Sen. Ron Johnson, R-Wis., chairman of the Senate Homeland Security and Governmental Affairs Committee, led his committee today through a hearing aimed at finding “practical solutions” to a host of homeland security threats, but didn’t appear to land many easy or novel solutions.
Opening the committee’s hearing on “Evolving Threats to the Homeland,” Sen. Johnson told witnesses he was looking for practical solutions–“things we can actually do”–to blunt a diverse set of threats ranging from critical infrastructure cybersecurity, to solar radiation that could knock out the electrical grid, to dangers posed by drone aircraft.
Of those problems, he said, “we have admired this enough, we have studied this enough . . . but we have not come up with solutions.”
“If there is a law we have to pass [to address those threats] then pass that law,” he urged.
Sen. Claire McCaskill, D-Mo., the committee’s ranking member, said she was particularly concerned about supply chain security, specifically about its security implications for government and communications networks, and plugged a supply chain security bill that she introduced earlier this year that would create a Federal Acquisition Security Council to oversee creation of a government-wide strategy to address supply IT chain security and mitigate supply chain security threats from IT equipment and service purchases.
Kevin Mandia, chief executive officer at FireEye, Inc., told the committee that the U.S. was “uniquely more vulnerable” in cyberspace than other nations because of its higher dependence on network technology, higher private ownership of critical infrastructure, and free press that allows adversaries to more easily conduct “influence operations” on the American public.
Rather than facing a massive cyber attack all at once, he predicted the U.S. will instead engage in more enduring “trench warfare” in cyberspace that will be costly and could have damaging economic impacts. Some critical infrastructure sectors–like utilities and financial services–have prepared themselves to fare better in such conditions, he said, although he cautioned that smaller utilities in particular may always remain more vulnerable.
In the solutions arena, he suggested that the Federal government work to create even faster threat data sharing mechanisms, promote greater resilience in assets that may be attacked, take steps to strengthen supply chain security, and do more to hold perpetrators accountable. The U.S., he said, should also make greater diplomatic efforts to decrease the volume of attacks, as it was able to do with China in 2015.
Mandia also suggested that the Federal government participate in “fire drills” once or twice per year with private sector critical infrastructure owners to simulate large-scale attacks and test out responses to them. “We will learn a lot just by practicing,” he said.
Scott McBride, an infrastructure security manager at Idaho National Laboratory, warned of the potentially devastating impact of geomagnetic disturbance (GMD) and electromagnetic pulse (EMP) evens to the U.S. power grid, and said he believed that about $4 billion of investments in grid protections against those threats could save the U.S. “trillions” in costs should those threats–either from solar effects or man-made sources–ever come to pass.
But, McBride said, “nobody is in charge” of evaluating those kinds of threats. He said that while both the Department of Homeland Security and the Defense Department have appointed people to understand the threats, “nobody is taking responsibility” for further actions to mitigate them.
Speaking of the estimated $4 billion price tag to mitigate GMD and EMP threats, he said, “where we do it and how we do it” remain outstanding questions. But, he said, large-scale destruction of grid components from those threats would lead to countless deaths and would “be the socio-economic disaster that his country has never seen.”
Sen. Johnson said today’s hearing was “born out of my personal frustration” that Congress pays a lot of attention to cyber and other security issues but does not often take major steps to address the threats.
He said the committee is planning to have a similarly focused “full-fledged” hearing “in a couple weeks” with senior officials from the Department of Homeland Security and the Federal Bureau of Investigation.
