Jim Langevin's view from the Hill

As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018
 

Few lawmakers in Congress today cover as much ground in cybersecurity policy as Rep. Jim Langevin (D-R.I.).

From his perch as chairman of the House Armed Services Committee and a member of the House Homeland Security Committee, Langevin has visibility and input into many of the most critical offensive and defensive issues confronting the U.S. government in cyberspace today. He's also co-founder of the Congressional Cybersecurity Caucus and a member of the U.S. Cyber Solarium Commission.

In a wide-ranging interview with FCW, he discussed his work shepherding the Department of Homeland Security through its evolution into the cybersecurity hub of the federal government, the jurisdictional logjams around information security policy in Congress, the burgeoning role of U.S. Cyber Command and his fight with the White House over the release of its new offensive cyber rulebook.

Stocking up CISA

November will mark the one-year anniversary of Congress passing the Cybersecurity and Infrastructure Security Agency Act, re-organization bill that elevated DHS' cyber bureau to an operational component while also providing a stamp of legitimacy to its claim as the federal government's premiere civilian cyber agency. Over the past year, CISA has accelerated its involvement in a host of core issues, such as securing election infrastructure, extending resources to states and critical infrastructure sectors and acting as a risk advisor to federal agencies and the private sector.

After receiving bipartisan praise for its work during the 2018 elections, the agency's portfolio has only grown, with officials staking out plans following the 2019 shutdown to increase engagement with state and local governments, wade into the national debate on 5G, develop new capabilities to mitigate ransomware attacks and other expansions of its mission. CISA Director Chris Krebs even argued that the agency was fulfilling many of the same "block and tackling" coordination between agencies previously conducted by the now-defunct White House Cyber Coordinator position.

Langevin supports these efforts and said he believes CISA is the right agency to lead them. Like many lawmakers, though, he doubts the agency has the money, personnel and authority to get the job done.

"I don't think they're appropriately resourced right now with cyber expertise within CISA," he said. "I think they're still too dependent on other departments and agencies -- thinking of U.S. Cyber Command -- for the skillset they need, and I think that needs to be developed in-house."

CISA is starved for talent and exploring a number of initiatives to augment its cybersecurity workforce. The agency has gone on a hiring spree since the reorganization and is revamping its hiring and compensation process to move away from a General Schedule pay scale that doesn't always translate well to the cybersecurity talent pool.

Langevin and others are eager to provide more funding and perhaps additional policy and budgetary authorities to help CISA protect the federal government, but he said the agency has yet to ask for either.

"The personnel part of it is probably the biggest hole that needs to be addressed," he said. "If they're the agency that is charged with protecting [federal] networks, then they or somebody needs the policy or budgetary authority to close gaps, and right now they don't have that."

Jurisdictional sprawl

Langevin has been critical of how jurisdictional lines are drawn around cyber policy in Congress. As technology and the internet have become ever more relevant to the federal government and its various missions, committee chairs have increasingly sought to stake their claim over some portion of the cybersecurity portfolio. The Departments of Defense, Homeland Security, Justice, Treasury, Commerce and others all fulfill important roles in the digital space and so too do the bodies responsible for oversight.

While the number is hard to pin down, Langevin has said in the past that anywhere between 80-100 committees and subcommittees have laid claim to some aspect of the issue. Having that many masters makes it hard to think big or shift paradigms when writing legislation.

The law that eventually stood up CISA, for example, took nearly two years to pass through Congress, despite widespread bipartisan support and the urgency created by the 2015 Office of Personnel Management hack and the 2016 Russian election interference campaign largely executed in the digital space.

Ron Johnson (R-Wis.), chairman of the Senate Homeland Security Committee, told FCW last year after a hearing that jurisdictional "turf battles" with the Senate Intelligence Committee and others over CISA's place in the cybersecurity ecosystem were one of the biggest obstacles to moving forward. A cybersecurity information-sharing bill traveled a similarly rocky road for six years before finally passing in 2015.

So what is the right number of committees? Langevin declined to provide a specific number but said "the fewer the better" and "certainly a much smaller number than 80."

"Oversight is important, but having too many hands in this is not productive or helpful, and if anything, it slows things down unnecessarily," he said.

Pruning that jurisdictional overgrowth back will require nothing less than a personal intervention by the Speaker of the House and sufficient "political will" from the majority caucus. Langevin compared the situation to the Democrats' push for health-care reform after bolstering their majorities in the 2008 elections. Speaker Nancy Pelosi (D-Calif.) brought the caucus together, laid out a detailed schedule for pushing legislation and tapped a small handful of committees that would be taking the lead.

"It takes that kind of leadership and focus to make those changes, and of course the caucus needs to be supportive," he said. "Right now, there hasn't been that catalyst event that has moved us to the place where I'd like to be in terms of streamlining the number of committees and subcommittees on cyber."

Limited patience

Two programs the agency uses to protect federal networks -- Continuous Diagnostics and Mitigation and Einstein -- have been subject to criticism in some quarters for delayed implementation timelines and uncertain returns. A 2016 report by the Government Accountability Office found Einstein, designed to scan network traffic to identify and stop emerging cyber attacks, offered only limited protection to agencies. CDM, which acts as a purchasing vehicle for agencies to procure network monitoring tools, has struggled at times to get buy-in from other agencies and has had to revamp the program and push back implementation timelines.

Neither appears to be in immediate danger from appropriators; the House Appropriations Committee voted to give CDM $130 million more in funding than requested by the White House, while Einstein got an additional $40 million to set up new technology to monitor Domain Name System activity.

Still, Langevin indicated that while he still supports both programs, his patience is not infinite.

"Neither Einstein nor CDM have yet realized the full potential that we hoped they'd achieve and are works in progress," Langevin said. "It's an area where we need continued oversight, and we need to push for more robust coverage in fulfilling their goals, but we also need to be open to other things as technologies change and mature. So if there are other things we can be doing, we should be looking at those as a government as well."

Taking offense

Langevin is also in a battle with the White House over the release of National Security Presidential Memorandum 13, which governs how and when DOD and Cyber Command can engage in offensive operations.

After calling for the White House to turn over to Congress documents outlining the expanded offensive cyber authorities being assumed by the administration, he has been locked in negotiations with the White House for months. Since announcing the policy change last year, media reports have confirmed multiple operations against Russia, Iran and ISIS.

Langevin believes Congress cannot conduct proper oversight of the new policy as well as DOD's "Defend Forward" strategy in cyberspace without reading the rulebook they follow. Right now, he said, he is negotiating in good faith with the administration, but he pointed to an amendment in the House version of the National Defense Authorization Act that would force the administration's hand if those talks fail.

"If need be, I think there's bipartisan support to keep our requirement in there that would require by law that the document be forwarded to the committee, so that would be the ultimate resolution," he said.

A year after NSPM-13 and Defend Forward were put in place, Langevin said he's seen real progress at DOD and Cyber Command staffing up mission teams and slotting into the government's strategy for protecting U.S. elections. He's satisfied with Cyber Command's current budget authorities and would like to see the efforts on coordination in the election security space extended to other parts of the military's cybersecurity mission.

"I think the construct is good in terms of the cyber mission force and having cyber mission teams that are training to form different functions and defend the [DOD Information Network] or defending the United States in cyberspace," Langevin said. "The coordination aspects of protecting the country in cyberspace are still a work in progress, and that's why exercising that coordination is important."

NEXT STORY: Background checks move to DOD

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.