The House Armed Services Subcommittee on Emerging Threats and Capabilities (“Subcommittee”) convened its first hearing of the 112th Congress on February 11, 2011, to examine the role of the Department of Defense (“DoD”) in cyberspace. Subcommittee Chairman Thornberry (R-TX) noted that the Subcommittee’s new name underscored its focus on ensuring that the United States is prepared to deal with emerging threats (e.g., cyber threats) and nurturing capabilities to address these threats. He explained that our expectations of the DoD to protect us in the physical world are clear, but that expectations are less clear in the area of cyberspace. Chairman Thornberry further suggested that the subcommittee should examine whether the government (through the DoD and other departments) is authorized to act in this area. Subcommittee Ranking Member Langevin (D-RI) expressed concern that the government may lack the authority to mandate certain protections to keep the country safe in the realm of cyber and stated that it was a “tragedy of the commons” that no one, including industry, was willing to address the issue.
In a search for a solution, dialogue ensued among the Subcommittee members and witnesses, in which all agreed at a high level that the DoD, civilian government, and industry each have a role to play. Witness testimony also suggested that industry’s commitment to addressing cyber threats has increased in the past few years, and that industry’s role as a partner in cybersecurity could be improved through increased information sharing by the government. At the same time, witnesses recommended that the government could do more to create a welcome environment for industry to share its experiences pertaining to cyber threats with the government.
As the hearing came to a close, Chairman Thornberry concluded that witnesses were in agreement on the following: (1) the government should take some action to address cyber threats; (2) such action could take the form of incentives or mandates to increase cybersecurity; and (3) at a minimum, the DoD should ensure that the appropriate entities in the private sector have access to information from the DoD to help protect those private systems over which they have control.
In the months to come, the debate over the appropriate role for the government in cybersecurity is sure to continue, both in the congressional arena and within the Administration.