By Rep. Barbara Comstock (R-VA-10)
The United States is under attack. Every day cyber criminals, “hacktivists,” and state-sponsored cyber terrorists are attempting to gain access to the valuable and sensitive information of Americans, American companies, and the government. This is a 21st Century war, and one of the greatest challenges our country faces today.
Last year, more than 178 million records on Americans were exposed in cyberattacks. The breach of the Office of Personnel Management alone exposed the personal information of more than 21 million Americans. The attack hit close to home in more ways than one, as I was one of the millions of current and former federal employees who had their personal information compromised.
The OPM breach highlighted how vulnerable our nation’s most sensitive systems and information are to attack. It also made it clear that the time has come for every manager and every employee in both government and the private sector to make cybersecurity a top priority in their daily work, and for leaders to be held accountable for negligent failures to protect information.
It is my privilege to be in a position to help find solutions to this challenge as chair of the Research & Technology Subcommittee of the House Science, Space, and Technology Committee and to serve in a district where so many of my constituents are the talented people who work on cyber issues, from such firms as Northrop Grumman and MITRE Corporation to start-ups like PhishMe and dozens more large and small businesses that are on the cutting edge of this essential 21st Century industry. Since I became chair of the subcommittee last year, we have held five hearings on cybersecurity with some of the foremost cyber experts in the private sector, academia and the government.
With the input of these innovative cyber experts, I believe that there are some key steps we can take to improve cybersecurity across the private and public sectors:
- There must be a healthy partnership between the public and private sectors to share information and best practices;
- A focus on “cyber hygiene,” which is day-to-day maintenance and monitoring of devices and IT systems using widely accepted cybersecurity best practices;
- We should not only focus resources on defending against cyberattacks but must also bolster our ability to detect vulnerabilities and limit the damage of a breach;
- We must continue to upgrade cybersecurity forensics so that we may quickly identify the perpetrators of these attacks and successfully prosecute them;
- More research and development is needed on new technology for preventing and responding to cyberattacks, particularly in identity authentication;
- We must do more to educate and train a cybersecurity workforce, as demand for professionals is expected to rise to 6 million by 2019, with a projected shortfall of 1.5 million; and
- Leaders in government and the private sector must create a culture that ensures everyone considers cybersecurity a high priority.
There are some great examples of companies and organizations implementing new cybersecurity practices that can be a guide for best practices. John Wood, the CEO of Telos Corporation, an Ashburn-based cybersecurity company, who also serves on the Commonwealth of Virginia Cyber Security Commission, recently testified before my subcommittee on the steps his company takes to prevent cyber intrusions and promote security. John also testified that, “these practices must be embraced in the boardroom and by management so that a culture of cybersecurity is created throughout the organization.” Telos is also working towards building a future cybersecurity workforce in Loudoun County, including a five-year partnership with George Washington University’s Science and Technology Campus in Loudoun as well as a partnership with the Wolf Trap Foundation for the Performing Arts to implement 63 STEM Classroom Residency Sessions in schools throughout the county to promote STEM careers at the K-12 level.
Other examples include: Visa Corporation, which recently opened a Cyber Fusion Center in Ashburn that will bring together all of their global cyber defense teams into a new, state-of-the-art facility for rapid detection of new threats and information sharing with private and government partners; and Symantec, which has also launched a Cyber Career Connection program, partnering with nonprofit organizations to educate and train underserved populations to become cybersecurity professionals, including a program in the National Capital Region to train military veterans for careers in cybersecurity.
The Federal government lags behind the private sector in cybersecurity. Last year, audits revealed that 19 of 24 major federal agencies failed to meet the basic cybersecurity standards mandated by law—OPM still does not even have a complete inventory of servers, databases and network devices in its system. I will continue to push for making sure that if federal officials neglect their duties, or are not the right people for the job, they are held accountable so that proper leadership is in place to not just meet, but anticipate and beat the next cyber threat.
I will continue to support policies in Congress that unleash technological innovation, foster healthy public-private partnerships, and build a stronger national security apparatus. Cybersecurity must be a top priority in every government agency from the top Cabinet official on down. We need an aggressive, nimble, and flexible strategy to anticipate and stop cyberattacks to meet the challenges of the 21st Century.