Jim Langevin's view from the Hill

Few lawmakers in Congress today cover as much ground in cybersecurity policy as Rep. Jim Langevin (D-R.I.).

From his perch as chairman of the House Armed Services Committee and a member of the House Homeland Security Committee, Langevin has visibility and input into many of the most critical offensive and defensive issues confronting the U.S. government in cyberspace today. He's also co-founder of the Congressional Cybersecurity Caucus and a member of the U.S. Cyber Solarium Commission.

In a wide-ranging interview with FCW, he discussed his work shepherding the Department of Homeland Security through its evolution into the cybersecurity hub of the federal government, the jurisdictional logjams around information security policy in Congress, the burgeoning role of U.S. Cyber Command and his fight with the White House over the release of its new offensive cyber rulebook.

Stocking up CISA

November will mark the one-year anniversary of Congress passing the Cybersecurity and Infrastructure Security Agency Act, re-organization bill that elevated DHS' cyber bureau to an operational component while also providing a stamp of legitimacy to its claim as the federal government's premiere civilian cyber agency. Over the past year, CISA has accelerated its involvement in a host of core issues, such as securing election infrastructure, extending resources to states and critical infrastructure sectors and acting as a risk advisor to federal agencies and the private sector.

After receiving bipartisan praise for its work during the 2018 elections, the agency's portfolio has only grown, with officials staking out plans following the 2019 shutdown to increase engagement with state and local governments, wade into the national debate on 5G, develop new capabilities to mitigate ransomware attacks and other expansions of its mission. CISA Director Chris Krebs even argued that the agency was fulfilling many of the same "block and tackling" coordination between agencies previously conducted by the now-defunct White House Cyber Coordinator position.

Langevin supports these efforts and said he believes CISA is the right agency to lead them. Like many lawmakers, though, he doubts the agency has the money, personnel and authority to get the job done.

"I don't think they're appropriately resourced right now with cyber expertise within CISA," he said. "I think they're still too dependent on other departments and agencies -- thinking of U.S. Cyber Command -- for the skillset they need, and I think that needs to be developed in-house."

CISA is starved for talent and exploring a number of initiatives to augment its cybersecurity workforce. The agency has gone on a hiring spree since the reorganization and is revamping its hiring and compensation process to move away from a General Schedule pay scale that doesn't always translate well to the cybersecurity talent pool.

Langevin and others are eager to provide more funding and perhaps additional policy and budgetary authorities to help CISA protect the federal government, but he said the agency has yet to ask for either.

"The personnel part of it is probably the biggest hole that needs to be addressed," he said. "If they're the agency that is charged with protecting [federal] networks, then they or somebody needs the policy or budgetary authority to close gaps, and right now they don't have that."

Jurisdictional sprawl

Langevin has been critical of how jurisdictional lines are drawn around cyber policy in Congress. As technology and the internet have become ever more relevant to the federal government and its various missions, committee chairs have increasingly sought to stake their claim over some portion of the cybersecurity portfolio. The Departments of Defense, Homeland Security, Justice, Treasury, Commerce and others all fulfill important roles in the digital space and so too do the bodies responsible for oversight.

While the number is hard to pin down, Langevin has said in the past that anywhere between 80-100 committees and subcommittees have laid claim to some aspect of the issue. Having that many masters makes it hard to think big or shift paradigms when writing legislation.

The law that eventually stood up CISA, for example, took nearly two years to pass through Congress, despite widespread bipartisan support and the urgency created by the 2015 Office of Personnel Management hack and the 2016 Russian election interference campaign largely executed in the digital space.

Ron Johnson (R-Wis.), chairman of the Senate Homeland Security Committee, told FCW last year after a hearing that jurisdictional "turf battles" with the Senate Intelligence Committee and others over CISA's place in the cybersecurity ecosystem were one of the biggest obstacles to moving forward. A cybersecurity information-sharing bill traveled a similarly rocky road for six years before finally passing in 2015.

So what is the right number of committees? Langevin declined to provide a specific number but said "the fewer the better" and "certainly a much smaller number than 80."

"Oversight is important, but having too many hands in this is not productive or helpful, and if anything, it slows things down unnecessarily," he said.

Pruning that jurisdictional overgrowth back will require nothing less than a personal intervention by the Speaker of the House and sufficient "political will" from the majority caucus. Langevin compared the situation to the Democrats' push for health-care reform after bolstering their majorities in the 2008 elections. Speaker Nancy Pelosi (D-Calif.) brought the caucus together, laid out a detailed schedule for pushing legislation and tapped a small handful of committees that would be taking the lead.

"It takes that kind of leadership and focus to make those changes, and of course the caucus needs to be supportive," he said. "Right now, there hasn't been that catalyst event that has moved us to the place where I'd like to be in terms of streamlining the number of committees and subcommittees on cyber."

Limited patience

Two programs the agency uses to protect federal networks -- Continuous Diagnostics and Mitigation and Einstein -- have been subject to criticism in some quarters for delayed implementation timelines and uncertain returns. A 2016 report by the Government Accountability Office found Einstein, designed to scan network traffic to identify and stop emerging cyber attacks, offered only limited protection to agencies. CDM, which acts as a purchasing vehicle for agencies to procure network monitoring tools, has struggled at times to get buy-in from other agencies and has had to revamp the program and push back implementation timelines.

Neither appears to be in immediate danger from appropriators; the House Appropriations Committee voted to give CDM $130 million more in funding than requested by the White House, while Einstein got an additional $40 million to set up new technology to monitor Domain Name System activity.

Still, Langevin indicated that while he still supports both programs, his patience is not infinite.

"Neither Einstein nor CDM have yet realized the full potential that we hoped they'd achieve and are works in progress," Langevin said. "It's an area where we need continued oversight, and we need to push for more robust coverage in fulfilling their goals, but we also need to be open to other things as technologies change and mature. So if there are other things we can be doing, we should be looking at those as a government as well."

Taking offense

Langevin is also in a battle with the White House over the release of National Security Presidential Memorandum 13, which governs how and when DOD and Cyber Command can engage in offensive operations.

After calling for the White House to turn over to Congress documents outlining the expanded offensive cyber authorities being assumed by the administration, he has been locked in negotiations with the White House for months. Since announcing the policy change last year, media reports have confirmed multiple operations against Russia, Iran and ISIS.

Langevin believes Congress cannot conduct proper oversight of the new policy as well as DOD's "Defend Forward" strategy in cyberspace without reading the rulebook they follow. Right now, he said, he is negotiating in good faith with the administration, but he pointed to an amendment in the House version of the National Defense Authorization Act that would force the administration's hand if those talks fail.

"If need be, I think there's bipartisan support to keep our requirement in there that would require by law that the document be forwarded to the committee, so that would be the ultimate resolution," he said.

A year after NSPM-13 and Defend Forward were put in place, Langevin said he's seen real progress at DOD and Cyber Command staffing up mission teams and slotting into the government's strategy for protecting U.S. elections. He's satisfied with Cyber Command's current budget authorities and would like to see the efforts on coordination in the election security space extended to other parts of the military's cybersecurity mission.

"I think the construct is good in terms of the cyber mission force and having cyber mission teams that are training to form different functions and defend the [DOD Information Network] or defending the United States in cyberspace," Langevin said. "The coordination aspects of protecting the country in cyberspace are still a work in progress, and that's why exercising that coordination is important."