Eric Swalwell Presses Cybersecurity Experts On Reforming US Cyber Security Clearance Process

Forbes Breaking News

During a House Homeland Security Committee hearing prior to the congressional recess, Rep. Eric Swalwell (D-CA) spoke about the need to reform the cybersecurity clearance issuance process in the United States.

Transcript

00:00I second that thought, so that's great. I now recognize the

00:05ranking member, the gentleman from California, Mr. Swalwell, for five minutes of questions.

00:08Thank you. And to follow what Ms. Rinaldo was saying about JCDC, Ms. Keene, can you discuss how

00:18JCDC facilitates information sharing? And to Ms. Rinaldo's point, how important is it for CISA

00:252015 to be effective that we have a mechanism like JCDC that facilitates cross-sector information

00:33sharing? I think how JCDC disseminates today and the critical importance of it, and to your point

00:39that it's a relatively new program, one of the things about it is it allows for rapid distribution

00:44when threat happens between industry and government, so that we have, in essence, a real-time

00:49channel of things that are going on. From an industry perspective, it's really important

00:55that we even broaden the scope of it to work closer with the ISACs and to think about

00:59how we can distribute not just to, you know, the top level of industry, but actually pull it down.

01:04From a JCDC perspective, I think it's one of the best things we've seen come out of so far,

01:10and it's still evolving. But that ability to have information sharing without repercussion,

01:15I think, is one of the areas that we really need to focus on. And so that's why, you know,

01:20looking at the, in essence, reauthorization of this act is so important, because we're just at the

01:25beginning of where JCDC could go. And as we start to think about, we've mentioned China, but, you know,

01:31if we think about the Chinese threats that have come in from Volt Typhoon, Salt Typhoon, Blacks Typhoon,

01:36Nylon Typhoon, there's a lot of typhoons right now, we're going to see, in essence, cross-pollination of

01:42those critical vulnerabilities exploits. And JCDC is going to be incredibly important to ensure we

01:47disseminate rapidly through that. And to Ms. Renaldo's point about security clearances,

01:53it's a frustration I share as well. You know, my district is high tech and biotech, two nuclear labs.

02:02And often I hear what Ms. Renaldo is saying, which is like, yeah, the CEO is cleared, but he's not

02:09the engineer, and he doesn't understand. One, his time is limited, or her time is limited.

02:15And two, like, he or she doesn't have the skill set to receive and understand the threat. But the

02:24problem on the government side is they're not really willing to clear that many individuals.

02:30And I just welcome your feedback on if you're seeing that, because I, if you remember like

02:34two years ago, it was like a 19 year old who was like caught leaking like Ukraine war plans. And it

02:40was like a military service member. And you're like, wait, we have a 19 year old,

02:43like basically the war plans for Ukraine. But we have like 20 year professionals who we could give

02:51like one day passes or more information to better protect critical infrastructure. And we're like

02:58cautious about that. So it just seems like we've got the priorities crosswise. But I'd welcome feedback

03:04from you, Ms. Keen on that.

03:06It's interesting. You know, I've been in cyber security for over 25 years. And some of the first

03:12attacks or hacks I dealt with were nation state level attacks going around the financial services

03:17network. If you can imagine, I was 23 years old walking rooms with Scotland Yard and looking at data

03:21center break ins. And then some of the first financial services attacks. I have never held security

03:27clearance in the United States. You know, been a risk executive of two fortune, you know, 25 companies. The

03:34reality is, is that we do need to reexamine how we look at clearance. But we also have to think about

03:38the fact that, you know, cyber security is to some degree and we talked about it a team sport. You

03:43know, I've known 15 year olds who've had, you know, inventions become state secrets and, you know,

03:47housed in the NSA. And I've known, you know, 90 year olds who still sit on boards and talk about

03:52cyber security. We need to make it that the reality of today's risk is that cyber risk is now business risk.

03:58And it's a question of how we look at protecting all the different areas companies look at risk from,

04:05from financial operational, you know, resilience perspective, everything. And so from a clearance

04:10perspective, it's getting the right individuals in an organization clear to ensure they understand,

04:15but also to make it more of a common language so we understand the impact risk has on our organizations.

04:19And, you know, just as Mr. Ogles said, like I welcome ideas, feedback. I'm a little hesitant to

04:27want to like amend this at all at this point at this late hour, risking that opening this up would

04:33not see it reauthorized. But I do agree that with Mr. Ogles that we need your feedback. And just because

04:41we reauthorize it, if we do it in a clean way, that doesn't mean we can't down the road, like even like

04:48right after reauthorization, have hearings and markups to make it even better. But avoiding a lapse

04:55is my priority. And it sounds like Ms. Keen, you agree. That would actually be my recommendation.

05:00I think that a reauthorization cleanly and then look at how we optimize and look at things down the road

05:05for a couple reasons. We're at the beginning of AI. We're still trying to figure out some things

05:09regarding, you know, different types of attacks. Like I said, we have malicious mistake and malfunction.

05:15And I think there's a way we can strengthen public-private on the back of it. But I would

05:19recommend a clean authorization. Great. Thank you.

Category

Transcript

Recommended