“I think we have to recognize the fact that when it comes to cyber, 80% of the critical infrastructure is owned by the private sector. And that’s not going to change. And so that requires, first and foremost, I think, a paradigm shift for how the national security bureaucracy approaches the problem, and a recognition that in some ways they’re not the main effort, they are the supporting effort. …

One of the things I’ve tried to do in my little role that I occupy here is to try and explain to my constituents why this matters, why cybersecurity or protecting critical infrastructure is not just something that the federal government does, people at DHS, or the Pentagon, or only matters if you work in DC. But how it affects every single small and medium-sized business in my district, how all of us who walk around all day with a phone in our pockets or probably more accurately in our hands with our face looking at it are vulnerable. Why this problem is not going away, and it’s increasingly a kitchen table issue as much as it is an issue that you discuss with the real experts on this podcast.”

That is Wisconsin Republican Congressman Mike Gallagher, who represents the state’s 8th Congressional District and has a background in military service, as well as work in the private and public sectors that gives him a unique perspective on lawmaking in the cybersecurity space.

Congressman Gallagher has also been instrumental in establishing the Cyberspace Solarium Commission. It’s a bipartisan, intragovernmental body with the purpose of creating a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences – which absolutely includes our critical infrastructure. He co-chairs the Commission with Senator Angus King (I-Maine).

The Congressman joined Hack the Plant for a wideranging discussion on why cybersecurity is national security, and how the government and the private sector can join forces to keep us all safe.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

Transcript: 

Bryson Bort:

I’m Bryson Bort and this is Hack the Plant.

Today, I’m joined by Congressman Mike Gallagher, who represents the 8th District in Wisconsin.

In this episode, we delve into critical infrastructure security from the perspective of national security.

Congressman Mike Gallagher: 

I mean, in the past, we sort of had the advantage of basic geography, and 1000s of miles of oceans, and friendly neighbors to protect us. But in the cyber domain, those geographic distances are essentially meaningless…..we’ve seen have been kind of a huge wake up call for me and a few other legislators who tend to focus on these issues.

Bryson Bort:

We talk through Rep. Gallagher’s background in military service, public and private sector, which gives him a unique perspective on lawmaking for cybersecurity.

After seven years of service in the United States Marine Corps, he worked in Republican staffer for Middle East,  North Africa and Counterterrorism on the Senate Foreign Relations Committee….

Congressman Mike Gallagher: 

But that was the moment where I sort of thought, “Okay, something interesting is going on here. And I need to expand my aperture as someone thinking primarily about counterterrorism and counterinsurgency in the Middle East to thinking about cyber competition, and thinking in particular about the rise of China.” And that put me on a very long and complicated intellectual journey that has now culminated in the Solarium Commission.

Bryson Bort:

Rep. Gallagher has been instrumental in setting up the CyberSolarium Commission which he co-chaired with Senator Angus King. It was a bipartisan, intergovernmental body created by the John S.McCain National Defense Authorization Act for Fiscal Year in 2019. Its purpose: “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In short, we’ve got to do something faster than the normal speed of government to protect ourselves.

Rep. Gallagher has worked in the private sector at a global energy and supply chain management company in Green Bay, Wisconsin.

Congressman Mike Gallagher:

Well, I think we have to recognize the fact that when it comes to cyber, 80% of the critical infrastructure is owned by the private sector. And that’s not going to change. And so that requires, first and foremost, I think, a paradigm shift for how the national security bureaucracy approaches the problem, and a recognition that in some ways they’re not the main effort, they are the supporting effort. …

one of the things I’ve tried to do in my little role that I occupy here is to try and explain to my constituents why this matters, why cybersecurity or protecting critical infrastructure is not just something that the federal government does, people at DHS, or the Pentagon, or only matters if you work in DC. But how it affects every single small and medium-sized business in my district, how all of us who walk around all day with a phone in our pockets or probably more accurately in our hands with our face looking at it are vulnerable. Why this problem is not going away, and it’s increasingly a kitchen table issue as much as it is an issue that you discuss with the real experts on this podcast.

Bryson Bort: 

Like myself, Rep. Gallagher is a huge nerd (we explicate below)…. he also has a master’s degree in Security Studies from Georgetown University, a second in Strategic Intelligence from National Intelligence University, and his PhD in International Relations from Georgetown.

Join us for a wide-ranging conversation on why cybersecurity is critical from a national security perspective, key challenges, and how the government as well as the private sector can join forces to keep us all safe.

Bryson Bort:

Okay. So, we’ll be doing the full intro in post production, so we just get right into it. Representative Mike Gallagher, What’s your story? Why did you run for office? What are you trying to do?

Congressman Mike Gallagher:

Man, that’s a very existential question there. Now, we’re first happy to be here. My story begins on a windy day, March 3rd, 1984, when I was born. I can fast forward, though. I am from Green Bay, Wisconsin. I come from a family of physicians, that also owned a pizza joint here. And I chose neither industry, I instead chose to go into the Marine Corps after I graduated from college. I’d studied Arabic in the Middle East as an undergrad and became fascinated by the region and figured that serving in the military would not only allow me to pay back a debt I felt I owed to the country, but also put those skills to good use.

So, spent seven years in the Marine Corps as a what’s called a counterintelligence, human intelligence officer. Deployed a couple times to Iraq, came back, worked in the Intelligence Committee for a little bit while still in uniform, worked on the Senate Foreign Relations Committee as the Middle East guy and the counterterrorism guy for a couple years and then had an opportunity to move back home to Wisconsin to work for our former governor, Governor Walker. When he ran for president, I was his national security adviser.

And then after that, campaign didn’t work out, just stayed in Wisconsin. And my plan was to embark upon a private sector career. And with a little bit of academia on the side, I’d used my GI bill to get my PhD, when an opportunity to run for office emerged. And even though I was not a political person, I had very little experience with politics and hadn’t really conceived of a political adventure. It’s kind of right place, right time and felt like I could continue to work on the national security issues that I had been working on in a different capacity as a legislator.

So here I am now in my third term, serving on the infrastructure committee and the defense committee, and also was very privileged to co-chair the cyberspace solarium commission with the great American Senator Angus king.

Bryson Bort:

Well, as a Marine, I’m sure that’s what biases you for this next question, because the world’s supply of crayons depends on our manufacturing to continue. So, why do you care about industrial control systems and the critical infrastructure sectors?

Congressman Mike Gallagher:

Wow, wow, that was a great preemptive strike on a Marine. I’ve heard the crayon joke, but I hadn’t heard it worked in quite that context. So I respect it. What’s the rating on this podcast? So, I’m not going to use very explicit profanity, but the story I might tell may involve a minor one, I can avoid it.

Bryson Bort:

I believe we can accommodate up to PG-13. And I would just like to point out that it’s my West Point background that allows me to weave such an eloquent tie-in.

Congressman Mike Gallagher:

Well, West Pointers have a lot in common with Marines. They all started off intending to be Marines and then you guys couldn’t hack it. So you went into West Point in the army, so that’s okay. But the head of Indo-Pacific Command, in my freshman year of Congress, Admiral Harry Harris, we were out in Singapore for some conference. And I’m still a new member of Congress, so if I see an admiral or a four-star general, I go back into the Marine Corps Captain mode immediately. Not really realizing I was a member of Congress at the time, but he leaned over to me and he said, “Hey, congressman Gallagher, you know what marine stands for, right?” And I said, “I don’t know admiral what does it stands for.” He said, “My ass rides in Navy equipment.” And I thought, that was pretty good. I hadn’t heard it before, so I love it. And now I’ve forgotten what the actual question was.

Bryson Bort:

Well, I’ll just give you a follow-up joke question then. And you know why the Navy has Marines?

Congressman Mike Gallagher:

Oh, boy. Why is that?

Bryson Bort:

Well, I mean, goats are way too messy on boats.

Congressman Mike Gallagher:

Ah, wow. We might be beyond PG-13 at this point. I love it. I will say like, it is a fun … Anytime I go to a veterans event in Northeast Wisconsin, the inner service jokes just immediately start and it’s an instant form of camaraderie among people here in my district that have served in uniform. By the way, why is your beloved army trying to weasel its way into the Indo-Pacific right now?

I mean, there’s a lot of water and air there. We don’t necessarily need the army to be meddling around and what should be a Navy Marine Corps fight, so that’s just a side note about strategy, we don’t really have to get into right now.

Bryson Bort:

I mean, I cannot speak on behalf of all of the army, my role with the military and the army as a service in specific is limited to my board advisor role at the Army Cyber Institute. So, I’m more helping shape the cyber strategy for the military than I am getting into the other four domains of food fighting.

Congressman Mike Gallagher:

Well, that’s good. But I think there’s a lot of interesting thinking going on among the services right now about, how do we adapt to this era of great power competition, where China’s the pacing threat, and part of that is the cyber threat? And I think a lot of services are trying to think through this very complex and difficult problem about, what does it mean to be a deter in the cyber domain? What is the role of the various military services in cyber competition and cyber deterrence? And I don’t think we’ve kind of arrived at the solution yet.

Bryson Bort:

Yeah, there’s a lot of debate, because I think a lot of folks still have the Cold War perspective of deterrence being a yes or no. And particularly when we look at the options that are with cyber, it’s very much a lot of gray. This is where I think they talk about a new version of Cold War, but we’re not actually at war. But there’s clearly all of the levels up to what would be consider open conflict happening with the fact that all of these internet connected computers are such interesting targets for all of that.

Congressman Mike Gallagher:

Well, it’s a very important philosophical point that did actually shape our thinking on the Cyber Solarium Commission, because I do think there’s lessons from the old Cold War that could be applied to the new. But there’s a very important difference between strategic nuclear deterrence, how we conceived it back then, which as you point out, there was zero room for failure. If deterrence fails, suddenly you’re involved in a nuclear war, that is a bad day.

And so, the primary mission of the military in many ways was to avoid war, was to keep the peace. Whereas in the fundamental line of departure for what I would call cyber deterrence is a recognition that it is constantly failing every single day, and you’re never going to have a perfect level of deterrence. The question is, how do you start to achieve some respectable posture of deterrence with rapid attribution and response, by hardening your defenses and reducing the attack surface that our cyber adversaries could exploit?

So, we spent a lot of time thinking through the basic question of whether deterrence is possible in cyberspace. And I think we arrived at a yes, but it’s not a yes in the same way that nuclear deterrence obtained in the early 50s and throughout the earliest stages of the Cold War.

Bryson Bort:

I agree. So, to tag it back to that question from earlier, on a previous episode, we had Colonel’s Erica Mitchell, and Doug Fletcher, who are the program managers behind the Jack Voltaic effort, which is been a domestic exercise to look at the roles of critical infrastructure on potential force projection.

We just did an interview with Daryl Haegley, out of the Pentagon. He oversees critical infrastructure for DOD, and so tying that back to critical infrastructure, why do you care about industrial control systems and critical infrastructure? What are your goals there?

Congressman Mike Gallagher:

Well, I think, to take it back one step … I mean, kind of my road to Damascus moment, when it comes to cyber and then I’ll move in specifically to critical infrastructure, was back in 2015, when I was still the Middle East focused analyst. But we had the OPM hack, and then a little bit later, I got a letter from the federal government saying that my military records were part of the hack, and were compromised. And there was this big debate within the Walker team about whether we called for canceling Xi Jinping state visit, that Obama should cancel that.

Bryson Bort:

The hack began in November of 2013, when the attackers, widely believed to be the Chinese, first breached the Office of Personnel Management networks and eventually exfiltrated 22 million SF-86’s, the extremely detailed record of personal details for a security clearance. “It is a very big deal from a national security perspective and from a counterintelligence perspective,” FBI Director James B. Comey said at a meeting at FBI headquarters. “It’s a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government.”

Congressman Mike Gallagher:

But that was the moment where I sort of thought, “Okay, something interesting is going on here. And I need to expand my aperture as someone thinking primarily about counterterrorism and counterinsurgency in the Middle East to thinking about cyber competition, and thinking in particular about the rise of China.” And that put me on a very long and complicated intellectual journey that has now culminated in the Solarium Commission. But when it comes to critical infrastructure, I think all of us at this time last year, so late March, early April of 2020, were trapped inside, very concerned about the pandemic and with very little understanding about how we were going to respond.

And then, quickly as we tried to ramp up production of critical testing materials, for example, or basic medical equipment. I mean, I spent half a month here in Wisconsin trying to figure out who produces testing reagent and where we would get it. We started to realize that owing in part to the complex nature of our globalized economy, our supply chains were very brittle or had single points of failure that could be exploited by our adversaries. And I always remember the moment when a Chinese Communist Party official threatened to cut off the export of life saving drugs in order to plunge the United States into a sea of Coronavirus, I believe was the phrase he used. As a moment where I think I realized that we were unacceptably dependent on hostile foreign powers for the manufacturing of basic devices.

And I do think that the biggest overall trend coming out of the pandemic is going to be to accelerate some form of selective economic decoupling from China and to force policymakers like myself to think about, “Okay, how do we define critical infrastructure? How do we make our critical infrastructure more resilient, so that anyone who wants to shut off the water supply in Green Bay, Wisconsin can’t do it. Anyone who wants to take down the energy grid in Milwaukee can’t do it?”

I think you’re starting to see a lot of people think through these problems, because they’ve realized that we are much more vulnerable than we thought. I mean, in the past, we sort of had the advantage of basic geography, and 1000s of miles of oceans, and friendly neighbors to protect us. But in the cyber domain, those geographic distances are essentially meaningless. And so, I think that combined with the solar wind tack, and a few other things we’ve seen have been kind of a huge wake up call for me and a few other legislators who tend to focus on these issues.

Bryson Bort:

So clearly, that’s a big deal. Why aren’t more lawmakers involved in these issues?

Congressman Mike Gallagher:

That’s a great question. I think the first thing is that they’re very complex. I mean, I don’t consider myself a cyber expert at all. I’ve done my best to study the issue as co-chairman of the Solarium Commission, and had the benefit of an incredible staff to help me out with that. But the issues tend to become very technical, they devolve into a lot of jargon, a lot of acronyms. And I think maybe that turns your average member of congress off a little bit.

And I don’t think there’s any immediate political reward for focusing on an issue like this, that may seem like an ish-issue, but affects everybody. And one of the things I’ve tried to do in my little role that I occupy here is to try and explain to my constituents why this matters, why cybersecurity or protecting critical infrastructure is not just something that the federal government does, people at DHS, or the Pentagon, or only matters if you work in DC. But how it affects every single small and medium-sized business in my district, how all of us who walk around all day with a phone in our pockets or probably more accurately in our hands with our face looking at it are vulnerable. Why this problem is not going away, and it’s increasingly a kitchen table issue as much as it is an issue that you discuss with the real experts on this podcast.

Bryson Bort:

Well, this is where I get to make a shameless plug. This is why we do Hack the Capitol, which is the annual conference to bring the technical community together to share in a less than technical way with legislators and policymakers here in Washington, DC. Again, I appreciate that you joined us back last year at Hack the Capitol 3, Hack the Capitol 4 is on May the 4th. And I agree, I think this is the part where I would point the finger at our own community, is we got a bunch of nerds who talk nerd. And nobody else talks nerd and nobody else cares.

And finding a way to translate those issues, I mean, it’s the same thing with the military. It’s about commander’s intent, it’s about mission. If I can’t put it in a way that’s about what’s changing, that’s happening somewhere, then no one’s going to do it.

Congressman Mike Gallagher:

Well, that’s such a good point. And it’s made me think of something. You could have the best IT person or CISA in your organization, you’re doing great work. But if cybersecurity hasn’t penetrated your entire culture, whether it’s the DODs culture, such that a Lance Corporal, CRAN eating Marine can understand what his cyber responsibilities are, or even within a cyber company, everybody, even someone just doing man in the front desk, understands what their responsibilities are. I think you open yourself up to attack.

And so, I think the federal government has a real challenge in translating some of these very complex topics in a way where that Lance Corporal can understand the commander’s intent, or we’re all operating under the same basic standards. I mean, it’s like if you work for the federal government, you’re doing two factor authentication on all your devices, or you’re doing X, Y, Z. Like what are the 10 basic cyber commandments that we’re all going to live by that will make us and by extension, our critical infrastructure more resilient? And we haven’t done that. We do have … I think you’re right, the nerds tend to talk to the nerds.

Maybe that’s just because the nerds are bad at talking to pretty girls and people that are nerds. I don’t know, maybe there’s like a basic high school logic that underlies all of this person as I think about this more.

Bryson Bort:

Yeah. That kind of got become like a phrenologist, or psychologist of this part of the conversation.

Congressman Mike Gallagher:

By the way, for the nerds listening, I was a nerd. So I can make those jokes, all right? I say it with love.

Bryson Bort:

We will duly note that you are listed in the nerd Pantheon and you have a fully-fledged license. Actually, no, I’m going to challenge you on that. Give me one proof of you being a nerd.

Congressman Mike Gallagher:

I’m reading a sci-fi novel right now. I mean, my bookshelf is filled with nerdy sci-fi books. So there’s your evidence.

Bryson Bort:

Okay, give me one.

Congressman Mike Gallagher:

I’m reading this book called Superego, by Frank Fleming, which is hilarious. And it’s about an assassin hitman … Not assassin, a hitman in a futuristic scenario. And then, I just read something called the Red Rising Trilogy, and I’m always game for watching a cheesy sci-fi movie as well. So there you go, nerds. I mean, I’m speaking your language.

Bryson Bort:

Have you read The Three Body-Problem trilogy?

Congressman Mike Gallagher:

I read the first book, I haven’t read the whole trilogy. And I feel like I have to read books two and three. The problem is I understand like it’s interesting as some sort of insight into China. But it’s not that fun of a read, I don’t know if you have a different opinion.

Bryson Bort:

So, the first part of the Three Body-Problem, like those first 40 pages where it starts in the Cultural Revolution, I thought was an interesting sort of counterprogramming insight into Chinese mentality and culture. The sci-fi stuff picks up really hard in book two and three, although I don’t think they were as good as book one.

Congressman Mike Gallagher:

Interesting, okay. Well, maybe I’ll have to return to it, so I can finish the trilogy. I have this very bad habit where if I start a book or a series, I feel duty bound to finish it, even if I’m not enjoying it. And I’m trying to wean myself off of that. And I had a friend who is an author who gave me a great little trick, which is that you take your age, and you subtract it from 100. And that’s the number of pages you are committed to reading. And if you’re not into it, if you are not compelled to turn to the next page after that number of pages, then you put the book aside, and you never come back to it.

So, think about, I’m 37, what would that be? I have to read 65 pages. Wait, is my math correct on that? I used to be 66. And then I can put it down. But if you’re 99, you only have to read one page. You’ve earned the right to throw a book away if it doesn’t grab you on the first page. And if you’re 100, you can just look at the cover. And if you hate the cover, you can throw it away. So this is a very useful concept.

Bryson Bort:

It’s funny, I was thinking about this exact thing this morning. So I’m 43 now and I was kind of pondering as I was looking at Nicole Pereira’s book that I’ve gotten halfway through. And it’s taken me a month to get halfway through it, that in my 20s I mean, I was reading three books at the same time, and I would finish them all within days. Now in my 40s, I never finish a book anymore.

Congressman Mike Gallagher:

I have a fine story about this. I went to college with Nicole Pereira. She was, I think, two years older than me and much more popular than I was. And I did this event with her and I forgot how I came up. But I’m like, “Oh, Nicole, so great to see you again. It’s been a long time since Princeton.” And she was just like, “What? What are you talking about?” It’s clear she did not know that she went to college with me. So, speaking of nerds being embarrassed, that was a very embarrassing moment for me.

Bryson Bort:

But you built up the courage to say hi.

Congressman Mike Gallagher:

That’s right. That’s right. I’ve come a long way.

Bryson Bort:

Well, I would imagine campaigning as a congressman would force you to be extroverted. I mean, you have to go and kiss babies, and shake hands, and talk to strangers non stop.

Congressman Mike Gallagher:

It does get you out of your comfort zone. Both just in terms of talking to strangers, but also, I’d say your intellectual comfort zone. And certainly my experience with the solarium was that. I mean, it was a big challenge and an area that was sort of outside my expertise that I got to take on and it was a really rewarding experience.

Bryson Bort:

So talking about the solarium, you were the co-chair with Senator King. Why was it called the Solarium Commission? Obviously, the throwback to the Eisenhower reference. And then, where are we with implementing those recommendations with respect to critical infrastructure?

Congressman Mike Gallagher:

Yeah. So, it was called the Cyberspace Solarium Commission as merged to the project solarium, which took place in 1953 in the first year of the Eisenhower administration, which was a competitive exercise of strategy design, where Eisenhower assembled three separate teams of seven people each, the brightest minds of the day to develop and debate alternative approaches to the Soviet Union.

Ultimately, this culminated in Eisenhower shifting away from Truman’s grand strategy, as codified in NSC-68. And coming up with the new look, which a lot of historians have subsequently concluded made containment sustainable and laid the foundation for containment over the subsequent decades of the Cold War. And the exercise is viewed as the best example of long-term strategic planning in American presidential history.

So, this Solarium Commission tried to replicate a bit of that magic, though, we were very conscious of the fact that none of us were Eisenhower, and none of us have the authority of the presidency and it was a congressionally-led organization. And we tried to leverage that as a strength by making our final product really a blueprint for action. We came up with a ton of proposals, and were able to get a lot of them effectuated into the National Defense Authorization Act, last year, which if you dig into those proposals, you’ll see we actually passed the most significant piece of cybersecurity legislation in American history, giving CISA the authority, for example, to do threat hunting on .gov networks, a variety of other things.

So, we feel like we’ve had a good initial bit of success with the recommendations. But we have a long way to go. We’re working on legislation that would attempt to resolve, for example, some of the problems uncovered in SolarWinds. It’s not just about securing the supply chain, we want to focus on public-private partnership to really shorten the timeline between system compromise and public discovery. This is one place where we really think we need to step it up. Countries like China don’t have that problem, they have civil military fusion, and that enables them to enlist companies as they please to accomplish national security missions.

We don’t have that capability, nor do we want to adopt that model. So, we’re trying to think on how we can enhance public-private partnership, especially when it comes to this issue of data breach reporting, without overstepping the boundaries that shape our free market democratic system.

Bryson Bort:

That’s a great segue. So China, of course, able to do a whole of nation approach, we’re more like a bunch of ferrets running all over the place. When it comes to critical infrastructure, it’s also a challenge. I mean, the different sectors outlined in PPD-21 are different levels of regulation, different levels of public-private ownership. What do you think the role of government versus the role of private industry should be in this space?

Congressman Mike Gallagher:

Well, I think we have to recognize the fact that when it comes to cyber, 80% of the critical infrastructure is owned by the private sector. And that’s not going to change. And so that requires, first and foremost, I think, a paradigm shift for how the national security bureaucracy approaches the problem, and a recognition that in some ways they’re not the main effort, they are the supporting effort. And they culturally, they have to change from this posture of need to know to a duty to share, and add value to the private sector.

You don’t want the private sector constantly suspicious of working with the federal government, either because it’s going to compromise their internal information or hurt their bottom line. So, I think there’s an overall cultural shift that needs to occur. And I think the federal government then needs to distinguish itself in certain key areas where the private sector simply can’t compete or just isn’t involved in.

I mean, they are a very sensitive intelligence streams that the federal government has that it could do a better job practically sharing with the private sector, if their infrastructure has been compromised. There are specialized personnel that work in the private sector that can add value to the private sector. And then, I think if you go back to incentivizing the private sector to step up, we really want the culture of cybersecurity to permeate through our companies in the United States.

So the question is, how do you incentivize things like 1-10-60 reporting?

Bryson Bort:

During a cyberattack, the time it takes you to identify and resolve a breach is critical. The 1-10-60 rule developed by Dmitri Alperovitch which he has testified on before the Senate Armed Service Committee is the goal of: 1 minute to detect, 10 minutes to investigate and 60 minutes to remediate is the goal to effectively contain an attacker breaking out into the network.

Paul Rosenzweig:

Hi, my name is Paul Rosensweig, and I’m a senior fellow at the R street Institute. As part of the cybersecurity and emerging threats team, one of the critical things that we’re focusing on as part of that team is threats to the critical infrastructure, the United States, and in particular, cyber threats, we’ve reached the point in time when cyber incidents could actually cause adverse physical consequences to people. In other words, we could lose the electric grid, and somebody might die. That is, I think you’ll agree, terribly significant change in the nature of our relationship to other places in the world. And so one of the things that we’re studying is how best to answer that challenge. how better to protect our critical infrastructure from cyber threats. To that end, one of our projects revolves around the idea of learning how to measure improvements in cybersecurity. Today, cybersecurity is an art you have we have no generally agreed upon widely adopted transparent and accountable metrics that let us say that one dam, for example, is more cyber secure than another. We have a sense of that from our qualitative judgments. But we don’t have any way of actually putting any numbers on. And so long as you can’t measure it. It’s not really science. It’s art and it’s preference. Want to go Lord Kelvin, the guy who, who gave us the Kelvin temperature scale, said, If you can’t measure it, it really doesn’t count as science. I’m obviously translating him a bit, but he was right. And so our goal, as part of our overall interest in the cybersecurity and national security, the United States is to help build a structure a policy structure and a legal structure and a technical structure that advances the idea of measuring cyber security.

One of the things we’re doing to advance the idea of measuring cybersecurity is advocate for and hope to help in the development of something known as the Bureau of cyber statistics, or BCS. The cyberspace solarium commission was a congressionally chartered commission, that representative Gallagher served on that recommended the creation of this agency. Think of it this way, we have a bureau of labor statistics, and every month, it publishes labor data, about how many unemployed we have how many won employment claims there are, how jobs are changing, that sort of thing. It’s how we know that jobs in the agricultural sector are going down and jobs in the cybersecurity sector are going up. We have other statistical agencies like that in the federal government, including the Census Bureau, and the Bureau of immigration statistics, for example, we don’t have any one stop shop for measuring incidents, events, and security metrics relating to cyberspace systems. And since it systems pretty much support 25% of the economy today, more or less, the absence of any measurable measurement metrics, and the absence of any federal agency to collect those metrics is a pretty glaring gap in our knowledge base. So we are looking towards the creation of a bureau of cyberspace. This is a BCS that will be stood up by Congress and chartered as part of one of the executive agencies of the government and would begin the process of defining and then collecting appropriate metrics for cybersecurity and making them available to the general public. So that decision makers, whether their corporate boards, or individual consumers could make reasonable decisions about their security, how much money they want to spend to be how secure I think that’s a great idea and I’m looking forward to seeing it develop during the coming Congress.

Congressman Mike Gallagher:

I think that we’re not doing enough in this space to foster that public-private partnership that I think is the foundation for success in this space.

Do you have a, maybe not a mandatory penetration testing process for publicly traded companies, but something that incentivizes companies to do routine penetration testing so that they can identify an intrusion, share that information with the public sector, and then both can work collaboratively on how to prevent it from getting out of hand.

And certainly with the SolarWinds hack, I think the fact that it went undetected for so long, and the fact that the initial detector was not the federal government, but FireEye, should be a wake up call.

Bryson Bort:

Related to the comment about 1-10-60, is one of the ideas that came out of the solarium, was around the concept of building a bureau of cyber statistics. Do you have any thoughts on that?

Congressman Mike Gallagher:

Well, obviously we support it. The idea is that this bureau would be charged with collecting and providing statistical data on cybersecurity, and the cyber ecosystem to inform policymaking and government programs. Obviously, anytime you are recommending the creation of a new bureau or organization, you’re going to encounter resistance. And I was sensitive to that, as the conservative on the commission, I didn’t want us to just propose new DHSs for everything. And I wanted to be conscious of some of the lessons, I think of the 9/11 Commission, that layering more bureaucracy on top of an already dysfunctional bureaucracy is not going to actually make us more secure in cyberspace.

So we really did try and strike the right balance. In fact, I think most of our recommendations are geared towards taking existing organizations and elevating them and empowering them with the authorities they need in order to get their job done. And then forcing them to work together, to play in the cyber sandbox a little bit nicer than they tend to do right now. So, we were very wary about creating new organizations.

But I do think that a bureau of cyber statistics would be a unique function that the federal government could perform and collect data that they could then make available to the private sector, because each individual company is going to be primarily focused on their bottom line and their little universe. And they have little to no incentive to consider the broader cyber ecosystem. So that’s an area where the federal government, I think, can step in and add some value.

Bryson Bort:

Going back to the thread on public and private partnership, trust is built off of expectation management and communication. So, here’s your chance to say your piece to what do you want the industry side to know about the process, and about how they can start to trust more and collaborate more with government?

Congressman Mike Gallagher:

Gosh, maybe this is gonna sound naive, but at least it was my experience through the commission. And the commission, you have to understand it was for legislators, two senators, two members of the House, Republicans, Democrats and an independent, Senator King is an independent. And representatives from the executive branch from every major National Security Agency, from DOD, from DHS, from FBI, from CISA. And we have remarkable participation, we had almost perfect attendance at every meeting we had, and we had knockdown drag out fully candid debates and discussions. We also had incredible outside experts as well, to inform our approach.

It was my experience in those discussions that everybody was trying to make a good faith effort to achieve that level of trust you reference, and achieve a productive partnership and to avoid the federal government coming in with a series of onerous regulations, or restrictive rules, or very draconian laws that forced the private sector to divulge information or do things that are either very costly are counterproductive.

Now, I’m not saying we struck the perfect balance, but I’m just telling you, there’s a lot of very patriotic and smart people, both in the legislative branch and in the executive branch of government that are trying to figure this out, and that are trying to abide by the legislative Hippocratic Oath of first, doing no harm. But it’s going to require a lot of work. And it’s going to require a lot of muscle memory of responding to various incidents, and flexing the various muscles that we have at the federal government to prove to the private sector that we can be a productive partner.

Which is why I do think it’s important to elevate CISA so that it can accomplish that function of providing value and outreach to the private sector and to state, and local, and tribal, and territorial governments, which is why I think it’s important to have a National Cyber director who can interface with fortune 500 companies and constantly be reaching out to them to build that trust. So, I don’t know that answers your question. And maybe there’s no easy answer, but it’s certainly something where we tried to strike the right balance.

Bryson Bort:

There are no easy answers to any of this. If we could all sit around with a few beers and solve everything, then it wasn’t that hard to begin with. So, what did you mean by elevate CISA?

Congressman Mike Gallagher:

Yeah. Well, both just as a matter of pay and rank elevating the director of CISA one level up, also extending that person’s tenure in the job to give them a bit more freedom to maneuver and a bit more freedom from the political winds, which tend to blow in a variety of different ways. But I think even more importantly over time … And then finally giving CISA the authority to do things like threat hunting on .gov networks, which thankfully, we just did. And I do think that’s a very meaningful change. And we’ll have to evaluate over this this year, whether it does what we intended to do.

Beyond that, I think maybe the most important component of that is the human component. It’s how do you … And Angus and I said this in our chairman’s letter at the beginning of the report, how do you make CISA a sexy as the NSA? How do you put CISA in a position where it can compete for top level talent with Google and Microsoft and the NSA and win? I mean, you’re never going to be able to compete on money, even if we use all of the authorities we have to hire the very talented nerds and pay them more than we’d pay your average government employee, you’re never going to be able to match Google’s salary. And all the amenities that come with working at these companies.

Yeah, I’d like someone to do my laundry at work, and then have unlimited red vines licorice in a fricking moped that I can jet from my desk to other desks, but the federal government is not going to do that. We can complete our mission though, we can make our mission very cool and we can give talented cyber operators the tools they need to accomplish that mission. I think that’s what the NSA does very well. And so, we try to think through how do we put CISA in a similar position where it can be a very attractive and desirable place to work for the best and the brightest around the country.

Bryson Bort:

I just want to make sure I’ve got you on record correctly, that we are giving CISA 20x the budget it has today?

Congressman Mike Gallagher:

We’re giving everyone at CISA a hoverboard and Google amenities. No, that’s not what I’m suggesting.

Bryson Bort:

I was teasing because NSA has 20 times the budget of CISA.

Congressman Mike Gallagher:

Yeah. But [crosstalk 00:33:34] somewhere in between 20x and status quo is the right answer. I think we’d all agree that CISA has an important job to do that’s going to get more important and will probably require a lot more resources. I mean, one of the things we asked in the NDAA is for General Nakasone and some of the military officials that do cyber to do a force structure assessment of our cyber mission force in DOD. And we’ll see what they come back with, and I guarantee you, it’s going to be that we need more resources than we have today, just because the problem has gotten bigger and the threat landscape has gotten so much more vast.

Bryson Bort:

When you talked about elevating CISA, and this is going to lead to a follow up question, just a short follow up question. One of the things that I personally think is that we’ve given too much weight to the General Nakasone position, and I’m not even going into the dual headed nature versus what the director of CISA who effectively represents domestic cyber security in that conversation.

Congressman Mike Gallagher:

Exactly. And honestly, I don’t think anyone could credibly say that the director of CISA, even though I admire Chris Krebs did amazing work, his predecessors did amazing work. I don’t think they would say that they had the same seat at the Interagency Table or in the Situation Room, that general Nakasone does. It’s just not the case. And so we got to fix that imbalance over time because CISA has an incredibly important job.

Bryson Bort:

So, where I was leading with that, you talked about trying to create the director position not only at a different level, but with a different tenure. Is that more like the way the FBI director has a longer tenure?

Congressman Mike Gallagher:

Yeah, but not quite as long. A five year tenure as opposed to, I think FBI is a 10 year tenure if I have my numbers correct.

Bryson Bort:

Yeah.

Congressman Mike Gallagher:

But I mean, that’s kind of the idea. I mean, maybe recent history suggests that FBI director is not the most apolitical model, but I think the basic logic remains the same.

Bryson Bort:

You mentioned the National Cybersecurity director position and the potential staff that would come with that. That’s something that has been a hot debate since what was the closest thing to the role previously was done away with a few years ago, we’ve had Anne Neuberger come over from NSA into a very powerful position. What are your thoughts on the importance of those roles? And what we can be seeing from those folks?

Congressman Mike Gallagher:

Well, as my good friend, Senator Angus King would repeatedly remind us in the course of these debates, there needs to be one throat to choke, as he puts it colorfully. And I do think there’s a lot of confusion, at least from the perspective of Capitol Hill as to who’s in charge when it comes to cyber? Who is that person that we can go to and a pure NSC position like Anne Neubergers, that’s all well and good if you sit in the White House, and are very skeptical of Congress, but it’s less useful for legislators who need to interact with the experts.

And certainly NSA officials are under no obligation to repeatedly testify before Congress and share information with us and often hide behind need to know and presidential information in order to avoid sharing information with Congress. And so, we really tried to look at what the best model would be. There’s no perfect model. But I think at least I came to the conclusion that, among the many options this was the simplest, and the one that would get you to that single throat to choke that Senator King was aiming at.

And we really thought that a model built upon something like the US Trade Representative, which has its own staff, isn’t extraordinarily big, is highly specialized, and has to interact with Congress is the right model. So, I understand the skepticism that comes from executive branch officials, and certainly a lot of this will depend on who the personality is of the person that occupies the position for the first time. But I can just tell you, there are a lot of people in Congress that are committed to making it work. And I think it would be a mistake for the White House to ignore that congressional intent because it’s now a matter of US law, and so they ignore it at their own peril.

Bryson Bort:

If you could wave a magic, and since we’re talking about industrial control systems, it’s air gapped wand. What is one thing you would change? So independent of reality, you got magic at your hands here.

Congressman Mike Gallagher:

Oh, interesting. And this is like very powerful magic that we had.

Bryson Bort:

It is whatever you want it to be, science fiction. 23rd century technology at your fingertips.

Congressman Mike Gallagher:

Yeah. Well, at the broadest level … And this gets to the debate about the NCD. I think if we had a magic wand, we would rebuild our national security infrastructure in general and our cybersecurity infrastructure in particular from scratch, but failing a magic wand appearing, we are left having to reform the existing system. And I think, a separate cyber agency, as some have repeatedly advocate for would actually end up being the most bureaucratic solution because it would just be layered on top of CISA, of cybercom, NSA, everything else we have right now. So, that would be one thing.

Beyond that, if I could wave a magic wand. Well, this isn’t necessarily cyber specific, but it is related to the question of critical infrastructure and dependency on foreign countries, it is become apparent to me that there are certain areas where we are just going to have to onshore or near shore manufacturing. And we can all talk about what our biggest concern is, whether it’s rare earths, or whether it’s pharmaceuticals or certain progressive colleagues of mine suggest electric vehicles are a national security issue. I disagree with that.

There seems to be an emerging consensus on the idea that semiconductors are critically important. And indeed, the geopolitical importance of Taiwan is in part connected to the fact that TSMC is located there. And by taking over Taiwan, she could hold the rest of the world hostage with a dominant position in semiconductors. Right now, if you’re trying to buy a new car it’s very expensive, because there’s a chip shortage that’s causing companies like Volvo to shut down their manufacturing. So there’s a lot of domestic economic implications.

So I think right now if I can wave a magic wand, I would take some of this money that we seem to be wasting on a lot of foolish things. In the last Coronavirus bill, or in this $2 trillion Green New Deal bill. And I would use it to jumpstart two or three domestic chip fabs in the industrial Midwest. And if you gave me a second magic wand, that absolve me from being labeled a homer or a parochial person, I would situate all of those in Northeast Wisconsin, and then we could save the world with our manufacturing prowess here in the industrial Midwest.

Bryson Bort:

Just like a politician to take a wand and turn it into a lamp with three wishes?

Congressman Mike Gallagher:

That’s right. That’s right. And then I would convince every kid in America to get off social media and spend their days interacting with other human beings, that would be my fourth wish.

Bryson Bort:

You waved your magic wand, in your case the genies gone, now we’re looking into the crystal ball, five year prediction of one good and one bad thing that you think is going to happen with critical infrastructure?

Congressman Mike Gallagher:

Well, I do think SolarWinds, Microsoft Exchange, a few other things are canaries in the coal mine, and possibly though the details remain murky to me. What happened with I believe it was a water system in Florida is another suggestion that the system is blinking red, I fear that the dystopian future we tried to describe in the opening pages of our solarium report is going to become a reality in the next five years, and we’re going to witness a massive, catastrophic cyber attack on critical infrastructure that will actually create physical destruction or loss of life. I really do worry about that.

On the positive side over the next five years. Well, I mean, listen, I’m always an optimist about the Green Bay Packers. I think we’re going to win a few Super Bowls in the last three years of Aaron Rodgers career here, so that’s a positive. What else? I guess my less humorous answer would be. I do think that there is an emerging bipartisan consensus when it comes to China in Congress, and even though we might disagree about certain approaches, or certain programs, or proposals, I think as I work with my colleagues on the Armed Services Committee, whether it’s my co-chair of the Supply Chain Task Force, Alyssa Slotkin, or Jimmy Panetta, or Stephanie Murphy, I think they share the recognition that the Chinese Communist Party is far and away our foremost geopolitical challenge and that we are at the early stages, not the late stages of a competition that is going to be incredibly important for the next few decades.

And so, there’s a lot of people earnestly working across the aisle right now to try and cement that consensus in a way that people have good faith did in the early Cold War, and that gives me a lot of optimism for the future, even though there’s some scary things on the horizon geopolitically.

Bryson Bort:

As a Washington football team fan, I have no empathy for you.

Congressman Mike Gallagher:

I have a solution to your problem by the way, I’ve said this before, but for those who are worried about the name and defensive nature of it, back in the Revolutionary War days or prior to the Revolutionary War, a lot of the frontiersman settlers hardcore people in America at the time were buckskins, and there was something called a buckskin militia. That was basically just a bunch of hardcore dudes around that time. Why not rename them as the Buckskins, so you could still be the skins but you would also have this cool tie to America’s origin that I think would strike a patriotic chord with all of the the skins fan in the greater DC area. Boom, I’ve just solved it.

Bryson Bort:

And meanwhile here we are wondering why we still have the honor we have, and what’s going to be quarterback next year, and is our linebacker core going to be healthy? I mean, but no, we could just finally get a good name. Yeah, sure that’ll solve it.

Congressman Mike Gallagher:

Listen, I don’t get paid for these ideas, I should, but that’s a freebie for all the Waukee football team fans out there.

Bryson Bort:

Thank you so much for joining us.

Congressman Mike Gallagher:

Happy to be here. This is a lot of fun, and thanks for what you’re doing with this podcast. It’s absolutely important and I really love it, so thank you.