kasto - Fotolia
NEW ORLEANS -- Rep. Cedric Richmond (D-La.) opened the (ISC)2 Security Congress 2018 this week by thanking the crowd for their cybersecurity efforts, and then he laid out a framework for how national, state and local governments have to do more to protect information systems and critical infrastructure.
"The secretary of Homeland Security recently warned that the next attack the magnitude of 9/11 won't involve airplanes; it will be a cyberattack," Richmond told Security Congress 2018 conference attendees. "Secretary [Kirstjen] Nielsen and I may not agree on many things, but we agree on this: The types of cybersecurity threats confronting the United States have changed, and we have no choice but to adapt to it."
Several thousand information security professionals gathered at Security Congress 2018, hosted by the International Information Systems Security Certification Consortium (ISC)2, a nonprofit organization focused on the professional development of its 142,000 members.
Richmond, who makes his home in New Orleans, serves on the House Committee on Homeland Security and is a ranking member of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. Throughout his keynote address on "Cybersecurity at the Intersection of National Security and Policy," at Security Congress 2018, the congressman outlined recent legislation, partisan roadblocks and a call to action.
Richmond noted that, in May, the White House eliminated key cybersecurity positions, including the federal cybersecurity coordinator. But he said the National Cyber Strategy signed by President Donald Trump in September is a positive step. Richmond described the doctrine as a continuation of earlier cybersecurity policies and said the high-level National Cyber Strategy fails to address "interagency turf wars that have hamstrung cybersecurity policy for over a decade."
The U.S. House of Representatives passed a bill in December to create a cybersecurity agency in the Department of Homeland Security. The Cybersecurity and Infrastructure Security Agency Act of 2018 (H.R. 3359) amends the Homeland Security Act of 2002; it redesignates the Department of Homeland Security's National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency.
The bill passed the Senate with an amendment on Oct. 3, 2018. Richmond said he expects the H.R. 3359 to be signed by the president and become law by the end of the year.
H.R. 5011, the Election Security Act, was introduced by the U.S. House of Representatives in February.
"As of today, H.R. 5011 has just over 120 Democratic co-sponsors; although it has yet to attract one Republican co-sponsor, it hasn't stopped us," Richmond said.
H.R. 5011 is designed to "fund state grants to replace outdated, unsecure voting equipment; train election officials on cybersecurity best practices; and implement risk-limiting audits," he said.
Policy and skills gap
Richmond outlined three key strategies for addressing cybersecurity policy and workforce gaps.
First, federal and state governments must be structured and funded so they have the resources to find malware and remove it from their systems, as well as the ability to share that information with local governments.
Second, potential employees who take nonacademic avenues, instead of four-year degrees in science, technology engineering and math, should be considered on their merits by more organizations, in order to build a robust cybersecurity workforce.
And, third, more education is needed for the public regarding good cybersecurity hygiene practices.
"Although we have made progress in these areas," Richmond said, "progress has been too slow and inconsistent."
He also highlighted congressional data showing more than 300,000 unfilled security jobs in the U.S. in 2017 -- a "sharp jump" from 200,000 in 2015. The lack of diversity is another challenge, Richmond said. Women represent about 11% of the global security workforce, and African Americans and Hispanics make up less than 12%.
"It all comes down to one fundamental question," Richmond said. "Are we closing the gap on the number of cybersecurity professionals that we have and the number that we need?"
The (ISC)2 Security Congress 2018 is taking place this week, Oct. 8 to 10.