Floor Statements

Washington, D.C. ­– U.S. Senator John McCain (R-AZ), Chairman of the Senate Armed Services Committee, delivered the following opening statement today at a hearing on roles and responsibilities for defending the nation from cyber attacks:

“The committee meets today to receive testimony on the U.S. government’s policy, strategy, and organization to protect our nation in cyberspace. To begin, I’d like to thank Senators Rounds and Nelson for their leadership on these issues in our cybersecurity subcommittee. This hearing builds upon the good work that they and their subcommittee have done this year to tackle the critical challenge of cyber.

“This is a challenge that is growing more dire and more complex. Not a week passes that we do not read about some disturbing new incident—cyberattacks against our government systems and critical infrastructure, data breaches that compromise sensitive information of our citizens and companies, attempts to manipulate public opinion through social media, and of course, attacks against the fundamentals of our democratic system and process. And those are just the ones we know about.

“This is a totally new kind of threat. Our adversaries, both state and non-state actors, view the entire information domain as a battlespace, and across it, they are waging a new kind of war against us—a war involving but extending beyond our military, to include our infrastructure, our businesses, and our people. The Department of Defense has a critical role to play in this new kind of war, but it cannot succeed alone. And to be clear, we are not succeeding. For years, we have lacked policies and strategies to counter our adversaries in the cyber domain, and we still do. This is, in part, because we are trying to defeat a 21st century threat with the organizations and processes of the last century. This is true in the executive branch. And frankly, it is also true here in the Congress. And we are failing.

“That is why this committee is holding today’s hearing, and why we have taken the unorthodox step of inviting witnesses from across our government to appear today. Our witnesses are the senior officials responsible for cyber within their respective agencies, and I want to thank them for joining us and welcome them now:

  • “Ken Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security;
  • “Scott Smith, Assistant Director for the Cyber Division, Federal Bureau of Investigation; and
  • “Chris Krebs, Under Secretary for the National Protection and Programs Directorate at the Department of Homeland Security.

“I would also like to note at the outset the empty chair at the witness table. The committee invited the principal U.S. cyber official, White House Cybersecurity Coordinator Rob Joyce. Many of us know Mr. Joyce and respect him deeply for his significant expertise on cyber and his many years of government service at the National Security Agency. Unfortunately, but not surprisingly, the White House declined to have its cyber coordinator testify, citing executive privilege and precedent against having non-confirmed NSC staff testifying before Congress. While this is consistent with past practice on a bipartisan basis, I believe the issue of cyber requires us to completely rethink our old ways of doing business.

“To me, the empty chair before us represents a fundamental misalignment between authority and accountability in our government today when it comes to cyber. All of our witnesses answer to the Congress for their part of the cyber mission. But none of them is accountable for addressing cyber in its entirety. In theory, that is the White House Cyber Coordinator’s job, but that non-confirmable position lacks the full authority to make cyber policy and strategy and direct our government’s efforts. And that official is literally prohibited by legal precedent from appearing before the Congress. So when we, the elected representatives of the American people, ask who has sufficient authority to protect and defend our nation from cyber threats, and who is accountable to us for accomplishing that mission, the answer is—quite literally—no one.

“The previous administration’s struggle to address this challenge between DOD, DHS, and the FBI—well-intentioned though it was—led to a result that is as complex and convoluted as it appears in this chart. Given that no single agency has all of the authorities required to detect, prevent, and respond to incidents, the model has created significant confusion about who is actually accountable for defending the United States from cyberattacks. Meanwhile, our increasingly capable adversaries continue to seek to exploit our vulnerabilities in cyberspace.

“Facing similar challenges, a number of our allies have pursued innovative models to emphasize increased coordination and consolidation. In doing so, they have significantly enhanced their ability to react and respond to incidents and to share information across government and with the public. For example, the United Kingdom recently established its National Cyber Security Centre, an organization that orchestrates numerous cyber functions across the British government under one roof sitting side-by-side with industry.

“Today’s hearing is an opportunity to have an honest and open conversation. Our concerns are not meant to be critical of our witnesses’ leadership—or of your organizations—as each of you are limited by the policy and legal frameworks established by Congress and the administration. Our intent is to better understand the coordination and de-confliction underway between agencies and to identify where and how we can improve. The last thing any of us wants is to waste precious time during a major cyber incident because everyone who rushed to the scene thought they were in charge, but none had the authority—or even worse, realizing after a cyber incident that your organizations were not prepared and resourced to respond based on a flawed assumption that someone else was responsible.

“I thank the witnesses for their service to our country and their willingness appear before this committee as we continue to assess and address our cyber challenges.”