Washington, D.C. – U.S. Senator John McCain (R-AZ), Chairman of the Senate Armed Services Committee, delivered the following remarks today at Arizona State University’s Cybersecurity Conference:
“Thank you for the kind introduction. I am grateful for the opportunity to address Arizona State University’s first annual conference on cybersecurity. This gathering represents the kind of path-breaking work ASU is famous for, and I am proud to see Arizona taking the lead.
“Cybersecurity issues are of the highest importance to our nation. The United States is confronting a more diverse and complex array of national security challenges since the end of World War II. We have long understood that rising threats from global terrorist networks and non-state actors present challenges different from those of the past. At the same time, great power competition—once thought a casualty of the ‘end of history’—has persisted. Russia and China continue to contest the rules-based liberal world order that is the foundation of our security and prosperity. But in many instances, we now see a blending of conventional and unconventional means of power projection, along with a profusion of actors that makes it difficult to distinguish crime or terrorism from state-sponsored activity.
“Against this background, the rapid development and deployment of information technology by American businesses and by our government has created new vulnerabilities. The entire information domain has become a potential battle space, and our enemies’ methods encompass everything from straightforward data collection to hacking attacks that might disable critical national infrastructure.
“Our democracy itself has become a target. As we all know, last October, 17 U.S. government agencies concluded unanimously that the Russian government had directed the theft and publication of e-mails from American citizens and political organizations in order to interfere in our election. Months of congressional hearings, testimony, and investigative work have demonstrated that Russia’s deliberate cyberattacks and disinformation campaign were designed to undermine faith in our democracy and our values.
“This was just one instance of a global cyber threat. In the last several years, Russian cyberattacks have targeted the White House, the Joint Staff, the State Department, and our critical infrastructure. Chinese hackers have reportedly targeted NASA, the Departments of State and Commerce, congressional offices, military labs, the Naval War College, and U.S. businesses, including major defense contractors. In 2015, for example, China compromised over 20 million background investigations at the Office of Personnel Management. Iran, too, has used cyber tools in recent years to attack the U.S. Navy, American partners in the Middle East, major U.S. financial institutions, and a dam just 25 miles north of New York City. And of course, North Korea was responsible for the massive cyberattack on Sony Pictures in 2014.
“Such attacks should concern us all—as Arizonans and Americans, as Republicans and Democrats, as citizens and patriots—and they underscore the complexity of our dangerous new environment. We must take our own side in this fight and ensure that our adversaries pay a price for these attacks. If there are no costs associated with cyberattacks, we can only expect them to continue.
"Unfortunately, leadership from the executive branch on cybersecurity has been weak. As America’s enemies seized the initiative in cyberspace, the last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan.
“Despite inaction from the executive branch, the Senate Armed Services Committee has not stood still. We have been working to ensure that the Department of Defense (DOD) and our military have the resources, personnel, and capabilities necessary to deter, defend against, and respond to our adversaries in cyberspace.
“Over the past four years, the Senate Armed Services Committee has implemented more than 50 provisions focused on organizing and enabling DOD to address threats in cyberspace. These bills have included crucial requirements, such as the establishment of Cyber Command as a unified command and directing DOD to evaluate the cyber vulnerabilities of every major weapons system and all critical infrastructure.
“Our progress continues in the most recent National Defense Authorization Act. Since successive administrations have failed to produce a cybersecurity policy, the NDAA establishes one. It requires that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter and respond to cyberattacks.
“Importantly, our bill defines the threat. Actionable attacks would include any malicious cyber activities targeting U.S. interests with the intent to cause casualties, to significantly disrupt the normal functioning of our democracy, or to threaten the U.S. Armed Forces or the critical infrastructure they rely upon. They would also include any cyberattack that is comparable to an armed attack on the United States or places a U.S. vital interest in peril. The NDAA further requires the Department of Defense to conduct a Cyber Posture Review to clarify U.S. cyber deterrence policy and strategy.
“Through such activity, the Congress plays a leading role in the formation of policy, and our work to emphasize the importance of cyber readiness is paying off. I was pleased by the president’s announcement last week elevating U.S. Cyber Command to the status of a unified combatant command. I also appreciated the administration’s commitment to ensuring that a future separation of the so-called 'dual hat' relationship between Cyber Command and the National Security Agency will be based on conditions, rather than arbitrary political timelines. Each agency will become more effective and capable as a result.
“But despite the significant progress we have made at DOD, much remains to be done, especially in the coordination of a whole-of-government approach to defending the homeland from cyberattacks. As organized today, the Department of Defense, the Department of Homeland Security, and the Federal Bureau of Investigation all have a role to play in defense of the homeland in cyberspace.
“Yet the cyber responsibilities of these agencies are often poorly defined, and each body lacks the full suite of legal authorities required to combat a dynamic threat that respects neither physical nor bureaucratic borders. My friends, I can assure you that our enemies are not the junior varsity. Until we reassess the cumbersome status quo, in place since the early years of the Obama Administration, our own capabilities will be needlessly limited.
“It makes little sense for us to continue down our current path, overgrown with bureaucracy and choked by duplication. Every witness that has testified before the Senate Armed Services Committee has agreed that we lack the resources and talent required to reproduce capabilities across multiple government agencies. Not surprisingly, this three-legged structure – DOD, DHS, and FBI – undermines the unified strategic guidance required to meet cyber threats and slows our response.
“Greater centralization will also enhance public-private collaboration in cyber defense. This dimension of the problem has gotten far too little attention, though common sense alone makes plain that in an economy like ours, where commercial innovation is usually well ahead of government, close cooperation is indispensable.
“That is why I am so proud of the work being done here in Arizona. I know of nowhere else in America where public-private partnership in cyber defense is better cultivated and developed. Here we already have in place new capabilities to share actionable information and to train Arizonans to repel cyberattacks. Our state has established an impressive array of unique assets, including the Arizona Counter Terrorism Information Center and its sister organization, the Arizona Cyber Threat Response Alliance.
“Arizona State University has taken the lead in academia, making a commitment to dramatically increase the output of cyber-qualified graduates. ASU’s leadership is critical to solving the number one challenge across the cybersecurity landscape—the need for a trained and capable workforce for both government and industry. Cyber-trained graduates lead the growth of our economy by strengthening our state’s strong defense sector and contributing to federal research.
“Arizona is already an established leader among technology states and a greenhouse for tech startups, so this comes as no surprise. Our state ranks among the top ten in tech industry employment, in tech sector contribution to the overall state economy, and in innovation. As companies relocate here or grow their operations in Arizona, they bring with them a capable cyber workforce. This successful cooperation of our universities with industry and government affirms Arizona’s leadership and gives us the opportunity to play a pivotal role in preparing the United States for the information warfare of the 21st Century.
“Again, I want to thank you all for attending the first annual Cybersecurity Conference at ASU. Your leadership on this issue is critical to better securing our state and our nation."