Is this Iowa congressman the next House Republican point man on cyber?

As House Republicans hunt for new members who can steer their work on cyber issues in the wake of a high-profile departure, a freshman lawmaker is stepping up to try to fill the void.

Rep. Zach Nunn, a 44-year-old Iowa Air National Guard intelligence squadron commander who likely arrived in Congress with more cyber experience than any other new member in history, has quickly emerged as a leading contender to succeed the recently retired Mike Gallagher as a leading House Republican voice on cyber policy.

In the 16 months since he took office, Nunn has rolled out a steady stream of legislation and policy proposals to address the security implications of artificial intelligence and the cyberthreats facing America’s critical infrastructure. He has raised cyber issues during hearings of the House Financial Services Committee, where he sits on the national security subcommittee, and he has tried to get his colleagues to focus on the digital security challenges facing rural communities, which make up a significant portion of his constituency in Iowa’s 3rd District.

Succeeding Gallagher as Republicans’ cyber champion will be a daunting task. Gallagher not only chaired the House’s select committee on China and the Armed Services cyber subcommittee but also co-led the Cyberspace Solarium Commission, which produced dozens of reforms. In a recent interview, Nunn said Gallagher’s departure left “a real void” on cyber policy, and he pledged to work with colleagues to carry Gallagher’s vision forward.

“I want to be a net help,” Nunn told Recorded Future News, “to ensure cybersecurity, artificial intelligence, [and] the threat posed by near-peer adversaries stays at the forefront of our national security conversations.”

Watching others wake up to the issue

Few lawmakers focusing on cyber issues bring so much government experience to the task. Before entering politics as an Iowa state legislator, Nunn served from 2008 to 2011 as the senior counterintelligence officer for cyber issues at the Office of the Director of National Intelligence and from 2011 to 2013 as a director of cyber policy at the National Security Council.

Nunn had a front-row seat to the government’s evolving approach to cybersecurity, as increasing nation-state threats forced policymakers to realize the power of the internet to cause chaos. This was the era of Iran’s devastating cyberattack on Saudi Aramco and North Korea’s stunning breach of Sony Pictures. Nunn said these attacks showed the White House how cyber could “have a direct impact on economies, on the ability to operate in the kinetic space, as well as the diplomatic space.”

Nunn also watched as China began its push for emerging-technology dominance through companies like the telecom giant Huawei. China and other U.S. rivals “were coming online with infrastructure that was going to fundamentally change where we were” geopolitically, Nunn said, by helping those adversaries “influence us and actually control access to a lot of our data.”

At the NSC, Nunn tried to “bring the federal government on board with what the private sector was experiencing on a daily basis,” so policymakers understood that nation-state cyber threats had grown beyond espionage against defense contractors. “We were going to have to defend the entire internet,” he said.

Deterrence and dominance

Nunn’s vision for bolstering U.S. cybersecurity has two major components: convincing adversaries that they will pay a price for cyberattacks and establishing an unshakable foothold in markets for cutting-edge technologies.

Nunn said he’s disappointed with President Joe Biden’s approach to deterrence. “The administration today has lacked that ability to prosecute, to identify and ultimately [to] deter threat actors who are posing very big risks to everybody from our national defense entities down to our hometown schools,” he said.

“Deterrence in cyberspace is possible,” Nunn added, but for it to work, the U.S. has to “deploy countermeasures effectively.” Translation: Biden needs to step up the use of U.S. Cyber Command’s offensive capabilities, which Nunn has seen firsthand during his Air Force service.

Nunn at the Iowa State Fair in August 2023. Image: Gage Skidmore / CC BY-SA 2.0

Nunn also wants the U.S. to partner with other countries on aggressive pushback to cyberattacks. He drew an analogy to the Western coalition that helped Israel fend off an Iranian missile barrage last month. “We've got to be able to do the same thing in cyberspace, oftentimes with folks who we wouldn't be able to work on maybe any other issue with.”

Equally pressing is the need for the U.S. and its Western allies to out-compete China in the race to deploy 5G wireless networks, build powerful AI models, develop quantum computers, and harness other emerging technologies. “For the United States to be a leader in the infrastructure of this is absolutely critical,” Nunn said, referring to this as “owning the battlespace itself.”

The threats in that battlespace are growing more diverse every day. “We’re now looking at things like very advanced blockchains,” Nunn said. “China is moving directly in an area which not only is going to compete with us, but they may end up being the only viable large-scale actor who can operate in this space.”

Nunn and Rep. Abigail Spanberger (D-VA) co-introduced a bill last year to prohibit the government from using Chinese-owned blockchain infrastructure. China’s dominance of this technology is “a thousand times worse than whatever China is doing at TikTok,” Nunn said.

Spanberger called Nunn “a strong partner in addressing threats to our economic and national security” and said she was proud to work with him “to keep Americans’ data out of the hands of our adversaries, strengthen our nation’s defenses against threats from maligned uses of artificial intelligence, and keep our nation competitive.”

Focused on vulnerable infrastructure

In addition to advocating a more aggressive deterrence strategy, Nunn is also pushing new approaches to defending critical sectors of the U.S. economy. He’s proposed more bills to that effect than perhaps any other first-term lawmaker.

In April 2023, three months after a cyberattack shut down Des Moines public schools, Nunn introduced a bill that would expand the Cybersecurity and Infrastructure Security Agency (CISA)’s resources and guidance for schools and centralize information about cyber threats to education systems. Nunn said he was disturbed by the long-term ripple effects of the Des Moines breach on hundreds of student victims: “That is going to echo out throughout those kids’ lives.”

The more than 150,000 public water systems in the U.S. also face increasing cyber threats, as recent Iranian and Russian attacks have demonstrated. Last June, Nunn and Rep. Don Davis (D-NC) proposed legislation that would task the Department of Agriculture’s local community support teams with offering cyber aid to rural water facilities.

In rural communities, “having a water tower is a luxury,” Nunn said, “let alone having a [chief information security officer] who sits in town being able to effectively combat a cyber threat.”

Nunn wants to turn land-grant universities into technical resources for local communities, modeled on Iowa State University’s large USDA-funded cybersecurity engineering program.

The food and agriculture sector also faces major economic and national security risks from cyberattacks, and Nunn wants to increase the government’s focus on those threats. Shortly after introducing his water bill last June, Nunn proposed legislation that would create “Regional Agriculture Cybersecurity Centers” at U.S. universities to conduct research, monitor threats and design custom technology to help protect farms, processing plants and other facilities from hackers intent on tainting food or stealing trade secrets.

Unlike some other Republicans, Nunn is open to new federal regulations covering these and other critical infrastructure sectors. “We have so many requirements for getting a home loan today,” he said, “but we have none of the comparable cybersecurity requirements for food supply distribution or water access throughout the country.”

Even so, Nunn warned against enacting sprawling new rules that would “crush” small infrastructure operators with paperwork and distract them from real security improvements.

Worried about AI — and Biden 'overreach'

No lawmaker can focus on cybersecurity today without a plan for addressing the myriad opportunities and risks of artificial intelligence. In March, Nunn and Spanberger introduced the Artificial Intelligence Practices, Logistics, Actions and Necessities (AI PLAN) Act, which would require key departments to collaborate on a plan to combat AI-powered misinformation, election interference and financial crimes.

Nunn said he was worried about rapidly proliferating AI-fueled hoaxes, like fake kidnapping scams and false reports of explosions at government buildings. “This is the kind of attack vector that is coming online with a low barrier to entry, but a highly effective capability.”

Still, in discussing the Biden administration’s AI safety agenda, Nunn echoed other Republicans who have criticized the president's use of the 1950 Defense Production Act to compel AI developers to report the results of their security testing. The DPA is meant for wartime, he said, and the U.S. is not “in an artificial intelligence war frame right now.”

Nunn said he’s concerned about “overreach coming out of Biden's bureaucracy,” in which officials are “writing rules of the road when they don’t even know what the road itself looks like.”

The U.S. should provide “a long runway for the tech innovators,” Nunn said, “because our adversaries have no guardrails in this space. They're gonna throw as much as they can at it.”