get some momentum this time? I don't. Yeah, I don't know
what you think. You know, it felt like last year was a big year where there was a good amount of momentum behind. You had a space, you had other. Structure, you know, other things happening on the National Security Council, etc. Etc. And I think there were more members, like more members of Congress who looked at space cyber and like, huh, this is something we should really think about. Obviously I think we didn't, that didn't get done. But I do think that, that you're probably going to see the need for members to need to get reeducated on this issue and frankly I think you'll need legislative branch engagement too on this in order to see space move forward as a critical infrastructure. But I do think that once there is that level of education, I think we've got enough, there's enough history when you combine it with some new members that you'll probably see this get over the finish line the next two years. I think, I think common sense if you think about it. But
I'm sorry, I think where we. Were talking earlier where members feel more comfortable than
they used to now that they're more educated on cyber issues, I don't think we're necessarily or haven't been to this point there on things like space and AI, which I'm sure we'll talk about later. But with space, I think it's one of those issues where members know it's important the space economy's blowing up. There's so many startups now out there along with the Blue Origins and the SpaceX, so. And also the reliance of other critical infrastructure on space systems. So I do think you'll, you'll get there at some point. It's just the two year clock of each Congress. You know, it can take several cycles for something to make it over the goal line, but maybe this year it is. Well, we don't advocate specific legislation or lobby, but in
that one we do have strong opinions. So let's. You sort of teed up a perfect segue into talking about AI again. I think now you're starting to see some members become a little more comfortable and conversant around cyber, maybe less so around AI. I feel like I'm stepping back about five years ago, five years in terms of congressional legislation. But that doesn't mean we're not going to see action for good or bad. And simultaneously you have states taking steps into legislating around AI. Does that mean we're heading for a patchwork or do we have the potential for a national framework? Where do you see things going vis a vis AI? I think we are headed
on the current trajectory. I think we could end up with a patchwork not unlike where we ended up with a lot of cybersecurity rules and regulations. It's one thing, and often a good thing to have states move out on their own as almost like a test case that the federal government can later use. That's been the case with every area of policy for as long as we've had states. Right. But at the same time, when it comes to things like digital privacy and AI, this is something there. There is a House working group at the Energy and Commerce Committee that got stood up on, on digital privacy with Chairman Guthrie and Vice Chairman Joyce. But
a good move. Maybe we'll actually see something. But you still see people in sort
of this educational what do we do? How far do we go exactly Phase. And so we may end up having a conversation in a few years where we're about regulatory harmonization, just like with AI, just like we are now with cyber. I don't
know, I think, I think. Gives us work to do, but in all sincerity, jumping. That's right. And I think, you know, I think Jay Obernolte too, who led the House AI working group, I think did, did a great job of coalescing that group of members around, around some, some good, solid foundational knowledge that should help them for the next two years begin to move out. I think at the same time that that working group concluded, I think pretty, pretty decisively that in order to have national AI legislation, you actually need to have national privacy legislation. And national privacy legislation is really, really hard. Right. It's because we've come so far in so many states, those preemption questions wind up getting harder and harder. Every year another state acts. And so I think intellectually that's right. I think practically speaking though, that makes advancing comprehensive AI bill pretty hard because. It literally touches everything like cyber. But even more so in
some ways. And frankly, in talking to members and folks in the executive branch about
AI, you can see the comfort level increase as you talk about specific use cases, a use case in an industrial facility or a use case in a cybersecurity instance. Whenever you can talk about AI in the context of use cases, members get a lot more comfortable, which leads me to believe that members will be far more comfortable solving niche use case oriented legislative or regulatory problems via smaller bills than via bigger bills. Andrew, you know, that's a really thoughtful point. Cause at the
end of the day, maybe those in the middle of it every day are speaking to themselves. It's sort of like this, not to be pejorative, but a self licking ice cream cone. You keep going around and around. Truth is, is we do need to articulate and communicate the issues in ways that not only representatives, but more importantly the women and men they serve. I think that's right. And represent. I will never
forget I had a meeting with Michael Kratsios in the first Trump administration about AI when they were beginning to think through what they wanted to do. And as we were wrapping up the meeting he's like, look, I mean you can bring every tech company you want in here, but until end users understand why AI matters to them and is important to them, it's hard to imagine a world in which political figures actually get engaged on this issue. Right. It's a lot more important to have an understanding of what AI means for PepsiCo or John Deere than it is to understand what AI means for Google or Microsoft. And you know, because those are brands that communicate to the public. Well said. And I feel like there are two camps. There's
the doom and gloom and then there's the do nothing let's innovation thrive and there's got to be something in between. Right? That's right, because companies are already using AI,
Right. I mean every day use cases proliferate. I mean, you know, it's ET1. We've got, you know, use of AI and ML on the cyber defensive side of things that's happening every day. And, and, and I think that that is really where, where, you know, those of us who are advocates before the executive legislative branches need to make our case on, you know, legislation or regulation solving specific use case problems that exist that either add friction or slow down the utilization of AI to solve a.
Problem that can actually also correlate and fit into congressional jurisdiction committee jurisdiction. So, yeah, actually one thing, that's one of the challenges. Right. One thing I was going to
add is maybe a slightly more cynical view, but also a true one, which is every committee, when there's a hot, has. A bite of that apple, they want. To bite at it. Right. And so you have the Homeland committees, you have the Armed Services committees, the Commerce committees, the Space and Science committees. All of them are going to try and you know what is my piece of this very interesting pie. And sometimes that's good because they can be highly specialized and specific. But also you can go down the road towards patchwork and competition too. Yeah. And having lived at the
Homeland Security Committee, you know that very well. And looking at it from the executive branch perspective and not just from a rules perspective on the Hill, they still had to go to, gosh knows, how many committees to sing for supper. And that's hard. So you can imagine when you're looking at an issue like AI, just extrapolate that 10x. I think that's right. But again, it does, I think that does open a
more comfortable door for members to actually work on an AI thing. I think you're right. I think you're right. Within the jurisdiction of every community, within the jurisdiction of their committee in an area they know. And that does make a whole lot of
sense. And there's a. I yet to ever suggest a book that people read, but Reid Hoffman has a very interesting book out right now on Super Agency, and it's not about the technology, but rather its application and does it change actual human nature? And I think that's what people get, the philosophical side of it all. So I don't want to be a philosopher because I can very well speak, but it's the truth of it. Before we jump on to next sets of questions, how do you. Healthcare has become front and center in the past few years largely because of ransomware incidents that have proliferated. And when you start thinking about life, death, obviously healthcare comes top of mind to a lot of people. Anything there? I know there's some legislation, if I'm not mistaken, Senator Rosen, There is some legislation. I think it might still
be needing to be reintroduced, but there is a, there is a health care resiliency bill from last Congress with I believe it was Senators Cassidy and Warner. And then there was more of a privacy focused one and cyber data security, one that I believe Senator Wyden and Senator Warner worked on. It's a, it's a big challenge because the health care sector is, is so multifaceted. You have huge conglomerates and organizations that have, they might have the resources to secure their systems more than another player, but they also have very large attack surfaces. And they often outsource it to these companies
you've never heard of until you're getting that note in the mail saying, hey, you've been, you've been paying. I mean, health care is a, health care is a super
interesting issue, right, because as, as, as Kyle said, right, you've got it, you've got a lot of, you know, a lot of resource rich organizations that have a larger attack surface and then you've got a lot of the, you know, target rich cyber poor, you know, local health delivery, rural health delivery organizations that just don't have the knowledge or the resources to, to effectively protect themselves from, from cybersecurity attacks. And so, you know, in a lot of ways you could look at that whole community of rural critical infrastructure owners and operators, right? Water, health care, you know, being probably the top two that you're looking at and saying, hey, what do we need to do from a policy perspective in order to give those, those target rich cyber poor asset owners and operators more resources, more expertise, more capability? If, if it is indeed as, as I think most of us believe to be a significant cybersecurity risk to, to.
Our country, you know, you open up another line of questioning and that's sort of around state, local, tribal, territorial. They assume the same risk that everyone else does, but not necessarily the same tools, resources and capabilities to address it. Let's jump into what some of these policy shifts could mean. And I'm very aware of the SLCGP funding, state, local funding, cybersecurity grant program potentially in jeopardy kind of going forward. I think some states have used it very well and for transparency. The state of Alabama and Auburn has supported some of their work around that. But, but thoughts around that. Well,
the state and local cyber grant program has affected impact far, far beyond the Beltway, right? It is, it is really being used in almost every state. I think all but maybe two. But importantly, one of the two states that rejected this funding was South Dakota when the current Secretary of Homeland Security was governor of South Dakota. And she did criticize that program quite heavily at the time. Now she did then divert some of her state's resources to cyber and has since done a lot for South Dakota in terms of academic partnerships, private public partnerships, with the Department of Defense. I expect that she'll do that in office as well. But the fate of the state and local cyber grant program is hugely important to the federal government's partners at different levels of government. I think it gets to a bigger, I think, in a lot
of ways, strategic issue, too, in that you have to look at leaders, whether they're cabinet secretaries or governors or homeland security advisors in states, and understand. I think we need to figure out how to better understand how to. How to make them acutely aware of the problems they face, the challenges that they can and can't address, and what the tools are to address them. I had a conversation with Dave Pekoske, the now former TSA leader, a couple years ago, because we were working on something to try and convince US Department of Agriculture leadership to invest more in cybersecurity. And so I was talking to Dave and I was like, look, you have gone through a big, you know, with the Colonial Pipeline cyber attack. You know, you've gone through a big, you know, a big, you know, inflection point at GSA. And, you know, what can we learn from your experience in order to help other, you know, senior government officials at the state, national, local level kind of get in front of this. And he's like, look, you can't do anything. Every person like me has a thousand things to do every day, and only when something outside of the normal list of high priorities pops up to the top do you actually address it. And therefore, it's probably unrealistic to expect the Secretary of Agriculture to focus on cybersecurity until something happens in the food supply chain. And, you know, obviously, I didn't want to hear that answer.
Yeah, it's a little defeatist. And it's a little defeatist, but, you know, but it
probably has a good amount of wisdom attached to it. So I think, you know, the state and local grant programs and everything like that probably have some amount of need for us to do better strategically to help understand what should we expect from our leaders to address issues that aren't necessarily directly in the spotlight of their agency or department wheelhouse. Because what we're doing now probably isn't enough. Right, right. To really move the needle enough. That's an interesting challenge. And clarifying not only general
roles, missions, but accountability. That's the way you drive change. Right. You hold someone account. And. And that's still sort of a shared set of issues. I get it. But I think that can lead to some. Some positive change there. You know, what do we think? And Granted, we don't have crystal balls in front of us. And I like to say the, the best way to predict the future is to shape it. But what do we think we're going to see vis a vis CISA? I think it's clear we're going and Cybersecurity and Infrastructure Security Agency. I think it's very clear we're going to see a refocus, a sharper focus in terms of what it does and does not do. And there have already been some developments around that. But I'd be curious what we're thinking there. You know, it's funny, when the Biden administration came
in and folks were saying, hey, what's the Biden administration going to do? I was like, don't be surprised if they don't introduce the, you know, CISA Modernization and Improvement Act of what, 2020, right. In order to, whatever years, in order to take the, the, you know, Trump implemented version of CISA and sharpen it, right. To be more, more, you know, Biden oriented. And obviously that never happened. Right. CISA was just allowed to continue doing what it's doing. And, and now I think we are at a similar point where once CISA has leadership in place and once that, once DHS has all of its political, political leadership in place, I think that one might be able to see, you know, Secretary Noem's, you know, confirmation hearing talking points get a little sharper on. Okay, we're going to, you know, we are going to have CISA focus on its knitting. Right. And so what exactly that looks like, I think now we have an opportunity to shape both from a kind of, from a stakeholder perspective as well as from a congressional perspective as well as from an executive branch perspective. And, and it'll be interesting to see if people wind up availing themselves of that opportunity as they seem to be messaging they may well do. So I think that, you know, the big part of the question winds up being, you know, CISA will, will also be affected by the appropriations process big time. Right. And what that budget request looks like for, for the next fiscal year, you know, how we get through the current continuing resolution and then what, you know, the structure of the organization looks like.
So you've got three which will require congressional action too, right? That's right. Yeah. So
you've got three motions potentially over the next 12 to 18 months on, you know, on, on reshaping CISA and, you know, at least two of those will involve appropriations. And so getting back to the earlier, earlier comment. Right. Appropriations will really drive how, how CISA gets shaped going forward. But we also, again, have an opportunity for the Trump administration to put a bill out there to do something. And what's kind of
interesting, and I think most of our viewers and listeners are unaware, is a lot of the CISA funding is 050 money. It's, it's defense, national security spending. Used to be the NDAA was the safe vehicle. I'm not sure anymore. But I'd be curious on CISA and anything you want to talk NDAA. I, I think with, with CISA there,
there's obviously going to be some initial changes, you know, people leaving. I think you will definitely see a refocusing away from things like disinformation and misinformation. I think that's,
that's, that's already gone. Right. Same with a lot of election security work and a
refocusing onto some of the more core cybersecurity, cybersecurity of critical infrastructure principles. And to be honest, I think there, there are a lot of people, especially on Capitol Hill on the Republican side, that would welcome that. And I think too, somewhat to Andrew's point, the issues are so evergreen and the threat landscape is so severe that I have to assume it will still remain the core mission of the agency will still have to be at least prioritized to some degree. And I want to underscore that
because again, we don't do politics here. But at the end of the day, it's not throwing babies out with bath. The core mission is so critical to our national and economic security that, and I'm confident that will be recognized. But, you know, one
thing that we've talked about, Frank, is, is, you know, CISA has a lot of important work to do to the point that Kyle just mentioned. Right on critical infrastructure. Right. It is the sector risk management agency for eight critical infrastructures. I don't think, I don't think anyone would, would give CISA, you know, gold stars for its work in all of those eight critical infrastructures and its role as the national coordinator of all of the critical infrastructures. And so, you know, as I think about, you know, looking at CISA going forward, I would hope that there would be additional attention paid to, you know, establishing baseline metrics on, you know, what is an effective sector risk management agency, you know, what are the different levels of maturity of sector risk management agencies and how do we, how do we decide, you know, who needs to be good, who needs to be better, and who needs to be best. And again, that gets to, we need to make sure we fund what we want. Right. If we, if we want great for all eight, we need to fund great for all eight. But we also have to agree what great is. And we've never really had that conversation. I mean, you're right. That was a big point in our report, our
transition study. You're absolutely right. I mean, ever since, you know, and you were involved
in all this stuff in the beginning, you know, in the Ridge years. And I don't think, I think a lot of the, a lot of the ideas were right, but we never really got to some of that. Okay, here's what we expect. No,
you're right. Right. And that's hard work. Right. I think that the other, the other
thing kind of underlying all this from my perspective is there really aren't that many easy cybersecurity issues left. Right. Almost all of them are. You mean that easy button
doesn't exist? Yeah, that doesn't exist. Right. Almost all of them are 5941 decision, 509411
issues. And you've just got to make a decision. Right. You've got to say, okay, if we're going to have a risk management oriented framework to make these decisions, here's where, you know, here's where I'm, here's where I'm going to, you know, put my chips and you know, in those instances, you're going to be wrong sometimes. But the issue is, is how you bounce back, how you bounce forward from being wrong, not that you are wrong. Right. Well said. Well said. Anything to add? Yeah, that's right.
Anything to add on that, Kyle, or. No, I'm going to leave it with what
Andrew said. Yeah, that was actually really, really well said. So I want to touch
on Salt Typhoon just because the implications and everyone thought that the telcos were the gold standard, maybe next to financial services, defense industrial base, and, and maybe they are still the gold standard, but that's not good enough. Do you see anything coming at a Salt Typhoon? I think you're going to see all sorts of agency activity. But legislatively, you think Capitol Hill is going to jump on this? I think at some
point you will see some action. I think a lot of members are still just frankly trying to understand the extent and severity of it, as what we know is
scary. What we know is terrifying. And the members that have come out of classified
briefings have come out extremely terrified. And so you did hear Vice Chair of Senate Intelligence, Senator Mark Warner. He did make some comments at the Munich Security Conference last week saying we need to be more aggressive at deterrence, deploying our own offensive cyber capabilities in China, as well as diplomatic pushback on China. And basically he was criticizing the government's response so far as not having been strong enough. And so I think that you will start to see more of a consensus around a deterrence approach and maybe even an offensive approach, which we need. Yeah, yeah. I mean, that's, that doesn't
answer all the, that doesn't answer the question, all the questions there. So, so I think you're right about that. Anything you want. I would just say, look, I mean,
I think, I think CISA is the sector coordinator, right. For communications and you know, has to do a good job, I think on this issue going forward of coordinating with the FCC, with NTIA and others in government to make sure that we have communications technologies, whatever those look like, whether they're traditional telecommunications companies or new communications technologies that are safe, effective and secure. And then we wind up getting into. I guess I'm a little skeptical on the issue of Salt Typhoon, because I think you then quickly get into conversations again, which I think, you know, you've been part of earlier in your career, Frank, on, on the role of encryption. And you had to bring
that up now. No, no, no. I think that's ripe for a new discussion idea.
I think that adds an interesting level of complexity to this issue because, you know, you've, you, we are communicating with new tools and more tools than ever before. And
the economic implications are so great. That's right. They really are. And they all operate
with different business models and in different spaces. And so, you know, I think we have to, as a, as a policy matter, decide, you know, is, is a communications technology. Communications technology. Communications technology. And if so, do we need to, to treat them all the same, demand from them the same and expect from them the same. And that's, that's, that's an interesting policy conversation that we really haven't had. And it's all
the, everyone is dependent upon communication telecommunications. So it does sort of like if you don't have power on the grid's down, it's a really bad day. And you know, the FCC outgoing chair was very vocal. Her parting shots were on this was on Salt Typhoon and the specificity and the sense of urgency to act around that. So I hope we'll see some activity there. I'm not sure it's more regulatory. I actually don't think it necessarily is, but it's not right. But there are a lot of other supply chain. Are we going to see anything there? I mean this is the evergreen issue that all of us have talked about in one way or another for many years. But to me it's getting harder and harder to separate cyber, AI, supply chain related issues. What are your thoughts there? And I think it's really hard. Right.
I think, I think it's because we don't have visibility yet to even know. We really don't. And, and it doesn't seem like anyone really knows with a good amount of specificity the problem they're trying to solve when it comes to supply chain and can articulate Beijing and Moscow. But that's okay. I mean I think, I look, I think that, that at its, at its. At its simplest level. Yes, right, it is. But then the question winds up being okay, what do you do about that? Right. What do you do about the fact that advanced pharmaceutical ingredients, we're reliant on China and therefore the supply chain for a lot of drugs goes through China. So what are we going to do about that from a strategic perspective? What are we going to do about all the critical minerals that go into all of our technologies here? You know, are we going to, are we going to invest in domestic manufacturing and domestic capability? You know, Rob Strayer. Yeah. As a, Rob's got a super interesting data driven project to try and understand what that market actually looks like. Right. Because we don't know what the market looks like. And you know, is there an ex-China market for critical minerals we'll get Rob on. Right. I didn't know. It's a, it's a fascinating idea. Right. And you know, if there is an example ex-China market for critical minerals. What does that look like? What does it look like? Exactly. And now, and now, you know, maybe we're throwing, maybe we're throwing Ukraine into that conversation. Right. And so what does that all look like? It's a, it's a fascinating problem.
And I kind of feel like, and this is not a knock on policy, but we're a little schizophrenic if you look at our own policies on TikTok, TikTok. One day it's this, the next day it's that. So I'm not sure that provides a whole lot of stability and thinking including of our adversary at the end of the day. China. No, I think that's right. I think that's exactly right. And,
and look, these are, these are, again, these are 59-41 issues. And if you're going to do something to even slightly change the calculus of global sourcers of products then you know, you have to do that understanding that's going to move markets and that you know that's going to affect consumer, that's going to affect consumers' pockets here in the United States. And you know, I think that, that people have gotten used to, you know, disposable clothes from Shein. From China. Right. And so what do we, how do we change the consumer's expectation on a lot of this stuff? Free market
principles and economic principles and what have you that's legit and fair and they are really hard. But there are certain technologies and sectors that are so critical and essential to our economy, national security, public health and safety that I think there's finding those and being discriminate about those not, not, not painting everything with the same brush. Yeah, please.
Right. I mean, and one thing I would add that underscores Andrew's point is there is one bill from Senator Cantwell and Senator Blackburn, bipartisan bill, Senator Cantwell of course being the ranking member of the Senate Commerce Committee that, that to Andrew's point is basically asking the question of the Department of Commerce together with creating an interagency tell us what the answers to these questions are because we know it's a problem. So the bill, if enacted it wouldn't actually do much other than hopefully help inform policymakers. What is it that we need to do? Yeah, I think. Well, quite honestly we
have so many darn lists anyway that there's no single list for this. I mean literally the very basics in terms of what companies could or could not or should or should not or. And everyone's got a different definition of what that is. Yeah.
And I think, I think supply chain the way, the way that if you can actually make progress on supply chain security. I think the way to do so again is similar to AI, Right. Identifying specific use cases, you know, as we've done with telecommunications equipment. Right. We've had a very definitive consistent policy on Huawei and ZTE for a while. For good reason. For good reason. Right. And so, so let's do that same level of, of intellectual work behind kind of what are our next two or three areas from a supply chain perspective to tackle and you know, and dedicate some, some, some time and energy to figuring out what those are. Go figure. A policy
purist actually get some empirically based data. There's truth to it. You do, you do. And one of the critiques I've had for so many years, agnostic to who's in office. We tend to always react and our strategy is based on we're giving the initiative to the adversary. We are always responding to something that's not a way to get ahead, that's a way to batten down the hatches on what you just saw.
I think that's right. And we're dealing with thinking predators here. We're not dealing with
static but a dynamic adversary. And I don't want to see that instrument, that approach, and I didn't mean to be pejorative. I agree with your approach 100%. We also
can't allow analysis to paralyze us. Right. I think we've got to, we've got to decide that we're going to do something about this. Right. And we've got to decide quickly where we want to focus our time and energy to addressing supply chain risk and tackle it head on. We're near the end of our time and I'd be
curious. We'll start. Whoever wants to jump in. What questions didn't I ask that I should have? Kyle, you want to actually take first bite at the apple? I would
say just asking what else we see Congress focusing on this, this year aside from legislation reacting well? Yeah, they're great at that, aside from just regulatory action or legislative action. And for that I would say I think you're going to see a lot of oversight hearings in terms of, you know, emerging tech, quantum, AI as we already talked about. And a lot of it's going to be in the form of these working groups. You'll have subcommittee hearings, oversight hearings at the full committee level. And that, that it can, can sound like lawmakers just droning on and on, but at the same time it is at the end of the day, hopefully informing, sound policymaking at the end of the day. And, and you will see, you will see, I think a lot of interesting conversations around things like semiconductors like quantum and the quantum safe Challenge and things like that. We've seen those issues percolating up. You mentioned NDAA. There was a number of provisions relative to both of those things. The only way you
got cyber action. And I think that's still true. And you'll see even more of
a focus this time around. I'm going to foot stomp that. Right. Because I think
that good, dedicated oversight work in congressional committees is absolutely essential to effective policymaking. I mean, that's how we met each other, right. Kyle and I met when he was working in House Homeland on the Transportation Security Subcommittee and we were working on some TSA issues together. And I mean the work that we wound up doing together I think probably crossed over two Congresses and led to some changes in the way that TSA acquired transportation security technology. Right. And I think that far too often we tend to gloss over stuff like that, but there is no substitute for really good oversight work. And there's a lot of oversight work that I think congressional committees in the cybersecurity space could do in order to help advance the state of cybersecurity policy in the United States. And it's just a matter of being able to take a breath and say, hey, I know we've got another cybersecurity breach, another incident, another attack today, but we actually need to focus on, at our core, what do we want to be able to say? We're going to do really well as a country when it comes to cybersecurity policy. I think that would be an extraordinarily interesting and important thing to do. Another interesting thing that, that we didn't get a chance to talk about is, you know, we have an outgoing senator and Senator Peters who has done a lot of work on cybersecurity over the course of his career from an industrial state where, you know, where industrial cybersecurity has been a big issue for him. And so, you know, it'll be interesting to see kind of what he does over the next two years. And as he is departing Congress in an area where he has spent a lot of time and energy, how can he advance some of his policy priorities as he, as he, as he exits stage left? Andrew, I
want to build on one point and bring us back to where we started. And it really is about having some of the leadership. And it's hard because you don't get points on the board for being the cyber leader. Right. Unless it impacts your jurisdiction and particular sets of issues that we do need to recognize the women and men who are actually advancing these issues, and hopefully we have more of them. And hopefully they're informed by two thoughtful people like you. And just wanted to say thank you for spending some time with us today, and hopefully we'll see some action in the year ahead. That's fun. Thank you both. Thank you very much. Thanks for having
me. Thank you. Take care. Thank you for joining us for this episode of Cyber
Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.