Lawmakers and expert witnesses discussed ways the U.S. can better ensure Federal software systems are protected against cyberattacks from hostile foreign nations like China during a House Oversight Cybersecurity, Information Technology, and Government Innovation Subcommittee hearing on Wednesday.
The panel of witnesses called for measures ranging from simple but important steps, such as culture change, to more complicated ones, such as cyber regulation harmonization.
Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School, explained that the U.S. is “in a constant, if low-level, state of conflict with adversaries in the cyber domain today,” including China and Russia.
“They have long-term, sustained access to almost every aspect of the U.S. government and the private sector, including our water supply, our electric supply, our banking system,” Jaffer said.
Because of this, Jaffer argued that the U.S. must work to address the issue now, starting with buying commercial software that is secure by design.
“The government can take action to strengthen its own systems,” Jaffer said. “It requires our government actors and our government procurers to be able to procure the leading edge of software technology.”
He continued, “As we think about how to better defend the nation’s cyber domain, that requires culture change within the executive branch and culture change within the executive branch’s overseers here in Congress.”
“Finally, the U.S. government cannot simply remain on the defensive if we’re going to really effectively address threats to our government and industry in the cyber domain,” Jaffer said. “We’ve got to go on the offensive – that requires taking the fight to the enemy.”
Roger Waldron, the president of the nonprofit Coalition for Government Procurement, argued that “unnecessarily burdensome” Federal requirements drive commercial cyber vendors out of the government market, which can leave systems at risk.
Waldron said that the government can better address this problem with more coordination.
“There are various pending rules and regulations, like FedRAMP, CMMC, NIST 800-171, SBOMs, proposed FAR cybersecurity clauses, Section 889, and the Federal Acquisition Security Council, all of which are in various stages of government review and/or public comment,” Waldron said.
“The government faces a challenge and an opportunity here to provide the needed harmonization of these rules and regulations to assure an efficient and consistently implemented cyber regime,” he added.
The White House kicked off its cybersecurity regulatory harmonization efforts this summer, aiming to create a framework that represents reciprocity of baseline cyber requirements that are aligned across all critical infrastructure sectors.
“Such consistency will assure that all stakeholders understand the rules of engagement in the government space and will be able to more easily adjust as those rules evolve to meet the challenges of a dynamic cyber and supply chain environment,” Waldron said.