11.14.18

Rounds Opening Statement at Cybersecurity Subcommittee Hearing

Hearing entitled, “Private Sector Perspective on DoD’s Cybersecurity Acquisition and Practices”

WASHINGTON—U.S. Sen. Mike Rounds (R-S.D.), Chairman of the Senate Armed Services Cybersecurity Subcommittee, today delivered opening remarks at a hearing on the private sector perspective on the Department of Defense’s (DoD) cybersecurity acquisition and practices.

 

“The Department’s cybersecurity acquisition is slow, decentralized and often overly reliant on the National Security Agency’s product evaluation and indigenous production,” said Rounds in his opening remarks. “And, because of this, the department’s capabilities often pale in comparison to the best available in the private sector. While we have confidence that the department will bolster its cybersecurity in due time, we believe that this improvement could come as a result of improved cooperation with private sector cybersecurity companies and reconfiguration of the department’s cybersecurity capabilities to better match the state-of-the-art offerings in the private sector.”

 

Rounds’ remarks, as prepared for delivery:

 

The Cybersecurity Subcommittee meets this afternoon to receive testimony on the Department of Defense’s cybersecurity acquisition and practices from the private sector.

 

Our witnesses are:

 

  • Mr. Dmitri Alperovitch, Co-founder and Chief Technology Officer, CrowdStrike Inc.;
  • Major General John Davis, U.S. Army (Retired), Federal Chief Security Officer, Palo Alto Networks;
  • Mr. Francis Landolf, Principal, Core Consulting, LLC; and
  • Mr. Ronald Nielson, Vice President and Chief Technology Officer, Parsons Corporation.

 

Every single day, adversaries attack the Department of Defense through cyberspace, attempting to gain critical information about our ongoing operations, weapon systems and servicemembers.

 

These attacks are only as successful as the department’s cybersecurity capabilities and practices allow them to be.

 

And to its credit, the department possesses many extremely effective operators, program suites and mitigation tools to protect its networks and computing infrastructure.

 

However, the department’s cybersecurity and cybersecurity operations are decentralized, which means that certain DoD components exhibit better cybersecurity than others.

 

In other words, the department has produced pockets of excellence within the DODIN (Department of Defense Information Network), but opportunities remain for the department to improve its cybersecurity capabilities and practices across the enterprise.

 

For example, the department’s centralized cybersecurity operators, the Defense Information Systems Agency, often lack visibility into networks across the department.

 

Further, the department’s cybersecurity operators—including CYBERCOM’s cyber protection teams and the thousands of IT/cybersecurity specialists maintaining the department’s networks—are not particularly well-integrated with each other or with the cybersecurity capabilities used across the department.

 

The department’s cybersecurity acquisition is slow, decentralized and often overly reliant on the National Security Agency’s product evaluation and indigenous production.

 

And, because of this, the department’s capabilities often pale in comparison to the best available in the private sector.

 

While we have confidence that the department will bolster its cybersecurity in due time, we believe that this improvement could come as a result of improved cooperation with private sector cybersecurity companies and reconfiguration of the department’s cybersecurity capabilities to better match the state-of-the-art offerings in the private sector.

 

We hold this hearing today to find out how the department and Congress can achieve these advances. We look forward to our witnesses’ commentary on questions to include:

 

Where are the department’s cybersecurity capabilities, architecture and operators lacking as compared to the cybersecurity leaders in the private sector?

 

What capabilities can the private sector provide to fill these gaps?

 

And how are the department’s acquisition processes and cybersecurity policies failing its cybersecurity?

 

###