With the Colonial Pipeline ransomware attack adding to the count of high-profile cyberattacks to make news in the past six months, members of Congress focused in on how the United States can deter such attacks, as well as how to attract talent to the cyber workforce, at a May 14 House Armed Services subcommittee hearing.
On hand to answer questions from subcommittee members during today’s public hearing were Gen. Paul Nakasone, head of U.S. Cyber Command and the National Security Agency, and Mieke Eoyang, deputy assistant secretary of Defense for cyber policy. The subcommittee also planned a closed-door hearing for later in the day.
“Three major incidents over the past six months demonstrate the importance of cybersecurity to our nation,” Nakasone said in his opening statement. “Well-resourced and sophisticated adversaries are exploiting gaps in the nation’s ability to monitor U.S. cyberspace infrastructure while conducting operations from within the boundaries of the United States.”
“The Colonial Pipeline ransomware attack also demonstrated a growing trend of companies and even government agencies being held hostage by malicious cyber actors,” Nakasone continued. “These cases demonstrate the broadening scope, scale, and sophistication employed by some adversaries. The United States government in tandem with industry partners must improve its defensive posture to prevent and or minimize the impacts.”
Members of the subcommittee asked Nakasone how the nation should go about deterring such attacks, and Nakasone replied that deterrence is not always about imposing direct costs.
“When we see elements that are operating [outside the United States], how do we try to impose the largest cost possible,” Nakasone offered. “Whether or not that’s through being able to expose them, whether or not that’s being able to share the information with a series of partners that we have, or whether or not when authorized to conduct operations against them,” he listed as possible options.
The subcommittee also questioned Nakasone and Eoyang on the best ways to attract and maintain talent in the cyber workforce. Both mentioned that there has been progress on that front, noting that the cyber excepted service program has helped Cyber Command to recruit talent.
“Building a strong and vibrant cyber workforce is certainly a priority and we’ve been working with our colleagues in personnel and readiness to try and improve that,” Eoyang said.
Nakasone also noted that Cyber Command has dramatically cut the amount of time it takes to go through the hiring process – reducing it by half in some cases.
“I’m a huge supporter of cyber excepted service,” Nakasone said. “What we’re seeing in that it is an avenue for us to be able to go to recruiting fairs and offer final job opportunities and opportunities for young people to come and consider a career with U.S. Cyber Command.”
“The other element is that I think it takes into account that we have to hire differently,” Nakasone added. “And so we’re seeing a dramatic drop in the number of processing days for those that are hired under cyber excepted service. Let me give you an example – traditionally it’s taken about 110 days to bring someone into our civilian workforce [and] under cyber excepted service we’re seeing that dropped to two somewhere in the 60-day range.”