WASHINGTON – An empty chair fielded question after question from an angry Senate panel Thursday, after a White House cybersecurity coordinator invoked executive privilege and skipped the hearing.
Representatives from the FBI, the Pentagon and the Department of Homeland Security testified beside the empty chair, telling the Senate Armed Services Commitee they are working to increase coordination and communication.
But much of the hearing was focused on Rob Joyce’s empty chair, which Sen. John McCain, R-Arizona, said showed “a fundamental misalignment between authority and accountability” in cybersecurity efforts at a time when Russians are meddling in an attempt to “destroy the fundamentals of democracy.”
When Sen. Elizabeth Warren, D-Massachusetts, asked if the agency was “prepared to fully prevent another round of cyber intrusions into our election systems in 2018 and 2020,” Christopher Krebs, of the Pentagon’s National Protection and Programs Directorate, said there is “still work to be done.”
“We are not going to flip a switch and be 100-percent secure,” he said.
Arizona officials said Thursday they have not been dissatisfied with the help they have received from federal agencies, but added that there is a growing need for help of all sorts, from hardware to communication.
“Arizona works with DHS and other agencies when they let us know best practices and help identify hackers,” said Matt Roberts, a spokesman for Arizona Secretary of State Michele Reagan.
Roberts said that what the state needs most from the federal government is help buying new voting machines. It’s a conversation that many secretaries of state are having, he said, noting that it has been more than a decade since the federal government provided funding for voting infrastructure.
Roberts said that there is some overlap between federal agencies dealing with the state, but that local officials of the federal agencies do a good job keeping things straight.
Frank Grimmelmann, president and CEO of Arizona Cyber Threat Response Alliance, said that communication – between private entities and federal, state and local agencies – is the real key to dealing with a “fast and nimble enemy that doesn’t have those communication silos.”
“What we need is a fast-response infrastructure that doesn’t have bureaucratic hurdles, in order to respond to an enemy,” Grimmelmann said. “I am confident that the state of Arizona is on top of it and can do everything it needs to protect the upcoming election with existing policies.”
Those policies include a presidential policy directive, known as “PPD-41,” issued by President Barack Obama that delegates duties to different agencies in response to cyberattacks.
But Sen. Jack Reed, D-Rhode Island, noted that the directive only deals with responding to cybersecurity events and does not allow for getting out ahead of them.
In heated exchanges with senators, Assistant Secretary of Defense for Homeland Defense and Global Security Kenneth Rapuano said there are “issues associated with federal authorities to engage” in cybersecurity for elections, which is a state function.
Rapuano cautioned against “reassigning more responsibility for incident response” to the Defense Department, saying it would break the tradition of “not using the military for civilian functions.”
McCain blasted that argument saying “those issues could be corrected by legislation … they’re not engraved in tablets.” The idea that the Pentagon should not get involved is emblematic of disorganized federal response, he said, pointing out that a cyberattack was still an attack.
This is “one of the reasons why we’ve been so frustrated,” McCain said, citing Rapuano’s statement that, “Well, it’s not the Department of Defense’s job.”
“It is the Department of Defense’s job to defend this nation – that’s why it’s called the Department of Defense,” McCain said.