Senators say feds leave local officials on their own on cybersecurity

Cybersecurity representatives of, from left, the Defense Department, the FBI and the Department of Homeland Security testify next to the empty chair, far left, of a White House official who refused to appear before the Senate Armed Services Committee. (Photo by Isaac Windes/Cronkite News)

The chair of White House Cybersecurity Coordinator Rob Joyce sits empty at the witness table. Still, members of the Senate Armed Services Committee directed questions to the empty seat of Joyce, who invoked executive privilege for his refusal to appear. (Photo by Isaac Windes/Cronkite News)

WASHINGTON – An empty chair fielded question after question from an angry Senate panel Thursday, after a White House cybersecurity coordinator invoked executive privilege and skipped the hearing.

Representatives from the FBI, the Pentagon and the Department of Homeland Security testified beside the empty chair, telling the Senate Armed Services Committee they are working to increase coordination and communication.

But much of the hearing was focused on Rob Joyce’s empty chair, which Sen. John McCain, R-Arizona, said showed “a fundamental misalignment between authority and accountability” in cybersecurity efforts at a time when Russians are meddling in an attempt to “destroy the fundamentals of democracy.”

Sen. Elizabeth Warren, D-Massachusetts, said the lack of federal coordination leaves local governments “by themselves to fight a sophisticated cyber-adversary like Russia.”

She repeatedly asked Christopher Krebs, of the Pentagon’s National Protection and Programs Directorate, whether the agency had the funds, or intent, to bolster state cyber defenses. Krebs said the agency is “exploring its options.”

When Warren asked if the agency was “prepared to fully prevent another round of cyber intrusions into our election systems in 2018 and 2020,” Krebs said there is “still work to be done.”

“We are not going to flip a switch and be 100 percent secure,” he said.

Arizona officials said Thursday they have not been dissatisfied with the help they have received from federal agencies, but added that there is a growing need for help of all sorts, from hardware to communication.

“Arizona works with DHS and other agencies when they let us know best practices and help identify hackers,” said Matt Roberts, a spokesman for Arizona Secretary of State Michele Reagan.

Roberts said that what the state needs most from the federal government is help buying new voting machines. It’s a conversation that many secretaries of state are having, he said, noting that it has been more than a decade since the federal government provided funding for voting infrastructure.

Roberts said that there is some overlap between federal agencies dealing with the state, but that local officials of the federal agencies do a good job keeping things straight.

Frank Grimmelmann, president and CEO of Arizona Cyber Threat Response Alliance, said that communication – between private entities and federal, state and local agencies – is the real key to dealing with a “fast and nimble enemy that doesn’t have those communication silos.”

“What we need is a fast-response infrastructure that doesn’t have bureaucratic hurdles, in order to respond to an enemy,” Grimmelmann said. “I am confident that the state of Arizona is on top of it and can do everything it needs to protect the upcoming election with existing policies.”

Those policies include a presidential policy directive, known as “PPD-41,” issued by President Barack Obama that delegates duties to different agencies in response to cyberattacks.

But Sen. Jack Reed, D-Rhode Island, noted that the directive only deals with responding to cybersecurity events and does not allow for getting out ahead of them. And McCain said that the Obama administration action, “well intentioned as it was, led to a result as complex and convoluted as” previous plans that failed to name a lead agency.

In heated exchanges with senators, Assistant Secretary of Defense for Homeland Defense and Global Security Kenneth Rapuano said there are “issues associated with federal authorities to engage” in cybersecurity for elections, which is a state function.

Rapuano cautioned against “reassigning more responsibility for incident response” to the Defense Department, saying it would break the tradition of “not using the military for civilian functions.”

McCain blasted that argument, saying “those issues could be corrected by legislation … they’re not engraved in tablets.” The idea that the Pentagon should not get involved is emblematic of a disorganized federal response, he said, pointing out that a cyberattack was still an attack.

This is “one of the reasons why we’ve been so frustrated,” McCain said, citing Rapuano’s statement that, “Well, it’s not the Department of Defense’s job.”

“It is the Department of Defense’s job to defend this nation – that’s why it’s called the Department of Defense,” McCain said.

He ended the hearing by warning that lawmakers “have authorities that I don’t particularly want to use” to get results on what he called the biggest national security threat.

“Unless we are allowed to carry out our responsibilities to our voters who sent us here, then we are going to have to demand a better cooperation and a better teamwork than we are getting now,” McCain told the witnesses.

But he also thanked the witnesses, adding that he was “certainly not blaming you for not being able to articulate to us a strategy which is not your responsibility.”

He went on to echo other committee members who called for action to fill the empty chair, including the possibility of subpoenaing Joyce.

“When we see the person in charge at an empty seat here today then we are going to have to react,” McCain said. “The committee is going to have to get together and decide whether we are going to sit by and watch the person in charge not appear before this committee – that’s not constitutional, we are coequal branches of government.”