To better protect the nation's critical digital infrastructure, lawmakers must enact policies to address a shortage of trained cybersecurity professionals, a panel of experts warned at a joint House subcommittee hearing on Tuesday.
Stressing the urgency of the threats, witnesses from industry and academia told members of the Committee on Science, Space and Technology's research and technology subcommittees that cybersecurity, as a profession, is hobbled by scant funding for research and development and education.
"I do not have to tell you that we are under attack in cyberspace. Those of us in the field of security have known about it for some time now, but now the problem has broadened and deepened in scope," said Frederick Chang, president and COO of the data-analytics firm 21CT.
"The field of cybersecurity is too reactive and after the fact. We wait for something bad to happen, and then we respond. We lack the fundamental scientific understanding of causes, of solutions, of countermeasures. Science uses words like 'evidence,' 'metrics,' 'repeatability,' 'predictability.' In cybersecurity, these words are not used often enough," Chang added. "Indeed, when it comes to predictability, about the only thing we can predict with a high degree of confidence is that a determined hacker will be able to compromise the target system."
Tuesday's hearing comes at the beginning of the new congressional session when lawmakers are once again working to build support for legislation to bolster defenses against digital attacks on critical infrastructure operated by the government and private sector.
Lawmakers and witnesses both expressed support for one such bill, the Cybersecurity Enhancement Act, which passed the House in 2010 but did not clear the Senate. The authors of that measure, Reps. Michael McCaul (R-Texas) and Dan Lipinski (D-Ill.), are trying again in the 113th Congress. That legislation includes provisions to establish cybersecurity grant programs, improve coordination among federal agencies and develop cybersecurity scholarships at the National Science Foundation.
Whether the Cybersecurity Enhancement Act progresses as a standalone bill or as part of a more comprehensive package, McCaul is hopeful that new cybersecurity standards, after years of debate, will become law in short order.
"I do believe this is the Congress when we will get cybersecurity legislation passed through the House, the Senate and signed by the White House," he said. "Whether it's criminal, whether it's espionage, whether it's cyberwarfare, we can't afford to wait any longer."
But in the absence of congressional action, President Obama earlier this month issued an executive order directing federal departments and agencies to develop a system for reporting cyberattacks, expand coordination with the private sector and take other measures.
That executive order, limited in scope by the bounds of presidential authority, was not designed as a substitute for cybersecurity legislation, which as a general matter enjoys strong bipartisan support.