WASHINGTON, DC – This morning, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, pressed Robin Carnahan, nominee to be Administrator, General Services Administration; Jen Easterly, nominee to be Director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security; and Chris Inglis, nominee to be the National Cyber Director, on the need for transparency in providing information to the Committee as it performs its oversight duties. The nominees committed to Portman that they would promptly provide the Committee with any documents and information that are requested. Portman also stressed with Easterly and Inglis the importance of establishing a single point of accountability for federal cybersecurity and developing a national cybersecurity strategy. As Senator Portman highlighted, having someone with ultimate accountability for cybersecurity in the federal government ensures that the government can more effectively defend our country against cyberattacks.
A transcript of the exchange can be found below and a video can be found here.
Portman: “Thank you, Mr. Chairman, and I look forward to working with you on that legislation, and we’ll talk about accountability in a moment and the importance of having clear lines of accountability in what is an increasingly concerning issue, which is not just ransomware, but cyberattacks generally. With regard to our oversight role here, in order to do it properly, we need to have information. And one of the congressional complaints sometimes is about responsiveness. This is particularly true, unfortunately, in this area. And so I want to ask you some questions about that. Ms. Carnahan, I’ll start with you, on the video. I’ll ask you, do you agree to promptly provide the Committee with documents and information that we request?”
Robin Carnahan, nominee to be Administrator, General Services Administration: “Certainly, Senator.”
Portman: “Thank you. Ms. Easterly, yes or no would suffice.”
Jen Easterly, nominee to be Director, Cybersecurity and Infrastructure Security Agency: “Absolutely, sir.”
Portman: “Mr. Inglis?”
Chris Inglis, nominee to be National Cyber Director: “Yes, sir.”
Portman: “Let me just give you an example of this. Ms. Easterly, the authorization for CISA’s flagship cybersecurity program, the EINSTEIN program, as you know, is expiring, and it expires next year. So we’ve been working on a reauthorization bill. I hope to work with Chairman Peters and all members of this Committee on that. It has to be reauthorized. And yet we’re having a really hard time getting information. On April 5th, Chairman Peters and I sent to CISA a letter requesting information about EINSTEIN to inform our legislative efforts. Until earlier this week, the only response we received were documents previously provided to Congress. So nothing new. And a lot of the documents we received this week were heavily redacted. Let me give you an example of that, we’ll put it up here behind me. This is the document where everything apparently describing the mission needs of EINSTEIN is redacted. Not terribly useful and not helpful in our efforts to give you the key tool that you would need should you be confirmed to be sure that DHS is effective at combating cybersecurity.
“So my question for you would be, understanding you weren’t involved in this decision, but should you be confirmed, would you agree that the Chair and Ranking Member of an authorizing committee should be allowed to review the mission needs of a program before attempting to reauthorize it?
Ms. Easterly: “Thanks for that question, Ranking Member Portman. I would just say that I absolutely believe in the strong oversight role that this Committee has. And if confirmed, I would 100 percent commit to doing everything I possibly can to make sure that you get all of the information that you need to perform those important oversight roles.”
Portman: “Well, thank you. We will hold you to that. Mr. Inglis, we also sent a letter to the federal CISO, as opposed to CISA – this is OMB – on April 5th, which asked about the accountability for federal cybersecurity, an issue, as you know from our conversations, I have a lot of interest in, and all we received to date is a list of public websites. That’s it. Does that seem like a timely and sufficient response to you?”
Mr. Inglis: “Senator, I, similarly, if confirmed, commit to providing the Committee with all of the resources and insight required for them to do their duty. We know that the Senate is a principal source of authorization and resources necessary. Without insight into that specific kind of request, not knowing what the question is, I’m unable to comment on that. Only to say that it doesn’t sound correct and that if confirmed, I will work to accommodate that.”
Portman: “Well, thank you. I ask unanimous consent, Mr. Chairman, that we would submit for the record the letters we’ve sent and the redacted page behind me. And just personally, I need to know from all three of you, you’re going to be more responsive and we’re trying to work with you and do our work. Ms. Carnahan, GSA has a lot of responsibilities. One, of course, is with regard to procurement. If confirmed, how would you increase federal agency usage of GSA schedules and government-wide acquisition contracts for procurement?”
Ms. Carnahan: “Yeah, thanks for that question, Senator. I am very interested in making GSA services more user-friendly. I know when I’ve talked to businesses that have tried to get on GSA schedules, they’ve told me about how difficult that process is. And I’m interested in learning more about how we can streamline that. It creates more competition and it creates good jobs in our country if we can get more people able to sell through the government and GSA schedules. Likewise, we can make it easier for agencies to be able to buy through GSA schedules and make sure we’re getting them the best price and the best value. So I’m very interested in this topic, Senator, and I look forward to working with you more to figure out how to do that.”
Portman: “Good. I appreciate that. And I think you’re absolutely right. Improving the user experience is key and your commitment to it is appreciated. During COVID-19, as you know, the government had waived certain requirements in order to move more quickly to acquire goods and services to respond to the pandemic. My question is for you. Why shouldn’t we continue to waive these requirements for the urgent and critical non-pandemic contracts?”
Ms. Carnahan: “Thanks for that question. I will tell you, Senator, I’m not familiar with all of the waiver requirements and waiver rules that were implemented during the pandemic, but I think it is worth figuring out how we can streamline and speed up the process. So I think it is cumbersome now. I think it can be better. We know what good marketplaces look like. There are security and other kinds of implications that we have to think about all the time. But I’m very committed to trying to make this work better.”
Portman: “We’d appreciate working with you on that, particularly given the opportunity we have post-COVID. We’ve had this experience during COVID that worked pretty well and would help in terms of that responsiveness. On accountability, again, this is an issue that I think is a deep concern of not just mine, but a lot of members of this Committee. In the federal government, we have CISA and Jen Easterly is up for the CISA confirmation. We have CISO at OMB. We have the National Cyber Director and Mr. Inglis is the nominee for that job. We also have the Deputy National Security Adviser for Cyber, all have, not just roles in cybersecurity, but coordinating roles in cybersecurity. I am concerned about the overlap. I am concerned about the duplication leading to a lack of accountability.
“I noticed in the conversation earlier, Mr. Inglis, you talked about how the job is one of encouraging coherence, unity of purpose, partnership for the private sector. And CISA talked about the partnership with the private sector. You talked about ensuring a national strategy. You talked about this being sort of like a coach, Ms. Easterly, the role that Mr. Inglis would play, if confirmed, and that you were the quarterback. What is CISO? Is CISO the running back? And what is the Deputy National Security Adviser? Is that a defensive player or linebacker? I mean, I really, all joking aside, I think we have a real opportunity here with real experts coming into these jobs to be able to be sure we’re not duplicating efforts. And frankly, without accountability, no one’s in charge. So ultimate accountability. If everyone’s in charge, no one’s in charge. So can you speak to that briefly, Ms. Easterly?”
Ms. Easterly: “Yes, Ranking Member Portman, thank you very much for that question, because I do think it’s incredibly important. As I said in my opening statement, cyber is, and has to be, a team sport. But I 100 percent agree with you that accountability is critical. I come before you as the nominee for Director of CISA. If I’m confirmed, I would expect you and Secretary Mayorkas and the Committee to hold me accountable for the very specific operational mission that CISA has to manage and mitigate risk to our digital and physical critical infrastructure and resilience, so working with all of our partners. So that’s what I would expect to be held accountable for.”
Portman: “Okay. In the wake of the Colonial Pipeline hack, we have a lot to talk about. They didn’t even manage to work with you guys. They reached out to the FBI. The FBI reached out to your prospective new agency. I mean, if that’s your responsibility at CISA, should you be confirmed, it doesn’t seem to be working very well. So we have lots to talk about. And I know Mr. Inglis, you and I talked about having a whiteboard exercise where we can actually see all these different roles, and that doesn’t include all the roles at the agencies where there’s also accountability. We look forward to working with you on that, but I would like a commitment from you all today that you will help us to ensure that we have the right people in the right place and that we’re not overlapping responsibilities so that we can more effectively provide both the defense and the offense on cybersecurity.”
Ms. Easterly: “I commit to that.”
Portman: “Thank you.”
Mr. Inglis: “I commit to that.”
Portman: “Thank you, thank you, Mr. Chairman.”