Testimony
House Committee on Homeland Security
Subcommittee on Emerging Threats, Cyber Security, and Science and Technology
"Cyber Security Recommendations for the Next Administration"
James A. Lewis
Center for Strategic & International Studies
Sept. 16, 2008
I thank the Committee for the opportunity to testify on the work of the CSIS Cyber Security Commission on Cyber Security for the 44th Presidency. As you know, this Commission was established a year ago. It held its first meeting in November 2007. Our goal is to identify concrete actions that the next Administration can take to improve cyber security. We are composed of 40 individuals with extensive experience in cyber security and in government operations, and our work has been supported by a number of eminent experts in this field. We have also received invaluable assistance from the Department of Defense, the intelligence community, the FBI, and from elements of the Department of Homeland Security. Let me also note that you, Mr. Chairman, and your colleague Representative McCaul have provided essential support and guidance during the course of our work. Your leadership has been crucial for shaping the report and in moving the Commission forward.
The starting point for the Commission's work was that the lack of cyber security and the loss of information were doing unacceptable damage to the U.S. It has been 10 years since the first reports called attention to America's vulnerability in cyberspace. Unfortunately, the situation has gotten worse, not better, during the intervening decade. That cyberspace now provides the foundation for much of our economic activity is not readily apparent. However, those who wish to do harm to the U.S. have not failed to notice the opportunities created by the weaknesses of U.S. networks. There have been damaging losses of valuable information. These losses occurred in both the government and the private sector, creating major risks for national security and doing major damage to U.S. global competitiveness. We are also deeply concerned by the idea that these intruders, since they were able to successfully enter U.S. networks to steal information without being detected, could just as well be leaving something behind, malicious software that could be triggered in a crisis to disrupt critical services or infrastructure.
I should note that when we began our work, the Administration had not announced its National Cyber Security Initiative (NCSI). We appreciate the willingness of some departments to share the details of this highly classified activity with those of us who hold the appropriate clearances. As a group, we believe this initiative has begun to make a tremendous contribution to improving U.S. national security, and we applaud those who are struggling to implement it. We have adjusted our work in light of the initiative; it has brought progress, but there is still much work to be done.
The CSIS Cyber Commission hopes to have finished its work by November of this year. So our discussion today must necessarily reflect that in some instances, the group has not finished its work on key recommendations. What I and my colleagues can do, however, is brief the committee on the issues we have identified and some of the options we are considering.
Let me begin by noting our two most important findings. The first is that cyber security is now one of the most important national security challenges facing the U.S. This is not some hypothetical catastrophe. We are under attack and taking damage. Our second finding is that the U.S. is not organized and lacks a coherent national strategy for addressing this challenge.
These two findings inform our work and our recommendations, and the Commission has identified several broad areas where we recommend that the next Administration take immediate action. These are to develop a comprehensive national security strategy for cyberspace; to reorganize the governance of cyberspace to provide accountability and authority; to rebuild relationships with the private sector; to modernize cyberspace authorities; and to use regulation and federal acquisitions to shape markets.