In the interest of time, I'm not gonna go into detail on the congressman's bio, not least because I want him to do a little bit of that. But suffice to say, Representative James Langevin has been representing the second district, Rhode Island, since 2000. He's currently the ranking member of the House Armed Services Committee, and highly relevant to this, the co-chair and indeed the co-founder of the Congressional Cybersecurity Caucus. I should say, for the benefit of people who are hoping to see Senator McCain, unfortunately Senator McCain's schedule changed, but it is truly a case that the senator's loss is our gain. It gives extra time with Congressman Langevin who not only is one of the relatively few, perhaps there are increasingly more people in Congress who are taking an interest in cybersecurity, but very few have the understanding and knowledge of Representative Langevin. So I'd like to begin the conversation sort of in line with New America's sort of interest in understanding how people get into this field, and we had a little bit of that on the last panel, of you giving us a sense of how you sort of got to where you are, and what was it about cybersecurity that made you think this is the thing that one of the things that I want to focus on.

Sure, well, I kind of come into this field by happenstance, if you will. I was the chairman at the time of the Emerging Threats Subcommittee on the Homeland Security Committee, and I thought most of the time we'd be looking at, looking at the chemical, biological, radiological, nuclear threats to the country and focusing on the really WMD issues. And I can still remember this day when my staff director came into me and said, boss, you really need to get this Aurora brief from Idaho National Labs and the vulnerability they discovered in SCADA systems that could lead to catastrophic failures in critical infrastructure. So I didn't know what a SCADA system was at the time.
That has since changed dramatically, and it was a real eye opener. Since then, at that time after the brief, we started doing a deep dive on our vulnerabilities in cyber. And it became readily apparent that we have great vulnerabilities. We're obviously very dependent on the internet, but we also have great exposure in such a vast, well-attacked space and that it's an ongoing challenge. And so something to do that, I was asked to co-chair the CSIS Commission on Cybersecurity for the 44th Presidency. And then Mike McCaul and I also created the Cybersecurity Caucus and still co-founders and current co-chairs of the Cybersecurity Caucus. And just one clarification. I'm not the ranking member of the full Armed Services Committee. Adam Smith would be upset if I didn't set that record straight.

My mistake, sir.

But I am the ranking member of the Emerging Threats and Capabilities Subcommittee that has jurisdiction on oversight over NSA and U.S. Cyber Command. So, and I also am on the Cybersecurity and Infrastructure Protection subcommittees, a senior member on the Homeland Security Committee as well.

And so looking, having been involved with sort of cybersecurity issues on the Hill for as long as you have and linking back again to the comments you made in the last panel, how much confidence can we have that Congress is learning about the issues and growing in its expertise?

Well, clearly it's come a long way since I first started getting involved in this field. And I wish it were, I could claim that I have great influence over my colleagues or that all the great work that Mike McCaul and I have done in terms of the number of briefings and all that, that that was the reason why there's this greater awareness on the challenges in cyberspace.
Unfortunately, it's because of the enormous amount of hacks or intrusions and the cyber vulnerabilities that have been exposed due to high-profile attacks at Target or Sony, Saudi Aramco, the list goes on and on about the damage that has been done because of cyber intrusions, not to mention to a banking system and other challenges. But we obviously have a lot of work to do, but the awareness level has been raised both among my colleagues in Congress and now across the country. Now, they're getting better, but cyber isn't still everybody's issue in Congress. And I think one of the most important things that we really need to focus on is bringing down or eliminating the jurisdictional boundaries and battles that go on on different committees and subcommittees that have jurisdictional decisions. Right now, there are some 80 committees or subcommittees that have jurisdiction over cybersecurity. I mentioned that in the previous panel, and that's just far too many. If we're able to, if we really want to get significant legislation through Congress, it's going to take a streamlining of jurisdiction and that's not what we do.

So just picking up on that hook about getting legislation through. Last year, last Congress, we had the passing of the CISA, the Cybersecurity Information Sharing Act, which was some time in coming and you had a role in that, I know. What's the next big topic for Congress? I mean, one piece of evidence that people are beginning to get interested in cybersecurity is the number of bills that have been tabled this year with some cybersecurity. I'm guessing many of those will not get through. But what do you think people are willing to get behind and despite all the difficulties, get enough votes to take through?

Sure, well, I think we're still going to focus on building the cyber workforce. That will be one.
But I would also say that Congress is going to be more of an oversight role right now to look at the degree to which the information sharing legislation is having the desired effect. Or if not, why not? We want to get more of a point where we're allowing for greater machine-to-machine sharing of information. How are we doing in implementing that? I think the other thing that we need to look at and something that I'm going to be focusing on a great deal over this next couple of years and beyond is metrics. Focusing on determining what is working, what's not working. Because it's one thing to have these policies and say that this framework in place. But if we don't know the degree to which they're being adopted or the degree to which they're going to be effective, then we're doing ourselves a disservice. So I would say this is going to be a time for oversight. There will be other bills I'm sure that are going to be making their way through Congress. I have, for example, a vulnerability disclosure law that I'm proposing. And I'd like to see that move forward. But...

Tell us a little bit more about that.

So right now there's a patchwork of vulnerability disclosure requirements around the country. Some states are more aggressive of that than others. And yet I think the industry would prefer that we had a uniform standard. So my bill would be a 30-day vulnerability disclosure requirement that when a company is aware of the fact that they have been hacked, that company data or customer data has been stolen and their identity could be vulnerable, that there would be a requirement that as soon as they become aware of the cyber intrusion or the hack that they would have to disclose that within 30 days.

And how confident are you of taking that through it?

Well, it's going to be a work in progress.
And I feel good about it, but I also know the jurisdictional challenges and the inertia trying to get things through this legislative environment is not going to be easy, but I think it's something that makes sense. And the more industry, by the way, or the private sector can chime in and saying that we need a law like that, the better off we will be more likely that something will make its way through Congress when it's a kind of a public-private partnership.

The other piece of draft legislation that's attracting some attention is a bill proposing, providing the private sector a greater ability to hack back and engage in active defense, which chimes with a sense that we've maybe seen, at least from the Trump campaign, if not more recently, of giving more responsibility to the private sector. Tom Bossert said last week at CSIS is reaching out to people on the Hill. Can you just give us a sense of what you're hearing from the administration and whether you think giving the private sector a greater role is something that Congress would get behind or not?

Well, we haven't heard a whole lot from the administration on this yet, but I will say in Congress right now there doesn't seem to be the appetite for supporting any kind of hack-back legislation. And I'm in the camp of not supporting a hack-back legislation. I think there's a general understanding that there are, and there could be, and I'm sure there would be unintended consequences that would result in that. I mean, I kind of equate that to cyber vigilantism, right? It's the, it may feel good at the time, but it's not a very responsible way to handle a cyber attack. And I think that's best left to law enforcement, to government, to handle at this point we need to work more closely with the private sector, obviously to close vulnerabilities and determine what the appropriate course of action would be if private sector is in fact hacked.
But I think working through traditional channels is gonna be safer, more effective, on-run without the unintended consequences that haven't been fully vetted.

Nate Fick, the CEO of Endgame who started our conference, described hacking back as responding to a snake by biting the snake.

Yeah, that's a good analogy.

Sticking for a moment with sort of government organizational issues. In your capacity as ranking member of the Emerging Threats subcommittee, one of the things that you'll be thinking about is how DOD is organizing itself to take on cyber mission. And there's been a lot of debate about the relationship between NSA and Cyber Command. Can you just give us a sense of where you stand on that and also where you think the mood music is going?

Sure, well as you know the US Cyber Command is just elevated to its own combatant command and so that's the work in progress happening right now. And I'm very pleased that the progress has been made in developing the cyber mission forces within US Cyber Command. And whether it's the National Mission Force or the individual cyber mission forces within each of the services. And just recently the cyber mission forces were certified as unit capable. And so we're making progress there in training and US Cyber Command realizing its full mission and value to the Pentagon. But clearly modern warfare has forever changed, right? We're never gonna see modern warfare again ever break out either in small scale or large scale conflict without some type of a cyber component to it. So I'm pleased that they're moving in that direction and getting more proficient at using our cyber capabilities. There will be this ongoing debate in the near future as to whether or not NSA and Cyber Command should split. There will be an ongoing and emerging discussion and a decision that will have to be made. I right now, I don't believe that they're ready to split. I know that they should. I think they're in many ways, one is dependent on the other.
And so I think to be effective going forward will that the relationship will always be there whether it's gonna actually split at some point down the road, it's very possible, but I think it's a ways off.

Just staying with the sort of theme of security but taking more widely and looking at the international piece. One of the things that you've been vocal on is the sort of wider issue of deterrence in cyberspace. And my colleague Peter Singer testified in front of you in the last few weeks and made the point that we need to build a better deterrence strategy. How do you think we can do that better and what role do you think Congress can have in that?

Well, I really do believe that we need some more clarification in terms of international agreements, in establishing international norms about what's acceptable and not acceptable in cyberspace. And too much of it is the wild west out there right now in cyber and the more we can have countries come to the table and develop these rules of the road, I think the better off we'll be. I think there was a strong value in having the US-China agreement that President Obama and President Xi had worked out. And we've seen benefits as a result of that, but without those types of broader agreements, we're still gonna be challenged internationally and dealing with cyber-related issues. So I know that that's something that is a work in progress. There was the talk about a cyber Geneva Convention, if you will, and I think that that is a laudable goal and we should work toward that.

And talking to your Republican colleagues, how confident are you that some of the progress that we've had in terms of international agreements will be maintained against the background of the professed sort of America-first foreign policy from the administration? Do you think that cyber, the commitment to being strong on cybersecurity will balance the desire to sort of move away from multilateral arrangements?

Yeah, so I certainly hope not.
We'll wait to see the effect that President Trump's America-first policy will have. It's one thing to be talking about that on the jobs front. It's another, when you talk about security arrangements, I think we all benefit from both private partnerships, we all benefit from international cooperation on this. But I will say, one of the lessons learned is that I think that we, governments and the private sector should be working more closely together. And again, we're policy makers, are not digital natives in dealing with cyber-related issues. Staying close to the researcher community is important and this kind of maybe segues a little bit into the Wassenaar Arrangement.

You read my mind. That was going to be my next question.

Was it, so if you want to ask the question, do we keep it up?

Well, I merely to say, and you referenced this a little bit on your last panel, for those people who are not aware, most people in this room might be, Wassenaar is a non-proliferation agreement where it's traditionally been used through the Cold War to prevent proliferation of capabilities and two years ago, came to be applied to cyber capabilities. And as a result, there have been sort of unintended consequences for the international cybersecurity community. And so the Trump, the Obama administration tried to make changes and failed. Trump administration have said they're going to take this forward and the congressman has been sort of vocal in supporting and encouraging them to do that. So I guess my question is, firstly, how confident are you that we will get changes? And looking at it more widely, what does this tell us, what lessons can we learn for how we might develop sort of policy in the future?

Well, this is a prime example of how, because the fact that negotiators at Wassenaar were not as comfortable with IT or didn't realize, I think through the ramifications, we wound up using a kind of a Cold War legacy agreement as the guidepost.
It was kind of a convenient vehicle to govern IT in intrusion software and preventing it from falling into the wrong hands. They tried to apply an agreement that they govern dual technology, not getting into the wrong hands, for example, protecting satellite technology, for example. And we find out that you couldn't apply, the issue of IT and satellites are very different. And so after the Department of Commerce was charged with writing the rules for implementing that, that's when the IT community came forward and said, well, wait a minute, you can't do this because you're gonna actually inhibit cybersecurity research and cybersecurity threat information sharing because Wassenaar would have actually technically prevented from that kind of collaboration from actually happening. So staying closer to the cyber research community and partnering more will be essential going forward.

Cool. We have 10 minutes to take some questions. So if you could put your hand up and we'll bring a mic to you. First question over here and then we'll come this way. Yes.

Thank you, Congressman. Can you talk a little bit more about...

If you could just begin by saying who you are and where you're from.

Tom Reisen, I'm freelancing with Aerospace America. Can you talk a little bit about more how you said Congress should be more specific in its cyber security oversight? I'm wondering because in the 1970s Congress decided that intelligence oversight wasn't specific enough. It was spread across too many different committees like foreign affairs and et cetera. And so they had dedicated intelligence committees. Are we in a similar situation where cyber security is spread across too many committees?

Yeah, so I think we're at some point may have to move in that direction and it may be time in the near future to have a committee that is charged more specifically with dealing with cyber related issues or whether you vest that in an existing committee or you create something new.
I don't think that the current jurisdictional arrangement is conducive to seeing a complicated piece of legislation dealing with cyber moving quickly through the Congress. And I understand the concept of only the best ideas floating to the top. That's why the founding fathers designed our government. But in an environment where technology changes and moves so fast, I think we're gonna need a better mechanism for both oversight as well as policy solutions that need to be moved through Congress more quickly than what we see currently.

And what would have to happen to make that shift?

Yeah, it would require a rule change. Creating the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence. It didn't happen overnight, but it really happened after the merry or the whole Watergate era as I recall it. And so what came out of the Church Commission, if you will, was one of the solutions was dealing with the challenges of jurisdictional battles and boundaries and whose has permanence in the particular topic they solved that by creating the select committees. So it would take the speaker making a decision on the House side, Majority Leader on the Senate side, or you have a meeting of the minds where it becomes self-evident that we need to have this type of a jurisdictional detente, if you will, and you have a committee that either exists currently that has preeminence in dealing with this legislation, or you have to create a new body.

Another question, in the center here, please.

Hey, Dan Arnato from the University of Washington. I just wanted to follow up on the discussion of export controls and how you think Wassenaar can be reinforced so that the regime is stronger. I know we've had the case, for instance, of the export of technology to Syria that was diverted from Iraq under false pretenses.
And I'm just wondering if you can explain a little bit more about how you think we can strengthen this regime either through Wassenaar, perhaps through other instruments such as the Budapest Convention on Cybercrime, or potentially even a new instrument altogether.

So I think that eventually you're gonna have to have a new agreement outside of Wassenaar. I think that was, they tried to make that work there. And I think still we will see the appropriate change within Wassenaar on this intrusion software. And export controls, I think we'll get through this one. But going forward, I don't think we can use necessary existing legacy agreements as the vehicle and we're gonna need something that is more current and relevant to the challenges that we're facing right now. So I do believe, and by the way, I will tell you on Wassenaar, for what I understand there was pretty broad agreement after some very intense negotiating that, yeah, we see the problem, it took some time to get everyone there. But the United States negotiators did a good job again working with industry as giving technical support, if you will, to making the point that we need to make changes. And I think most countries are there. We had actually, ironically, there was maybe one or two holdouts that wanted to go a little bit even further. And I think that that's, I think in the next round at Wassenaar, I think we'll see progress.

Other questions? Everyone on the side, please.

Hi, I'm Libby Hennemuth from the Fletcher School of Law and Diplomacy. Thank you for this great conversation. My question has to do with what you were talking about earlier regarding metrics and understanding better what cybersecurity is working and what's not. Could you delve into more where you would start in that process? Are there any models that you would look to first?

So right now, we don't really have an entity that is charged with determining the metrics of whether they're working or not.
So for example, NSF maybe could be a place that we go to and have the National Science Foundation or NIST itself be the entity to determine metrics. But they don't have the resources or necessarily the expertise, more the resources, I should say, to be able to determine metrics and then weigh them and come out with a final determinant as to whether the things that we put in place are in fact working. So we're gonna have to figure out what the best way forward would be, but it's something that really has to be addressed and something that I'm gonna be working on in this Congress.

And what do you think that process could look like? I'm guessing hearings and then potentially funding study or something?

Yes, so I would like to see, and I'm in the process of looking at drafting legislation that would have a metrics requirement to it and then report language as to where we would house it and the cost that would be involved. So I expect within a short amount of time we'll actually have legislation that will do just that and put some more meat on the bones, if you will. But I think that's gonna be important going forward. And we also have the Congressional Research Service that we will work with in drafting something like this. And there's a number of paths that we can take and actually we would house it, but it's something that really has to be addressed.

Time for one more question, Rhett.

Sorry, it's on the same topic, metrics. There is a bill from the House Science Committee. Are you looking at that in terms of working on whatever legislation you might be drafting?

Sure, I mean, collaborating with colleagues is gonna be important and I'm sure there's other people that have ideas beyond just myself. So it's still early in the new Congress, but there's gonna be, I'm sure, any other individuals that will be looking at a system for metrics.
But we have some great resources in the IT and also in the tech community that will help us to put together the right framework for what metrics we would look at. But we put all this time and effort to putting together the NIST framework. And that was a great example of a public-private partnership. We had industry at the table developing that framework. But now we need to go moving forward to see whether or not it was, the NIST framework was effective or not and the degree to which we have, we are buying it, who's using it. The same thing goes for the information sharing legislation that we put forward, that passed through the last Congress. It's one thing to have brought down the barriers to information sharing and that was a real problem. We had very nervous corporate attorneys. I think that was probably the, the legislation was mostly aimed at dealing with corporate attorneys because they were one of the biggest barriers to information sharing even though the Justice Department, for example, said that they're not gonna prosecute any corporations that share information for cybersecurity threat purposes. But the corporate attorneys said, yeah, until we see it in writing it's not gonna happen. So we passed the information sharing legislation but now we're gonna see if actually companies are taking advantage of the opportunity to share the information and then how we can improve it going forward and get more buy-in by the way and getting more people participating.

So we're running up against time. So final question from me. When we sit back here next year and look back on sort of first year of this Congress, first year of the administration, what's the one thing that you would like to have seen achieved in this space? We've had this framework, we've had CISO. What's this year's success story that you're looking and hoping to take forward?

I would hope that we will do a better job of a path forward for protecting the dot gov network if you will.
I think in the NSA and USI recommend the doing a better job at protecting the dot mil network. We need to have I think more focus on protecting the dot gov network and then working again in partnership to close the vulnerabilities in the dot com world if you will, but right now from government standpoint we need somebody that's in charge that has both policy and budgetary authority. That's something else that I'll be working on going forward to close vulnerabilities and in dot gov related cyber vulnerabilities, but there are great opportunities there. We haven't yet seen the direction the administration is gonna be taking on cyber. We're still waiting for cyber executive order from the president. I am pleased to hear that he is gonna be appointing a cyber coordinator and there was rumor that that position was gonna be done away with but a special assistant to the president for cyber so that position will stay. The other thing that I wanna see is whether or not we're gonna have a federal CISO that was something that President Obama had position that he had created and appointed at the end of his administration. I'm hoping that position stays but getting better organized within government is something that I'm gonna try to push forward and that I will gauge as a metric for myself as to whether or not we're moving the cyber ball forward.

We look forward to having you back in 12 months time and working down that checklist to see where we've got to, but for the time being thank you very much for joining us and thank you very much for all you've done on this issue, thank you.

Thank you.