Sen. Cruz: Congress Must Take All Legislative Steps Necessary to Protect the U.S. From Cyber Attacks

WASHINGTON, D.C. – U.S. Sen. Ted Cruz (R-Texas) questioned a panel of expert witnesses yesterday in a Senate Judiciary subcommittee hearing that explored the vulnerability of the United States’ infrastructure to foreign cyber-attacks, and ways in which Congress should act to eliminate such threats.

Watch Sen. Cruz’s full line of questioning here. Full transcript is below:

Sen. Cruz: Thank you, Mr. Chairman. Thank you, to each of the witnesses, thank you for being here.

Dr. Lewis let me start with you. In your report published this past January, Rethinking Cybersecurity, and also in your testimony here today, you’ve noted that the greatest cyber threats come from nation states like Russia, China, North Korea, and Iran, that have the capacity to launch massively damaging attacks and that the private-sector is not matched to defend against. You also write in the reports that in your judgment these attacks are very unlikely because states are constrained by their geopolitical objectives and the risk of escalation. Can you elaborate on your thinking here in terms of the likelihood of attacks on the private sector?

Dr. James A. Lewis: Yes, thank you Senator. It’s always nice to hear that someone has actually read one of these reports. I think the concern that many people share now is that we’ve sent the wrong signal to the Russians, and that they could miscalculate. It’s like every time you up the ante and no one calls your bluff you’re likely to miscalculate. That’s the fear here, is that the Russians have been relatively cautious so far but, they’ve poisoned people in the UK, they’ve interfered with U.S. elections, they’ve done a number of things around the world that suggest they’re not as afraid of us as they should be. So, I think while norm would be for them to calculate the risk, the danger is that if we don’t pushback they’ll miscalculate.

Sen. Cruz: So, what do you think would be the most effective deterrence to nation states launching cyber-attacks of this kind?

Dr. Lewis: Thank you for that question Senator. I think we need to make public a list of potential responses that the U.S. could undertake -- ranging from indictments, sanctions, diplomatic action -- and signaling at least the willingness to undertake either overt military activity, and I know that’s risky, or perhaps covert action. Second, we need to communicate with our potential opponents there are, as you’ve heard there are four, we need to tell them that we have thought through the process of how to respond and are ready to do so. Finally, we need to persuade them that we’re serious. I heard a comment a year ago from a Chinese General, who when asked about the U.S. said, “A great capability, no will.” And that’s the thing that we have to change. We have to make our opponents think we’ll push back.

Sen. Cruz: Mr. Fanning, let me ask you about the Electricity Subsector Coordinating Council’s (ESCC) Cyber Mutual Assistance Program (CMA). Could you explain to the Committee what that program is, and how it works?

Mr. Thomas A. Fanning: You bet. It’s a really unique effort and in my mind, it is unique among the 16 coordinating councils. Here is the issue, this industry, the electricity industry, has a long track record of mutual assistance. When you think about Hurricane Katrina, snow storm Sandy you will see the legions of trucks and personnel go to help and restore hope to these communities in the worst of times. It’s obvious that a person from Georgia can go to New Jersey and put up an electricity wire. It is not so obvious that a person can go restore a piece of software that has been damaged by a cyber-attack. When you think about the types of people in the private sector, that could come help, Mandiant and others, in the event of an existential threat, now I’m talking not about punks, thugs, and criminals. I’m talking about somebody making a comprehensive attack, probably both physical and cyber, that is designed to interrupt our American commerce, our way of life, there will be an immediate draw on third party resources to restore that capability. And, what we have to have in the United States is a sense of priority as to how we will use those resources and what we will pay attention to first. So, what I’m so proud of -- we have formed a tri-sector effort that is unifying the preparation for and response to existential threats. That’s among electricity, finance, and telecom. It’s really that effort within the electricity sector we have already undertaken cyber mutual assistance programs in response to a threat, and we’ve helped the smaller intensities that don’t have the depth of capability to respond to and prepare for the threat that we saw.

Sen. Cruz: So, let me ask both of you, what do you see as our greatest vulnerabilities right now to cyber-attack and what legislative steps should Congress be taking to protect against those?

Mr. Fanning: I’ll take a shot at it. You know, the buzzword right now is, ‘resilience.’ Reliability means how our systems operate under normal conditions. Resilience, to me, means how our systems operate under abnormal conditions, like a hurricane, a snow storm, or a cyber-attack.

There’s a variety of things that we can get legislatively that I think will help our ability to be resilient. When I think about an infrastructure bill we could allocate funding, for example, for spare transformers to fund greater capability for analyzing computer systems that are common to our industry to move this nation forward for attacks, from an EMP nature, or from machine to machine attacks. These are capabilities that we all need to develop. The issue here is not where we are but where we need to be. Skate to where the puck will be. A lot of work needs to go ahead. We are working together in this tri-sector effort to develop what we call a wish list. Part of that wish list will involve legislative activities.

Dr. James Lewis: Thank you Senator. As we’ve heard and as we all know the electoral system is a primary target. The second is, of course, the electrical grid which we know that Russians have looked at. I would add to that, the larger energy infrastructure which the Iranians have probed and which they have attacked and their neighbors. So, Russia, Iran, elections, electricity, energy. Things that Congress could help do- hearings like this help focus the attention both to the public, the private sector, and the agencies. I think helping to move DHS to a better organization would be very helpful. Moving on the Department of Energy cybersecurity office would be useful. And finally, the legislation that the Senate has put forward on strengthening sanctions would be a powerful tool and a powerful message to some of our opponents.

Sen. Cruz: Thank you.

###