On Tuesday, May 24, 2016, the U.S. House Committee on Homeland Security (the “Committee”) held a hearing titled “Enhancing Preparedness and Response Capabilities to Address Cyber Threats.” The hearing was convened jointly by the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee and the Emergency Preparedness, Response, and Communications Subcommittee (the “EPRC Subcommittee”). The goal of the hearing was to determine the states’ cybersecurity capabilities, current best practices, and needs, as well as to examine how the federal government can assist the states.
Representative Dan Donovan (R-NY), Chairman of the EPRC Subcommittee, noted that the impetus for the hearing was the release of a FEMA National Preparedness Report that, for the fourth year in a row, indicated that states report cybersecurity as their lowest core capability. The Committee heard testimony from representatives from four states and agencies (California, Connecticut, New York, and the Port Authority of New York and New Jersey), as well as from the non-profit Center for Internet Security.
The hearing focused not only on the threat of hacking and breaches of computer systems and databases, but also threats to infrastructure and issues of disaster preparedness. The witnesses emphasized that cybersecurity threats are diverse and continually evolving, and they identified a number of current issues, including the growing presence of “Internet of Things” devices and increasingly complex mobile devices, along with the ever-present threat of access to or release of personally identifiable information. Through questions, Committee members specifically identified the financial and petrochemical industries as areas of interest.
The common theme running throughout the testimony and the questioning was the need for more and better information sharing and coordination, both between the public and private sectors, and within and between the different agencies. Witnesses identified several parallels to the reforms of the intelligence infrastructure that followed the 9/11 terrorist attacks and suggested that the cybersecurity community should model itself in this way. The witnesses welcomed involvement by, and information sharing with, members of industry as an important part of preparing for and responding to cyber threats. In responses to questions, the witnesses also faulted the technology industry, noting that it needs to do a much better job of creating software and hardware that was hardened “out of the box”, especially in products sold to the general public.
The witnesses at the hearing also identified the shortage in the workforce of qualified professionals as a major issue in cybersecurity preparation. Beyond such professionals, witnesses testified that the nation as a whole needs better knowledge and awareness of cybersecurity risks. Witnesses recommended starting training in technology and security issues as early as K-12 education, and cited a few programs throughout the country, but also noted that industry members could do a better job of publicizing risks and educating their customers, along with providing more training to their own employees.
Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com.
