At Committee Hearing, Portman Highlights Importance of Building a Robust Cyber Workforce and Passing Bipartisan Cybersecurity Legislation

February 11, 2020 | Press Releases

WASHINGTON, DC - Today, at the Senate Homeland Security and Governmental Affairs Committee hearing, U.S. Senator Rob Portman (R-OH) questioned Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, on what more Congress can do to ensure the cybersecurity division of DHS has the resources and personnel it needs to protect against cyberattacks at the federal, state, and local level.

Senator Portman has led efforts to address state and local cybersecurity threats as a member of the bipartisan Senate Cybersecurity Caucus. The Department of Homeland Security (DHS) Cyber Hunt and Incident Response Teams Act, bipartisan legislation introduced by Senators Portman and Hassan to bolster cybersecurity in the public and private sectors, was signed into law as part of the final FY 2020 budget agreement last year. Senators Portman and Hassan’s bipartisan Hack Department of Homeland Security (DHS) Act and Public-Private Cybersecurity Cooperation Act were included in a package of bills that was signed into law in 2018.

Excerpts of his questioning can be found below and a video can be found here:

Portman: “Thanks for having the hearing, this is really important and timely given what’s happening. I saw the two GAO reports. It sounds like you feel as though you’ve now done what you need to do in terms of the election security recommendations they had in their report. Is that correct?”

Mr. Christopher Krebs, Director of Cybersecurity and Infrastructure Security Agency at DHS: “Yes sir, we released our strategic plan on Friday and if you take a look at it, by the way, it’s a pretty clean, polished document. This is not something I just rushed out. It was ready to go, this is the plan we’ve been operating against since next February so we have a very clear understanding internal to CISA and with our partners about what we’re trying to accomplish and we have had so for a year.”

Portman: “Alright, in terms of what you’ve talked about today, earlier you talked about some of the authorities you might be looking for. One that’s out there already, as legislation, is to codify or formalize the relationship between you and the State Information Sharing and Analysis Center, the MS-ISAC we’ve been talking about. That’s 1846, it’s passed the Senate already, I assume you’d like to see that get passed. Second is this legislation the chairman just talked about to give you the subpoena power to be able to go to the internet service providers, very important. On the state coordinator bill, are you openly supporting that, is the administration supporting that? You have said you want to push more expertise down to the state and local level and you’d like to have somebody in every state capitol.”

Mr. Krebs: “Yes sir, that is definitely a capability that we can benefit from. Additional resources out in the field, yes sir.”

Portman: “Again that’s one that’s working through the system. I want to talk for a second about hiring authorities. That’s one that we haven’t gotten into much today. Actually I’m sitting next to Tom Carper who worked on this way back in the 2014 time period. We did pass legislation to help to provide you with additional hiring authority. Excepted Hiring Authority, as it was called. My sense is that’s still not enough, that you are still having a difficult time attracting to the government the kind of cybersecurity expertise that you need. By the way, the same is true in the private sector. What more can we do there? What more can we give you in terms of authorities to be able to ensure you have the right people in place at the right time to respond to these increasing cyber-attacks?”

Mr. Krebs: “So, I think stepping back a little bit. First off, whether it’s the Boots on the Ground Act or the ability to direct-hire authority for certain positions, I think that those are paving the way for us to be more successful. I think we have some internal housekeeping to do in terms of the process from left to right. The entire hiring process, we’ve got some internal roadblocks that we’re working through right now that I’m confident in the next six months we’ll be able to make significant progress.”

Portman: “Let me just say on that for a second, and I agree with you and I’m glad to hear you say that. We passed this in 2014, excepted service it’s now, you know, five years later and no hires have been made.”

Mr. Krebs: “That is the cyber talent and management system.”

Portman: “Well why does it take five years?”

Mr. Krebs: “So that’s the Department of Homeland Security’s management office that’s taking point on that. My understanding is by fourth quarter this year they will be fully hiring against those billets. It is a reimagining of the civil service and so it is not an overnight process and it took, I believe, some rulemaking and other aspects to get it to where it needed to be. But we are not waiting for that. We do have direct-hire authority, plus we have retention incentives up to 25 percent for employees, similar to what some of the intelligence community and Department of Defense may have as well. So we’re taking full advantage of that and we have seen our attrition rate go down over the last year or so, so we are excited by that. But I’ve got to build up that base, so we are working with partners through the Scholarship for Service, through the Cyber Talent Initiative, where we can have the private sector play a role here. One of the things I’m really excited about is where the private sector can play a role - again this is the Cyber Talent Initiative - where they can provide tuition assistance to students coming out of college as long as they serve two-plus years or so in the federal government and then they’ll have the opportunity to go out in the private sector. For me, that’s a good thing. So if I get somebody in and have them for two to four years and then they spin out into the private sector, that’s not bad. That’s good. That means I’ve been able to train people up, I now have an alumni network out in the private sector. I don’t - I’m a small agency, I’m a young agency, not like the FBI - big and old. Not old, they’ve just been around longer than us. Not old, been around longer. They have an alumni network, I do not. I’ve got to be able to build this up so when somebody goes out to the private sector, they know how to work with us, they know what we can do. They know how to work with us so I’m really excited about some of these things that are coming down the pipe.”

Portman: “And you have the authority to be able to do that loan forgiveness on the student debt?”

Mr. Krebs: “We also have tuition assistance capability but that’s a different - the Cyber Talent Initiative is a different program where the private sector takes over that piece - but I think this is the cybersecurity workforce and I think it’s been built, the gap has been built up a little bit, but this is truly one of those shared responsibilities where the private sector is going to benefit from supporting the federal government training the first four years of someone’s career, giving them the appropriate training and then spitting them out. I think it’s a win-win for everybody.”

Portman: “Well good. On the directorate DHS management perspective...I understand they’re directing this effort to be able to use these cybersecurity excepted service authorities and I hope you’ll push them on that. And you say fourth quarter, I mean it’s been five years and here we are. We’ve worked through the rulemaking so I just hope that can happen soon.”

...

“I’ll just say one final point. You know, we have been talking a lot today about how to identify problems up front and you’ve talked about some additional authorities you can use to do that, we’ve talked about that today, and I think this committee has been responsive to that and I think we’ll be responsive to the ever-evolving threat out there, but you mentioned Equifax. I mean it’s a great example. We worked with them, again in our Permanent Subcommittee on Investigations, we looked at what happened and you know, why were they allowing these breaches to take place which affected so many millions of Americans, but now we see it also affected our national security in very fundamental ways. What we found was they failed to remediate vulnerabilities in a timely fashion. They operated outdated legacy systems - I’m looking at our state partners here, some of whom have outdated legacy systems. Not saying that Michigan would or any other particular state, like Texas. And they didn’t have a complete list of applications running on their networks. So I think being proactive, being able to identify these problems up front, can save just an enormous amount of cost and hassle for individuals in terms of the consumers and also, as we’ve seen here, even our national security can be directly affected. So we want to help you in that and you got to help us to provide you the authorities you need to be able to be proactive.”       