Senator Schmitt Emphasizes Need to Strengthen, Update Cybersecurity Technology

WASHINGTON — Today, during a Senate Commerce Committee hearing, U.S. Senator Eric Schmitt (R-MO) questioned witnesses about the need to modernize procurement processes at the Department of War, the failures of “checklist” cybersecurity, and efforts to strengthen satellite security.

Watch the full line of questions HERE

Senator Schmitt on Ways to Modernize Pentagon Procurement Systems:

Senator Schmitt: “Thank you, Madam Chair, just to follow up on that a little bit. Mr. Jaffer, in December, I had called for an investigation into the Department of War’s handling of the Salt Typhoon. In particular, the Department’s failure to ensure its communications, voice, text, and video, we’re protected from foreign espionage vulnerabilities. What, in your view, what are the structural problems in federal procurement that make it possible? What should Congress consider as far as the federal procurement process to make that better?”

Mr. Jamil Jaffer, Founder and Executive Director, National Security Institute at the Antonin Scalia Law School at George Mason University: “Well, Senator Schmitt, certainly, I think that the procurement system is one place where Congress and the Executive Branch can do a lot more to ensure effective cybersecurity in the procurement process, because you’re spending our taxpayer dollars, and people want these contracts. We can impose whatever requirements we want on them. To me, that’s a much more preferable way to address the regulatory burden that folks want to put on industry. It’s because if people want government contracts, they should secure the systems to the government standards. At the same time, we’re seeing the Department of War today pivot to a much more innovative approach to procurement, a much more commercial approach to procurement. I think that’s the right thing to do. It’ll allow us to get newer, better technology faster. Then, we have to make sure that we’re not over imposing cybersecurity burdens that will prevent us from getting the technology we want. There’s a balance there that we can achieve, I think, one that we can do successfully as we need to go forward.”

Senator Schmitt: “We have a lot of leverage as relates to those contracts. In your view, what are some of the minimum cybersecurity standards or audit compliance that should be included in those contracts?”

Mr. Jaffer: “What I do think we should do is require companies that sell to the federal government to go through a security audit and to demonstrate to an independent third party that they’ve successfully met things like this cyber security framework, right. That they’re applying it effectively, and they’re implementing it effectively. That, to me, is a good starting point. If they’re able to show that to the government, the government doesn’t need to do additional work on its own to qualify them. They can do that ahead of time. They get the audit paperwork present to the government and then become a contractor much faster. To me, that’s way to get smaller, faster companies in and not put an additional federal regulatory burden upon them, while still requiring them to meet good, good cyber hygiene requirements like the NIST framework.”

Senator Schmitt on the Failures of Checklist Cybersecurity:

Senator Schmitt: “Mr. Mayer, I wanted to ask you in your in your testimony emphasized that prescriptive regulations cause us to lag behind adversaries for a bunch of different reasons. You warned that this shift in attention from managing real risk to managing paperwork means provider can legally and fully be compliant but still be very exposed. Can you speak to the impact that we’ve seen already from the previous administration’s more prescriptive, checklist driven approach, what that’s kind of left behind and what we can learn from that moving forward.”

Mr. Robert Mayer, Senior Vice President of Cybersecurity and Innovation, USTelecom—The Broadband Association: “So, we know the checklist —and we have evidence of this — has not been successful. There are examples where individuals or organizations that whose checklist managed by checklists they missed. And, in this environment where the adversaries are evolving on a daily basis, using a checklist would be looking in a rear view mirror […] So, I think the better approach, and we’re doing this, is to engage with our government partners on a regular basis, including the intelligence community and the law enforcement community, and talk about what we’re observing. What the government is observing, how to mitigate those activities. And we do hold ourselves accountable. I can tell you, the frontline practitioners in our companies work every day to defeat these [cybersecurity] attacks. We don’t hear about their success rate, but they are dedicated and passionate about security, and they are held accountable within their organizations through their customers…”

Senator Schmitt on Operation Salt Typhoon, Need to Strengthen Satellite Security:

Senator Schmitt: “So… with the 43 seconds I have remaining, just kind of two questions out for whoever wants to grab on them, because I do think these are important. What we learned, I think, from Salt Typhoon, is that there’s a lot of deficiencies in the hardware that currently exists that’s outdated. And I know there’s efforts to sort of update that. Can you give me an update on where that stands and why it relates to satellite security? What are some simple things like enabling encryption. Why are why are we not further along with that? So, hardware issues and updating that, and then encryption for satellites.”

Mr. Daniel Gizinski, President of Satellite and Space Communications Segment, Comtech: “I think a couple of aspects is certainly on the hardware side, major emphasis, and, you know, ultimately, very important to pay attention to the supply chain of not just the hardware, but the software that’s going into this. Going into those systems, putting together transparent messaging around the source of all of the software aspects that are incorporated into in deliverable systems. There are a number of explanations that have been provided for some of the complexities that are created by enabling encryption, would say it’s a little bit of a surprise, and I think there’s probably further discussion needed on some of the limitations that are preventing encryption from being broadly used on satellite. It’s something that we’ve strongly advocated for. We’ve made those tools available to many of our customers that are using that equipment over satellite, and we’re still seeing to this day.”

###