Innovation Nation: Leveraging Technology to Secure Cyberspace and Streamline Compliance

Committee on Homeland Security

2025-05-28

Source: Congress.gov

Summary

The Committee on Homeland Security convened a field hearing in Silicon Valley to explore how public and private sectors can collaborate to address economic models of cybersecurity, analyze the cyber threat landscape, examine regulations, and advance technology to improve America's cybersecurity posture [00:11:53-00:11:56]. The session brought together committee members and expert witnesses to discuss critical issues and potential solutions in an environment renowned for innovation [00:12:01].

Themes

The Cyber Threat Landscape and National Security

The meeting highlighted the severe and escalating cyber threats from aggressive nation-state actors like China, Russia, Iran, and North Korea. Specific campaigns like Volt Typhoon and Salt Typhoon were cited as evidence of adversaries preparing for potential conflict by compromising critical U.S. infrastructure. Speakers expressed concern about the American public's unawareness of these pervasive attacks, emphasizing the urgent need for a clear explanation of the context and gravity of the threat. The discussion underscored the importance of strengthening deterrence by rapidly imposing costs on attackers and improving system resilience through both defensive and offensive capabilities [00:43:14-00:43:33]. It was noted that current economic models of cybersecurity favor attackers due to the low cost of inflicting damage compared to the high costs faced by victims [00:15:02].

Secure by Design and Software Liability

A key theme was the necessity of "secure by design" principles, advocating for software manufacturers to embed security from the outset rather than placing the burden on end-users. The concept of "secure by default," where products ship with secure configurations (e.g., strong default passwords, multi-factor authentication), was emphasized [00:59:51]. Witnesses suggested that software companies should be held more accountable for preventable vulnerabilities, possibly through a software liability regime, and that government and private sector buyers should demand better security practices from suppliers ("secure by demand") [00:49:19]. The need for clear standards, transparency in procurement, and a shift from compliance checklists to outcome-based security measures was also highlighted.

Regulatory Harmonization and Compliance Modernization

The existing regulatory landscape was described as burdensome, costly, and a hindrance to innovation [00:14:46]. Speakers called for a more agile, risk-based regulatory approach that prioritizes tangible security outcomes over mere checklists. The ideal approach would involve aligning baseline requirements across sectors while allowing for complementary, non-duplicative sector-specific rules. Leveraging well-established standards like FedRAMP and OSCAL was recommended, along with ensuring reciprocity between different certification regimes to streamline compliance efforts and reduce redundant investments.

Innovation and AI in Cybersecurity

Innovation, particularly through Artificial Intelligence (AI), was presented as crucial for modernizing cyber defenses. AI can analyze vast amounts of security data in real-time, automate responses, and improve overall security outcomes while reducing costs. However, concerns were raised about AI introducing new vulnerabilities, with studies indicating that a significant portion of AI-generated code can be vulnerable. This necessitates "secure AI by design" and robust R&D to ensure rapid software development does not compromise security. The tension between fast AI adoption and the implementation of necessary security protocols was also acknowledged.

Public-Private Partnerships and Information Sharing

The importance of strong public-private partnerships and effective information sharing was a recurrent theme for collective defense against cyber threats. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) was highlighted as a vital mechanism for this collaboration, and its reauthorization was strongly supported by witnesses. Suggestions were made to enhance the Joint Cyber Defense Collaborative (JCDC) by making it more responsive, structured, and ensuring two-way information exchange [00:40:15]. There was also a strong call for the federal government to recognize and actively defend the "cyber border," emphasizing that the private sector should not be solely responsible for defending against nation-state attacks [00:55:43].

Cybersecurity Workforce and Education

Discussions focused on the critical need to attract, develop, and retain cybersecurity talent. Concerns were raised about the exodus of technical talent from government agencies like CISA and the impediments to attracting international talent. Recommendations included fostering digital literacy from a young age, requiring security courses for computer science degrees, and providing hands-on experience through bug bounties and competitions. The idea of a mandatory "Cyber 101" course at universities and promoting cross-disciplinary cyber education (e.g., for lawyers, doctors, teachers) was also put forward. Enhanced collaboration between military and civilian academic institutions for workforce training and exchanges was encouraged.

Quantum Threats

The panel briefly addressed the looming threat of quantum computing, noting China's advancements in quantum technologies [01:20:10]. Witnesses stressed the urgency for organizations to take post-quantum cryptography seriously and to begin implementing defensive capabilities, as the process is complex and time-consuming, far exceeding the projected NIST timelines [01:21:28]. Both Google and Palo Alto Networks reported investing significantly in post-quantum cryptography research and solutions.

Tone of the Meeting

The tone of the meeting was largely collaborative, bipartisan, and marked by a shared sense of urgency regarding cybersecurity challenges [00:38:48]. Participants displayed a strong concern for national security and the economic implications of cyber threats. There was a notable optimism about the potential of innovation and technological solutions, particularly AI, to address these issues [00:13:04]. The discussion maintained a practical focus, aiming to identify actionable solutions and policy recommendations through constructive dialogue among government, industry, and academia.

Transcript

The Committee on Homeland Security will come to order and without objection, the chair may declare the committee in recess at any point. Today's field hearing will explore how the public and private sectors can work together to address the economic models of cybersecurity. To do this, we will examine the cyber threat landscape, cyber regulations, and the technology that will improve America's cybersecurity posture. I want to thank the members of the committee who made it out for this and took time to join us here in Silicon Valley. I now recognize myself for an opening statement.

Well, good afternoon, and I want to thank all of you for coming today. The topic is one that is incredibly important for our country. And I thank the Hoover Institution for hosting this on such an incredibly beautiful campus. And I don't know who brought the weather here. Is it like this all the time? I mean, it's incredible. It's not a coincidence that we're holding today's hearing here in the middle of Silicon Valley. Since World War II, Silicon Valley has been the world's shining example of what a nation can accomplish when innovation is unleashed. It's the home of some of America's most talented and creative minds, innovators who are spearheading major breakthroughs in technological development from semiconductors to social media. Silicon Valley has produced innovations that have changed the way we work, communicate, and complete our daily tasks.

As we know, great technological advancements come with great responsibility. I'm here today to emphasize the importance of prioritizing our cybersecurity as we build new capabilities that will continue to change the world. And I have prioritized cybersecurity for myself in this Congress and for the Committee on Homeland Security. And I hope the industry partners that are here and across the country will join us in this mission to improve our cyber resilience against nation states, as well as criminal actors.
Strengthen our offensive posture and develop new capabilities that incorporate security from the start. I strongly believe that allowing American innovation to flourish is critical to strengthening our national security. And that's why we must start by injecting some common sense into the regulatory regime. The increasingly burdensome, costly, and duplicative requirements placed on our innovators are stifling our innovation and hindering our national security. Instead, we must continue to explore technological solutions for regulatory compliance and ways that we as Congress can help de-conflict and simplify cyber regulations.

This priority pairs well with another focus of mine this Congress, changing the economic models of cybersecurity. The costs and incentives associated with cybersecurity are currently imbalanced in favor of the attacker rather than the defender. According to a report by IBM, the global average cost of a data breach in 2024 was nearly $4.9 million. In many cases, to inflict multimillion-dollar damage on U.S. businesses, attackers only need some degree of technical knowledge and a laptop, a fraction of the costs faced by their victims. Fixing the economic models of cybersecurity will require a concentrated effort across industry and our government.

First, we must raise the cost of cyber attacks for our adversaries. From strengthening our offensive posture in cyberspace to creating innovative cybersecurity solutions, the United States must make it more challenging and costly for adversaries to strike. Secondly, we must ensure that American businesses, especially private owners and operators of critical infrastructure, are investing heavily in cybersecurity. There needs to be a greater demand for products designed with cybersecurity in mind, accompanied by a supply shift toward more secure information technology and operational technology.