During a House Homeland Security Committee hearing prior to the congressional recess, Rep. Eric Swalwell (D-CA) spoke about the need to reform the cybersecurity clearance issuance process in the United States.
Category
🗞
NewsTranscript
00:00I second that thought, so that's great. I now recognize the
00:05ranking member, the gentleman from California, Mr. Swalwell, for five minutes of questions.
00:08Thank you. And to follow what Ms. Rinaldo was saying about JCDC, Ms. Keene, can you discuss how
00:18JCDC facilitates information sharing? And to Ms. Rinaldo's point, how important is it for CISA
00:252015 to be effective that we have a mechanism like JCDC that facilitates cross-sector information
00:33sharing? I think how JCDC disseminates today and the critical importance of it, and to your point
00:39that it's a relatively new program, one of the things about it is it allows for rapid distribution
00:44when threat happens between industry and government, so that we have, in essence, a real-time
00:49channel of things that are going on. From an industry perspective, it's really important
00:55that we even broaden the scope of it to work closer with the ISACs and to think about
00:59how we can distribute not just to, you know, the top level of industry, but actually pull it down.
01:04From a JCDC perspective, I think it's one of the best things we've seen come out of so far,
01:10and it's still evolving. But that ability to have information sharing without repercussion,
01:15I think, is one of the areas that we really need to focus on. And so that's why, you know,
01:20looking at the, in essence, reauthorization of this act is so important, because we're just at the
01:25beginning of where JCDC could go. And as we start to think about, we've mentioned China, but, you know,
01:31if we think about the Chinese threats that have come in from Volt Typhoon, Salt Typhoon, Blacks Typhoon,
01:36Nylon Typhoon, there's a lot of typhoons right now, we're going to see, in essence, cross-pollination of
01:42those critical vulnerabilities exploits. And JCDC is going to be incredibly important to ensure we
01:47disseminate rapidly through that. And to Ms. Renaldo's point about security clearances,
01:53it's a frustration I share as well. You know, my district is high tech and biotech, two nuclear labs.
02:02And often I hear what Ms. Renaldo is saying, which is like, yeah, the CEO is cleared, but he's not
02:09the engineer, and he doesn't understand. One, his time is limited, or her time is limited.
02:15And two, like, he or she doesn't have the skill set to receive and understand the threat. But the
02:24problem on the government side is they're not really willing to clear that many individuals.
02:30And I just welcome your feedback on if you're seeing that, because I, if you remember like
02:34two years ago, it was like a 19 year old who was like caught leaking like Ukraine war plans. And it
02:40was like a military service member. And you're like, wait, we have a 19 year old,
02:43like basically the war plans for Ukraine. But we have like 20 year professionals who we could give
02:51like one day passes or more information to better protect critical infrastructure. And we're like
02:58cautious about that. So it just seems like we've got the priorities crosswise. But I'd welcome feedback
03:04from you, Ms. Keen on that.
03:06It's interesting. You know, I've been in cyber security for over 25 years. And some of the first
03:12attacks or hacks I dealt with were nation state level attacks going around the financial services
03:17network. If you can imagine, I was 23 years old walking rooms with Scotland Yard and looking at data
03:21center break ins. And then some of the first financial services attacks. I have never held security
03:27clearance in the United States. You know, been a risk executive of two fortune, you know, 25 companies. The
03:34reality is, is that we do need to reexamine how we look at clearance. But we also have to think about
03:38the fact that, you know, cyber security is to some degree and we talked about it a team sport. You
03:43know, I've known 15 year olds who've had, you know, inventions become state secrets and, you know,
03:47housed in the NSA. And I've known, you know, 90 year olds who still sit on boards and talk about
03:52cyber security. We need to make it that the reality of today's risk is that cyber risk is now business risk.
03:58And it's a question of how we look at protecting all the different areas companies look at risk from,
04:05from financial operational, you know, resilience perspective, everything. And so from a clearance
04:10perspective, it's getting the right individuals in an organization clear to ensure they understand,
04:15but also to make it more of a common language so we understand the impact risk has on our organizations.
04:19And, you know, just as Mr. Ogles said, like I welcome ideas, feedback. I'm a little hesitant to
04:27want to like amend this at all at this point at this late hour, risking that opening this up would
04:33not see it reauthorized. But I do agree that with Mr. Ogles that we need your feedback. And just because
04:41we reauthorize it, if we do it in a clean way, that doesn't mean we can't down the road, like even like
04:48right after reauthorization, have hearings and markups to make it even better. But avoiding a lapse
04:55is my priority. And it sounds like Ms. Keen, you agree. That would actually be my recommendation.
05:00I think that a reauthorization cleanly and then look at how we optimize and look at things down the road
05:05for a couple reasons. We're at the beginning of AI. We're still trying to figure out some things
05:09regarding, you know, different types of attacks. Like I said, we have malicious mistake and malfunction.
05:15And I think there's a way we can strengthen public-private on the back of it. But I would
05:19recommend a clean authorization. Great. Thank you.