Jim Langevin on how Congress has come 'a long way from where we first started' on cyber
When Jim Langevin entered Congress in 2001, cybersecurity was barely on the radar for most lawmakers.
But a drumbeat of hacks and escalating digital threats prompted Langevin, who this year left office after 22 years representing Rhode Island’s 2nd congressional district, to help create the House Cybersecurity Caucus in 2008. As its co-chair, Langevin both raised awareness of the issue and proposed countless measures to strengthen America’s cybersecurity.
Langevin was appointed to the Cyberspace Solarium Commission in 2019, which was created by Congress to develop a strategic approach to defending against major cyberattacks, and helped draft dozens of recommendations. More than half of the recommendations, including the establishment of a National Cyber Director, have been implemented or are close to implementation.
Langevin recently spoke to The Record about his cybersecurity efforts in Congress, the direction he thinks the new Congress will go, and which lawmakers will likely make cybersecurity a priority issue. He also spoke about his plans after public life, which include leading a cybersecurity study group at Brown University. The conversation below has been lightly edited for clarity.
Adam Janofsky: When you look back at your time in Congress, what are you most proud of when it comes to cybersecurity accomplishments?
Jim Langevin: There are a number of things I'm very proud of — part of it is raising the awareness of the issue both among my colleagues and the public. I wish I could take all the credit for that, but a good part of it is because of the high-profile hacks and cyber intrusions that have occurred that get most of the credit. But I was there early on trying to raise awareness of the importance of the issues, so I chalk it up in the win column.
In terms of things that I directly had a hand in, we were able to create the Cybersecurity Caucus which was important, and the most important thing I've been involved in with respect to cyber over the years is the Cyberspace Solarium Commission and the more than 80 recommendations that came out of the Commission's report. The Commission's charge was to create an overarching strategy for better protecting the United States against cyberattacks of significant consequence, and among the recommendations the most important one in my mind — something I've been working to create for 10 years — was the National Cyber Director in the executive office. Chris Inglis is that first ever National Cyber Director.
I’m very proud of the work that Chris Inglis is doing — he's the right person for the job and it's important that he's there serving as the principal advisor to the President on cybersecurity issues. He's the coach on the field pulling together our cyber policy, making sure all the oars are being pulled the right direction.
Then beyond that, of course, is the work we've done to elevate CISA [the Cybersecurity and Infrastructure Security Agency]. I applaud Jen Easterly in the extraordinary work that she and her team are doing at CISA, trying to protect the .gov network, but also the work that they're doing in terms of working with private sector critical infrastructure to make sure that they are more secure and that the private sector has a place to go in the government that can offer meaningful assistance.
Serving on the Cyberspace Solarium Commission was one of my proudest achievements.
— Jim Langevin (@JimLangevin) December 22, 2021
From the National Cyber Director to the JCPO, we turned dozens of recommendations into law.
Thanks to our shared work, U.S. cyber defenses are stronger than ever before.https://t.co/6PHW34ZgWV
There are a number of other things that I'm proud of, I’m pleased with the progress we’ve made, but clearly there's still a long way to go since cybersecurity is a moving target and we're never going to get to the point where we can say we're 100% secure. There is no such thing. But we can continue to buy down our risk as much as possible and close that aperture of vulnerability that currently exists — we’ve gotten it a little bit smaller but there’s more work to do.
AJ: If you compared the size of the cyber threat landscape when you joined Congress to what it is now, would you say that it has gotten better or worse?
JL: It depends how you look at it. It's a vast attack space and we at least have better situational awareness. We're better organized. There are better policies in place to protect the country against cyber threats. But we're not out of the woods — I don't know that we ever will be — we’re just better prepared. And we're not naive to the fact that cyberattacks can happen. Catastrophic things could happen, but we're building a new resiliency, we're getting prepared and we have better recovery plans in place so that we can hopefully pivot in the event of a major cyberattack. So I would say that we're a long way from where we first started — we weren’t prepared at all. We have now the right structure, people and policies in place to better protect the country in cyberspace.
AJ: On the flip side, are there any items that you didn't get to, or that you hope the new Congress takes up?
JL: There are a few areas. First of all, I still believe that we should create the Joint Collaborative Environment, which would be an entity that would presumably be housed most likely within the JCDC [Joint Cyber Defense Collaborative] and it would allow closer collaboration between the government — particularly the intelligence community — and systemically important critical infrastructure. Not all critical infrastructure is systemically important per se, but think of entities that if they were hit then it wouldn't just be the company having a bad day, but it would be the country having a bad day. Think Colonial Pipeline as an example. What we really need to see is a kind of common situational awareness for both government and private sectors to analyze and understand the threats that we're facing. Common operating tools so that the government — specifically the intelligence community — and private sector critical infrastructure can analyze threat data in real time and not just pass emails back and forth about critical threats. I think that's important.
The other thing I'd like to see get across the finish line is the Bureau of Cyber Statistics. It's wonky, but we don't have a lot of good data helping us to assess what's working well in cybersecurity and what's not. It would answer the question a lot of people have, which is how do we spend our next cybersecurity dollar to get the best bang for our buck — the best return on investment. I think that would help not only the government to appropriate precious tax paid dollars, but also in the private sector helping to make the business case for where and how and why we should invest in cybersecurity.
Funding is going to be incredibly important for CISA and other areas of government, but also working with state, local, territory and tribal governments to help them modernize their IT infrastructure. There are a lot of antiquated systems out there that are hard to defend, hard to update, hard to modernize. And they're easy targets for hackers to get into, especially the ransomware attackers. So if we can update our IT systems, make them more easy to defend, if we can hopefully incentivize federal state, local, territory and tribal governments to migrate data to the cloud, it goes a long way toward stronger cybersecurity. But you can’t just put the data in the cloud and think it's going to run automatically. State and local governments especially don't have the resources to do this all on their own. We need federal investment to help in that area. State and local governments are never going to be able to defend against nation state attacks, so let’s let them do what they do best — deliver services to their constituents — and leave security to the security experts, and migrating data to the cloud will allow that to happen.
One last thing I want to mention is further investment in developing cybersecurity talent. You can have great policies in place, but if you don't have the people to actually execute the policies we're still going to be fighting a tough battle. Right now we're still way under-resourced on the human capital, on the workforce talent needed to protect the country, and especially the private sector critical infrastructure.
AJ: In terms of where you think the new Congress will go on cybersecurity, the GOP is promising budget cuts — do you think that cyber will be on the chopping block? Or do you think they might accomplish some of these things that you're describing?
JL: I still think there is broad bipartisan support for cybersecurity. It's one of the few areas where I wouldn't say it’s immune to budget cuts, but my colleagues in Congress understand the threat and the need for resources to defend the country in cyberspace. So further investments in CISA and the important mission that they're doing there is important. They need to continue to grow their indigenous workforce there, so that they have their own workforce cyber talent and they don’t have to rely on others, like asking for help from U.S. Cyber Command. CISA needs its own area of expertise. I think that there's broad bipartisan support still for the resources for cybersecurity in this country.
AJ: What's next for you?
JL: Well right now I'm unwinding a little bit and looking to achieve a better work-life balance. It's been an incredible honor to serve in Congress over the last 22 years, and I've been in public life for over 30 years now. But the frequent travel and the living in two places at one time takes its toll. And I want to be able to stay closer to home. So I'm going to be doing some things in academia. I’ll be doing some teaching, working with young people and involved in a couple of college campuses. And then I'm going to be doing some things in the private sector, but it'll be a portfolio approach, not just one thing. But I still hope to be involved in cyber policy. I hope to still lend my talents to strengthening our cybersecurity, I'll just be doing it from the private sector perspective now.
AJ: You mentioned Chris Inglis earlier, and it's been reported that he's planning to retire from his position. Do you have any desire to be the next National Cyber Director?
JL: Not at this point right now. I really want to continue to achieve that work-life balance, and I don't know that being National Cyber Director would achieve that. I'm just in awe and deeply appreciative of Chris Inglis for his outstanding record of public service both when he was in the military and the NSA, and now our National Cyber Director. He's done such extraordinary work standing up the National Cyber Director Office and helping to write the cyber strategy. I'm looking forward to that coming out, and I hope Chris stays there for a very long time. Unfortunately that may not be the case from what I hear, but I’m deeply appreciative of what Chris has done and will continue to do.
AJ: What would you like to see from that office going forward?
JL: Well I want to see the national cyber strategy being produced. I want to see the National Cyber Director’s role and that office continue to mature and strengthen and be the very point person and office for coordinating our national cyber policy going forward and making sure that we're pulling all the oars in the right directions. That it makes sure all the departments and agencies are taking cybersecurity seriously, that they're investing appropriately in their IT and cybersecurity budgets and capabilities. And, you know, that everything that the government can be doing is hopefully being done to strengthen our cybersecurity posture.
AJ: Who should we be looking to lead on cybersecurity issues in Congress now?
JL: There's a handful of people. I wish more people would do it, but you're gonna see I think Elissa Slotkin (D-MI). Elissa is the person that I asked to be the Democratic lead on the Cybersecurity Caucus, to be the new Democratic co-chair along with the Republican congressman Michael McCaul (R-TX). He and I co-founded and co-chaired it since it started. Also Andy Kim (D-NJ) is someone to look to on cybersecurity issues along with Eric Swalwell (D-CA). Someone else who's shown an interest in this is Dutch Ruppersberger (D-MD). On the Republican side, you also see Mike Gallagher (R-WI). Elise Stefanik (R-NY) takes an interest in both cyber and AI issues. So, there's a number of good colleagues on both sides of the aisle that will continue the fight for stronger cybersecurity, I have no doubt.
AJ: Do you think the new House Homeland Security Committee chair Mark Green (R-TN) will make cyber one of his key issues? Does he have any background or knowledge of cybersecurity?
JL: I'm not sure on that. I'm sure he will make it a priority. And Yvette Clarke (D-NY) and Bennie Thompson (D-MS) [on the committee] take cybersecurity seriously. So, there will still be a number of people on both sides of the aisle that will continue it. But I don't think I've had any direct conversations with the new chairman on that, but I'm sure he understands that cyber is a growing and existing threat that we need to address. And I stand ready to testify before Congress or talk to my colleagues about these issues. I see that as a responsibility going forward since I was involved on these issues for so many years.
AJ: A couple questions on CISA… Do you think CISA needs to be a $5 billion agency like John Katko (R-NY) has suggested?
JL: I don't recall the current budget for CISA — would that be going upward or down? Where is it right now?
AJ: Upwards — Maybe double what CISA’s budget was when he said it.
JL: Well I won't disagree with John Katko that it needs more resources. It goes back to what I said before that we need to grow its inherent capabilities so that it can stand out on its own, develop its own cyber expertise. For example, with the right amount of people and expertise to defend .gov. And it’s a pretty vast responsibility to be an important resource to the private sector. If we want CISA to be able to bring meaningful things to the table, to help the private sector, they have to have resources and people to do that. So that requires the budget to grow.
AJ: CISA has gotten some criticism lately — how would you rate the job they’re doing?
JL: I think that they're doing an outstanding job. You know, it's a young agency, they're going to have growing pains, we all get that. But I applaud Director Easterly for her leadership and the people that she has around her, she's assembled a great team. I think she's got the right vision. She was the one that proposed creating the JCDC, which is valuable to both the government and the private sector. The Joint Cyber Planning Office is important.
I am deeply frustrated and disappointed by the recent reporting about @CISAJen and the hardworking men and women at @CISAGov.
— Jim Langevin (@JimLangevin) December 22, 2022
As I have said over and over – @CISAJen has done a phenomenal job of leading the agency, and under her leadership, CISA is firing on all cylinders. 1/
We want to get out ahead of the threats. We want to identify the threats, we want to wargame them out. We want to be able to understand how to respond to them quickly. We can work hard to stay one step ahead of our adversaries and prevent the cyberattacks from happening in the first place, but if they do happen, how do we reconstitute quickly? That's something else that we need to see happen — we have to recognize that we are getting hit with cyberattacks and if we were to get hit with something significant, we want to be able to prioritize what we need to do to get our economy back up and running again. If a company or entity gets hit and goes down, get that up and running again. And we do that by buying and exercising for these potential eventualities. To do that, it takes resources.
One thing I would like to see — I was hoping to see before I left — is the force structure assessment that is pending right now, but CISA did its part. We're waiting for the White House now to clear it and to make it public. But I give high marks to Director Easterly and her team at CISA for the work that they are doing. For young agency, I think they're hitting the mark, they're doing well.
AJ: Do you think someday you might want to be in charge of CISA?
JL: Oh, I don't have any plans to do that. I'm looking forward to being close to home here in Rhode Island. There are many ways to serve, and I did my 22 years in Congress. I’m in Washington right now and I don't envision myself coming back here anytime soon permanently, full time. But you never say never, who knows what the future holds.
Adam Janofsky
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.