We've come a long way in cybersecurity.
US Representative Jim Langevin (D-RI), long-serving member of the House and currently ranking member of the House Armed Services Committee, addressed Cyber 9/12 with an account of how far he believed Congress had come, and what in his view impedes further progress.
He thinks a rudimentary but fundamentally sound understanding of cybersecurity now pervades Congress. He's seen that understanding manifested in the establishment of agencies, attempts to address the longstanding shortfall in qualified labor, and especially in recent programs that foster exchange of labor among the military, civilian agencies, and the private sector.
Discussing CISA, the Cybersecurity Information Sharing Act, Rep. Langevin said he saw widespread agreement on the bill's goal, information sharing, but that here "lawyers have been an obstacle." Looking beyond CISA, he offered some perspective on where he sees law and policy moving. Essentially, he believes "there are two different paradigms in play."
First, issues over jurisdiction are tying the hands of both the House and the Senate. "Over eighty committees claim some part of cyber as their portfolio." One of the reasons as relatively uncontroversial a bill as CISA took so long to pass is that it fell between the bailiwicks of the Intelligence and Homeland Security Committees. He argued that the Congressional oversight the committees exercised could be streamlined with benefit to the republic.
Second, "most policy is still being made on the basis of analogies with the physical world." Such analogies, he said, may have a certain applicability, but they do tend to break down. He cited the difficulties around the Wassenaar cyber arms control regime as a clear case of failure induced by "lawmaking by analogy."
Since the student teams were, in the Cyber 9/12 exercise, playing the role of junior staff, Rep. Langevin concluded his remarks with advice on how to approach staff work. "Know your principal," he began. "There's no such thing as a perfect brief. Your job is to help your principal reach the best decision possible. Different people reach that in different ways."
His second piece of advice was, "Know your subject," which in turn is related to establishing trust. "Trust is earned over time. One of the fastest ways to earn it is to say three little words: 'I don't know.'"
And the final bit of advice was, "Make sure you account for stakeholders." Many people and interests will be affected by the courses of action you're advising; consider them.
In the question session, Rep. Langevin was asked which hard problem he'd like to tackle. He said he'd like to work on legislation to better protect critical infrastructure. "We also need to put someone in charge of the dot gov network." The dot gov, dot mil (which, he said, NSA and Cyber Command do an excellent job of protecting), and dot com worlds need, in his opinion, coordination.
To other questions, he said he would be disinclined to establish a new regulatory agency to oversee the Internet of Things. He'd rather see such responsibility vested in an existing agency. And, with respect to Cyber 9/12's hacking-back scenario, he thought, "no, as much as that might feel good, we need to think about the blowback."