Other witnesses included Gen. Keith B. Alexander (Ret. USA), President and Chief Executive Officer, IronNet Cybersecurity; Michael Daniel, President, Cyber Threat Alliance; and Frank J. Cilluffo, Director, Center for Cyber and Homeland Security, George Washington University. The hearing sought to provide a comprehensive assessment of the current cyber threat environment, helping to guide the Committee’s legislative and oversight efforts to defend U.S. domestic networks.

Click here to watch the hearing in full. 

Click here to read McConnell's written statement. 

Click here to read "A Civil Perspective on Cybersecurity," an op-ed by McConnell and Jane Holl Lute. 

Click here to review the U.S. Federal Cybersecurity Operations Team national roles and responsibilites. 

Below is McConnell's oral statement at the hearing.

Good morning Chairman McCaul, Ranking Member Thompson, and Distinguished Members of the Committee. Thank you for inviting me. 

I am Bruce McConnell from the EastWest Institute, an independent, non-partisan, non-profit that works with all major governments and the private sector to reduce security conflicts. Before EastWest, I served four years at DHS, departing in 2013 as the Acting Deputy Under Secretary for Cybersecurity. I also served at the O.M.B. under Presidents Reagan, George H. W. Bush, and Clinton.

Let me tell you what keeps me awake at night . . . what got me out of bed this morning to come see you. Last week I hosted a meeting near my home in Oakland, California. Two hundred government officials, industry geeks, professors, and activists from 35 countries spent three days developing answers to Apple vs. FBI, how to make smart cities into safe cities, improving capacity in cyber insurance, and, most important, developing rules of behavior for governments and companies in cyberspace. 

Have you ever seen your children and grandchildren swipe away the twenty-five smart phone apps they have open? Each of these apps enlivens some aspect of their lives, of our lives. We are grateful for this technology, and we depend on it. What is worrisome is that every one of those apps is an open door to well-funded, persistent state-sponsored attackers to intrude into our business or deny us the benefits of cyberspace. When I think about this for myself, it makes me mad. However, when I multiply that by the two billion people and millions of companies that are on the network today, and the billions of young people who are coming on in the years ahead, I foresee a global economic and political catastrophe unless we get those attackers under control. 

Today’s situation reminds me of the Gold Rush out in California 160 years ago. Some people made a lot of money, and it developed one of the great states in our Union. It also took us 30 years to establish law and order out there. Mr. Chairman, we don’t have 30 years to establish law and order in cyberspace. Military and intelligence agencies all over the world are equipped with the latest computers, communications, and cyber weaponry. These are good weapons. They are cost-effective, generally non-lethal, and they let us project force remotely and, often, stealthily. But there are two problems.

First, there is a runaway cyber arms race, led by the United States, Russia, China, Iran, Israel, some European countries, and North Korea. Over 30 countries have formed cyber offense units. There is no deterrence, no incentive not to do so. There is also an “information war” going on between East and West. It involves cyber burglary and publication of stolen information, like during the U.S. elections. This is part of a larger, damaging, degradation of the information space by the dissemination of fake news, political trolling, social media bots, and the weaponization of intelligence.  

We know the Russians and their surrogates are not the only attackers. There is always China. And, earlier this month, we learned about Western actions against North Korean missile systems and a variety of CIA practices. Even with the best motivations, these continuing, ungoverned state-on-state skirmishes in cyberspace undermine terrestrial security and stability. There is a growing risk of miscalculation and escalation that could spill over into direct physical harm to the United States and its citizens. And, if the credibility of cyberspace is further degraded, it will be useless as a medium for commerce and governance. People are already leaving e-commerce because they are afraid they will be victimized. 

So, what should the U.S. government do to respond? Fortunately, we have the answer to that question. In brief, we need cyber deterrence, governed by rules, and, we need cyber defense, governed by roles. 

Over the past two Administrations, the Executive branch worked on a bipartisan basis with this Committee and the rest of Congress, to establish clear roles for cyberspace security. The resulting laws and directives cemented the primary role of the Department of Homeland Security in protecting the Nation’s critical cyber infrastructure. In doing so, they also reflect two important values:

First, cyberspace is fundamentally a civilian space. The military, and NSA in particular, must protect our most valuable military and intelligence assets. But the military should keep out of our civilian infrastructure. It’s a long national tradition, and they have their hands full already. 

Second, securing cyberspace is a team effort. Agencies must work with each other and with the private sector in a seamless manner. 

In sum, the U.S. government needs to buckle down, work with the private sector and with other governments, and get it done. And it would be really great if you, on behalf of our kids and all the kids, could hold the federal agencies accountable for what you have already told them to do. 

Thank you, and I look forward to your questions.