As a co-founder of the Congressional Cybersecurity Caucus, Rep. Jim Langevin has helped shaped the policy debate on Capitol Hill on issues ranging from federal bug bounty programs to information sharing. The Rhode Island Democrat talks about what galvanized his interest in cybersecurity and his hopes for bipartisanship on the issue, among other topics.
CyberScoop: What sparked your sustained focus on cybersecurity?
Rep. Jim Langevin: A lot changed for me the day a couple of scientists from Idaho National Lab came and gave me a briefing on the Aurora threat [in 2007].
In the SCIF, we saw the video of the generator blowing itself up. They described to me how it could be done. It’s, at first, hard to get your arms around, but then as they further explained, this could affect not only just one generator but several, and not only just one power generation facility, [but] potentially it could shut down a whole sector of the country’s electric grid as a result of a SCADA attack. And that was very alarming.
CS: That was 2007. More than 10 years later, we hear the word “cyber” more on Capitol Hill, for better or for worse. How have your fellow lawmakers improved in paying attention to and talking about cybersecurity, and how do they still need to get better?
JL: Members of Congress have become more aware of the problem in the same way that the American people have become more aware of the problem, in many cases because of the high-profile cyber-intrusions or events that have occurred.
We’ve been at this for a long time. I’d love to say that it is because of the work that I did, or that we did together, to raise awareness. That was a part of it, of course, but unfortunately, most of it is because of the large number of cyber-intrusions and threats that the country has faced, the personal and private information that’s been stolen and compromised, the theft of intellectual property, and the list goes on and on.
CS: Do you find yourself being an educator with fellow lawmakers on cybersecurity? Do other members heed the advice of colleagues who have been paying attention to the subject longer?
There are different times that a bill that I have sponsored or co-sponsored, and it’s come up for a vote, that I have members say they voted for the measure because they have a lot of respect for me on this topic and they know that I spend a lot of time on this issue.
Each member of Congress specializes in a different topic. We’re not all experts on every topic. Certain people are go-to people on any range of issues, and cyber happens to be something that I spend a lot of time on.
CS: Have we had a galvanizing moment that generates widespread momentum to drive better cybersecurity policy — the proverbial “Cyber 9/11,” to use a tortured metaphor? Was the 2016 election that moment?
JL: It was a moment, and certainly one of those things that has gotten people’s attention. But it wasn’t a Cyber 9/11, per se. I am still worried about that type of event occurring. It’s still possible, even though it may be remote at this point. It’s still a possibility. … It’s one of those things that keeps me up late at night — you wonder when or if that date will ever come. It’s probably more of a “when” not “if.”
I’ve often said that you will never have modern warfare again without some type of a cyber component to it.
The United States continues to get better at being better organized and defended against a Cyber 9/11. But you can never say never, that it won’t happen. But between the work that the Department of Homeland Security is doing, the work that U.S. Cyber Command is doing, [and] NSA, we have nation-state capabilities to defend the country. But there’s still more work to do. Remember, most of critical infrastructure is still in private hands and we haven’t completely figured that piece out yet as to how we [might] adequately defend the country if there were a Cyber 9/11.
CS: Cybersecurity has often been described as a bipartisan issue. But with all of the politicization of the aftermath of Russian hacking and information operations during the 2016 election, is cybersecurity still a bipartisan issue in 2018?
JL: I believe it is. … Some make it a partisan issue, but I don’t see it that way. Case in point: I have a bipartisan election security bill, the Paper Act, with Congressman Mark Meadows [a Republican from North Carolina].
We both see this as an American issue — not a Democrat or Republican issue, it’s an American issue – that we need to do a better job with, securing our elections infrastructure.
CS: Congress has recently moved to set up bug bounty and vulnerability disclosure programs at multiple federal agencies. What have you learned from talking to experts on what works in setting up these types of programs at agencies?
JL: What I’ve learned over the years in working on the cybersecurity issue and [from] meeting with cybersecurity researchers is that they want to help … they want to help make the internet more secure and function the way it’s intended to.
Bug bounty programs are a great way to leverage that private sector talent, as we saw with the Pentagon’s bug bounty program. It was set up the right way. You get trusted researchers who want to do the right thing, provide them a vehicle where they can lend their talents, I think [it] is a good model. I’d like to see other government departments and agencies do a similar bug bounty program.
We also need to have a vulnerability disclosure program at each of the departments and agencies so that when cybersecurity researchers do find a vulnerability they’ve got somebody they can report it to – and they know that it’s going to be acted upon.