Cybersecurity Experts Urge DC Lawmakers to Take Stronger Action Against Threats

Passengers seen waiting after a major disruption in Microsoft Corp.'s cloud services caused widespread flight cancellations and delays at T3 IGI Airport on July 19, 2024 in New Delhi, India. At Stanford’s Hoover Institution, the House Committee on Homeland Security heard from experts who argue escalating threats highlight the need to modernize U.S. cyberdefenses.  (Vipin Kumar/Hindustan Times via Getty Images)

Tensions between Washington, D.C. and Silicon Valley’s cybersecurity lions have been running high this year, in large part because of controversial staffing cuts at the nation’s top cyber agency, the Cybersecurity and Infrastructure Security Agency (CISA). Cyber leaders have also decried what they call President Donald Trump’s “political persecution” of former CISA Director Christopher Krebs.

But at Stanford’s Hoover Institution on Wednesday, a surprisingly collegial House Homeland Security Field Hearing on U.S. Cybersecurity Challenges featured broad agreement on a host of urgent issues.

Lawmakers and experts alike expressed fear of the growing sophistication of cyber attacks like Salt Typhoon and Volt Typhoon on public and private organizations. Committee Chair Mark Green, a Republican of Tennessee, said it was no accident this field hearing was held in Silicon Valley.

“I have prioritized cybersecurity for myself in this Congress and for the Committee on Homeland Security, and I hope the industry partners that are here and across the country will join us in this mission to improve our cyber resilience against nation states, as well as criminal actors, strengthen our offensive posture, and develop new capabilities that incorporate security from the start,” Green said.

The hearing featured testimony from a panel of expert witnesses — all of them veterans of the federal government or military who are now working at the highest levels in Silicon Valley. They urged lawmakers to adopt a more collaborative approach to cybersecurity, emphasizing the importance of real-time information sharing between the government and the private sector, as well as a stronger national strategy to counter state-sponsored threats, particularly from China.

Hoover Tower on the Stanford University campus on April 9, 2019. (Rachael Myrow/KQED)

“Our cyber adversaries — China, Russia, Iran, North Korea and others — are more active and aggressive than ever,” said Wendi Whitmore, chief security intelligence officer at Palo Alto Networks. “Every single day, Palo Alto Networks blocks up to 31 billion cyber attacks. Up to 9 million of those daily attacks represent novel methods never previously seen,” she said.

Data breaches and ransomware attacks have become commonplace at hospitals, schools, utilities and even KQED. So have headlines about software systems infested with malicious code implanted by foreign state actors.

Global losses to cyberattacks could exceed $10.5 trillion this year alone, according to the multinational consulting firm McKinsey.

Whitmore argued that the era of isolated, disjointed or manual solutions should be over. But that doesn’t reflect the reality at many organizations and companies, where understaffing and limited budgets lead to poor cybersecurity hygiene.

“Most software attacks exploit preventable vulnerabilities in software products or insecure default configurations. This could be as simple as a default password that sits unchanged,” lamented Jack Cable, CEO and co-founder of San Francisco-based Corridor, which makes AI-powered development platforms.

Another point of agreement: the federal government could take advantage of its massive purchasing power to force Silicon Valley software contractors to increase the quality and security of their code, so that it’s “secure by design,” in cybersecurity lingo.

“The government has an obligation to set clearer security standards that are more consistent across the government,” said Jeanette Manfra, global director for security and compliance at Google Cloud, who served as a cybersecurity official during the Obama and first Trump administrations.

The expert witnesses touched only lightly on hopes for federal regulation or the recent exodus of technical talent from CISA. They seemed clear they were speaking to a friendly audience on the House Committee on Homeland Security, who already understand what needs to be done from a cybersecurity perspective in Washington D.C., as well as the political obstacles that lie in their way.

Industry watchers said the ball is now in the court of the committee’s Republican lawmakers to lobby the Trump administration to prioritize cybersecurity and turn the industry’s best practices into policy or even law.
