
Episode 222: US Rep. Himes on Congress’s About-face on Cybersecurity

In this episode of the podcast (#222), we speak with Representative Jim Himes (D-CT) about Capitol Hill’s sudden and singular focus on cybersecurity – an about-face that he says was encouraged by the devastating Colonial Pipeline hack.


It is no news to anyone who has stayed abreast of the cybersecurity space that vulnerable software and hardware pose a serious risk to critical infrastructure in the United States. It is also no secret that sophisticated nation-state adversaries have made a habit of poking around inside sensitive government and corporate networks. 

For some reason, however, that message has mostly fallen on deaf ears on Capitol Hill. After all, the Senate first got briefed on cyber risk to the government and economy more than 20 years ago, when members of the L0pht, an early hacker collective, casually informed Senators in 1998 that they could “shut down the Internet” in 30 minutes, if they wanted.

Capitol Hill’s Long Learning Curve

Between 1998 and today there have been countless hearings on cyber risks and countless reports documenting the federal government’s ineptitude on matters of information security. There have been even more head-slapping pronouncements of lawmakers’ utter cluelessness when it comes to matters of technology. Senator Ted Stevens’s “the Internet is a series of tubes” statement from 2006 is just the most famous, but lawmakers continue to fall for dubious arguments, like intelligence industry assurances that desired backdoors in encryption algorithms are possible without undermining everyone’s security.

That’s not to say that the ship of state isn’t slowly (slowly) turning, with the help of lawmakers on Capitol Hill who “get it,” or that the body can’t put past lapses behind it and forge a brighter future for the public and private sector on matters of cybersecurity. The 2015 Cybersecurity Information Sharing Act is one great example. Among other things, it created the Federal Government’s first point agency on cybersecurity, the Cybersecurity and Infrastructure Security Agency, or CISA.


U.S. Rep. Jim Himes (D-CT)

In this week’s podcast, we invited one of Capitol Hill’s most recognized voices on matters of information security: Congressman Jim Himes, a seven-term Democratic representative for Connecticut’s 4th District. On Capitol Hill, Himes serves on the Defense Intelligence and Warfighter Support (DIWS) Subcommittee and the Strategic Technologies and Advanced Research (STAR) Subcommittee. He is also a member of the House Financial Services Committee, where he serves as the Chair of the Subcommittee on National Security, International Development, and Monetary Policy. He also serves as the Ranking Member of the NSA and Cybersecurity subcommittee.


In this conversation, Congressman Himes and I talk about Congress’s dawning awareness of our nation’s vulnerability to cyber attacks – an awareness that the recent Colonial Pipeline ransomware attack helped cement. We also talk about the best way to counter the actions of foreign governments like those in Russia and China that are exploiting our reliance on the Internet and technology to undermine democratic institutions and make off with valuable intellectual property. 

I started off our conversation by asking Rep. Himes about how he has seen Congress’s thinking on cybersecurity change during his seven terms in office. 


As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.


Episode 222 Transcript

[START OF RECORDING]

PAUL: Hello and welcome to The Security Ledger podcast. I’m Paul Roberts, Editor In Chief at The Security Ledger. In this episode of the podcast, #222:

CONGRESSMAN HIMES: And we have never really imposed a cost that would create a deterrent. And I think particularly with people like Putin, until Putin understands that there will be a significant cost to be paid, he’s going to keep doing it. He’s the classic playground bully who doesn’t understand anything other than the language of force.

PAUL: It’s no news to anyone who covers the cybersecurity beat that vulnerable software and hardware pose a serious risk to critical infrastructure in the United States, and that sophisticated nation-state adversaries have made a habit of poking around inside sensitive government and corporate networks. For some reason, however, that message has mostly fallen on deaf ears on Capitol Hill. After all, the Senate first got briefed on cyber risk to the government and the economy more than 20 years ago, when members of the L0pht, an early hacker collective, casually informed senators in 1998 that they could shut down the Internet in 30 minutes if they wanted to. Between 1998 and today, there have been countless hearings on cyber risks, countless government reports documenting the federal government’s ineptitude on matters of information security and defense. That’s not to say that the ship of state isn’t slowly turning with the help of lawmakers on Capitol Hill who understand cybersecurity. The 2015 Cybersecurity Information Sharing Act is a great example of that. Among other things, it created the federal government’s first point agency on cybersecurity, the Cybersecurity and Infrastructure Security Agency, or CISA. In this week’s podcast, we invited one of Capitol Hill’s most recognized voices on matters of information security into the studio. Congressman Jim Himes is a seven-term Democratic Representative from Connecticut’s Fourth District. On Capitol Hill, he serves as a member of the House Permanent Select Committee on Intelligence, where he’s chairman of the Strategic Technologies and Advanced Research, or STAR, Subcommittee. And he serves as the ranking member of the NSA and Cybersecurity Committee. In this conversation, Congressman Himes and I talk about Congress’s dawning awareness of our nation’s vulnerability to cyber attacks, an awareness that the recent Colonial Pipeline ransomware attack helped cement.
We also talk about the best way to counter the actions of foreign governments. I started off our conversation by asking Representative Himes about how he has seen Congress’s thinking on cybersecurity change during his seven terms in office.

CONGRESSMAN HIMES: Yeah. So I’m Congressman Jim Himes. I represent the Fourth District of Connecticut, that’s southwestern Connecticut. I’m in my 7th term, and I spend most of my time in Washington on intelligence issues as a member of the Intelligence Committee and on financial services issues as a member of that committee. And most recently, actually, interestingly, the Speaker of the House has asked me to chair the Committee on Economic Disparity.

PAUL: Congressman, welcome to the Security Ledger podcast.

CONGRESSMAN HIMES: Thank you.

PAUL: You have really focused in your time in Congress on cybersecurity, on the House Intelligence Committee and the NSA and cybersecurity subcommittees. Can you talk about just in your time in Congress, kind of how this topic and Congress’s thinking around cybersecurity has changed?

CONGRESSMAN HIMES: Yeah, and change it has, I’m glad to report. Again, I’ve been doing this for coming on 13 years, and I would say that there’s been really a dramatic change in people’s level of education and sense of urgency around cybersecurity. I sometimes joke that even a decade ago, you’d have people with three stars on their shoulders come in in front of the Homeland Security Committee or other committees, and you’d ask them about cybersecurity and you’d get blank stares. And obviously, there’s been an awful lot of water under the bridge, so to speak, since then. The federal government, as it is wont to do, arguably hasn’t moved quite as rapidly as it should, but it has moved quite rapidly to stand up organizations that are about defending our cyber infrastructure, developing offensive capabilities that theoretically could be used and sometimes are used for retribution or for other operations. And perhaps most importantly, there’s been really a high level of education given to members of Congress. It might have taken a while. It might have been the gas lines forming in Virginia because of the Colonial Pipeline fiasco. But legislators have come to realize how very important this issue is.

PAUL: Yeah. If there’s any doubt before. Right. People putting petroleum into plastic supermarket bags is a good sign that things are going sideways a little bit. One of the issues that has really gained a lot of attention just in the last year or 18 months or so is ransomware attacks, obviously, because, I mean, they’ve been a problem for a while, but they have increasingly focused on critical infrastructure providers in one way or another. What are your thoughts on what role, if any, Congress and the federal government can play in this problem, which affects, obviously, local, state, federal governments as well as private sector entities? What’s to be done about it from a policy standpoint?

CONGRESSMAN HIMES: Yeah. Well, the answer to that is a lot. And you’re absolutely right. There was something about Colonial Pipeline and people in big gas lines reminiscent of the 70s that brought this home. I mean, it’s not like ransomware attacks are a new thing. We saw the city of Baltimore attacked a number of years ago, and, of course, we’ve sort of, people, individuals and others have experienced this. But, yeah, there was something that made it very real when the Colonial Pipeline shut down for that period of time. And so there’s an awful lot more that we can all do. And you asked about the government in particular. But let me sidetrack you for 1 second and say that when you talk to the experts on this issue, whether those experts are inside the government or groups like Gartner, they will tell you that they almost never see a zero-day attack. That a tiny percentage of malware is unknown. And so probably the biggest thing we can do as a society, and I’m sure government can help on this, is just to be a lot smarter and a lot more hygienic in how we do things. Patching our software, two-factor authentication, being smarter about clicking on unknown links. I’ve always said that if all of us, and I don’t just mean individuals out there on their laptops, this applies to corporate America, too, if we were just smarter and more competent about that stuff, we would take a very big problem and make it a lot smaller. But your question was about government and there, too, I think we have a lot of work we can do. Let me tell you a story to illustrate how poor I think the teamwork is when we see a ransomware attack. I was in a hearing on the intelligence committee talking to a very senior intelligence expert. When the thing was winding down, it was reported in the press that a ransom had been paid. We were very interested to know how our three-letter agencies had been helpful and worked in partnership with Colonial Pipeline.
And I asked a senior intelligence person, do we know if they paid, press reporting that they paid a $4 million-plus ransom? Do we know if that’s true or not? And the answer was, we don’t know. So to me, that is just perfectly illustrative of the fact that we have a lot of work to do to really crowdsource our responses to these things, to make sure that the government is perhaps literally sitting side by side with energy companies and banks and what have you when these attacks come in. We’ve got a long way to go in that respect.

PAUL: I mean, one of the challenges in the United States is so much of our critical infrastructure is privately owned, not publicly owned. So these are either corporations, maybe publicly traded, maybe not, that own and operate this infrastructure. And there’s obviously a long history of government kind of keeping its hands out of the private sector whenever possible. That ethos has prevailed in the past, where the government has preferred to let industry regulate itself rather than come in and impose security mandates or do audits and that type of thing. Do you think that we’re kind of reaching an inflection point on that, given the track record of the private sector on this, which you have to admit is not great?

CONGRESSMAN HIMES: Yeah, I do. And what do I mean by that? We’re actually seeing bipartisan support for ideas like mandatory breach reporting. I would suggest that five years ago that probably would not have been true. There was lots of, and you still hear, the private sector saying, “Hey, wait a minute. We’re victims here, don’t treat us like we’re the bad guys.” From the standpoint of regulation, I think more and more we’re developing a more competent way of thinking about this, what I like to think of as sort of an FAA and aviation regulation way of thinking about this stuff, which is regulators working in partnership with the private sector to make sure that we’re safe, with things like self-reporting and mandatory reporting and that kind of thing. And I think there needs to be a little bit of a phase shift in our thinking, because, as you point out, there has always been kind of a bright line between where government gets involved in partnership or otherwise with the private sector. But let’s face it, I mean, 40 years ago, when I was a kid, networks didn’t exist. And so my ability to buy a quart of milk, my ability to withdraw money from a bank, my ability to get my news on the television, none of that was vulnerable to something, a threat that didn’t yet exist. And now (we really learned this during COVID, if we didn’t know it before) our level of networking is almost existential in its existence. And, of course, that’s only going to become more true over time. So I think without in any way, shape or form, losing a respect for the values that we have to respect, the privacy of individuals. Nobody wants the FBI keeping their Social Security number or their whereabouts on a spreadsheet somewhere. So without in any way abandoning concepts of privacy, I do think we’re going to need to get much more comfortable over time with the government sitting side by side with the private sector on cybersecurity issues.

PAUL: Yeah. Coming back to ransomware, you mentioned the whole ransom payment thing. And I listened to some of the Colonial Pipeline hearings. Congress people often seem fixated on the payment of ransom, how it was paid, the decisions involving being paid, the consequences of it being paid. What’s your take on ransomware payments? Let me just editorialize here. I think it’s kind of a dead end issue. I don’t think it’s the most relevant issue around ransomware, but it does seem to be a fixation of policymakers. Why do you think that is? And do you think it’s actually a really important issue?

CONGRESSMAN HIMES: I’m with you on this. I think it’s an overblown issue. And people who haven’t spent a lot of time in the space and have maybe thought about all of the, the military has a term, “left of boom,” which is everything that leads up to a bad situation. Folks that haven’t thought about all of the vulnerabilities and the actions that happen before a ransom is paid sometimes sort of seize on that because it’s one of the more understandable elements of this. But the truth is that we don’t have a lot of clarity about the payment of ransom in the physical world, right. We don’t say to people, if your cousin is kidnapped in Colombia, just to pick something, you can’t pay ransom. We don’t say that. Now, there are laws. You can’t pay money to terrorists. You probably can’t pay money to certain known and named criminal groups, but it’s very hard for the government to do what I think some people think it should do, which is to simply prohibit the payment of ransom. If you have a small business and the business has ransom, all of their data has turned up, what the government is saying, if they’re saying you can’t pay ransom, is that, sorry, you’re gone. And I think people need to sort of grapple with that. So I agree with you. I think there’s so much more we can do about being smart in our defenses, about being united internationally to go after rogue groups that are undertaking these criminal activities, which, by the way, I think that’s a huge underexplored realm. None of us are safe, not the North Koreans, not the Iranians, not the Russians, not the Chinese. None of us are safe from rogue criminal operators. So I just think there’s so much more we can do before we have a very difficult argument about policies surrounding the payment of ransom.

PAUL: To that point, one of the things that the federal government has done recently, or Congress, rather, is the Cyberspace Solarium Commission, which was really an effort to talk about high-level government policy in cybersecurity and come up with some recommendations. Can you talk a little bit about that Commission and some of the recommendations that came out of it?

CONGRESSMAN HIMES: Yeah. It was really a terrific effort. It was bipartisan and had knowledgeable and very practical members of Congress as well as outside experts opining, and they came up with, actually, unusually for a government report, it makes for really good reading as well. And it makes a lot of the suggestions that have been talked about for a long time, but it just did it, obviously, at a very high level, with a lot of policy makers involved, suggestions about better cooperation between the government and the private sectors. We’ve been talking about suggestions about making sure that we’re doing everything we can to coordinate the development of norms internationally. That’s not a sexy field, but the UN is beavering away through the government group of experts to try to develop norms and more clarity around things like who exactly is a rogue? How do we jointly go after them? I use a lot of Cold War metaphors, and sometimes I get some blowback for that. But one of the reasons we stayed safe in the Cold War, as horribly dangerous as that period was, was because we developed very clear doctrines around what was an act of war, what wasn’t, what our procedures were for missile defense. And we shared those doctrines with our, quote “enemies,” the Soviets, and they did the same with us. And as a consequence, because we knew each other’s doctrines, and we knew how, we worked really hard to make sure we knew how we thought about the threat, the level of risk was much reduced. We don’t have that today in the cyber realm. Nobody really knows what’s an act of war versus a crime. And we’ve got a lot of work to do to try to get to that point where we’ve got sort of common agreement internationally.

PAUL: Each month, the Security Ledger podcast informs and entertains an audience of thousands of technology and information security professionals. If that sounds like an audience your company is trying to reach, consider sponsoring one of our podcasts. We offer per episode sponsorships of our weekly podcast, which features news, analysis and discussion of the most important security topics of the day. You can also commission a custom podcast that highlights your executives, researchers and subject matter experts. To learn more, point your web browser to SecurityLedger.com/sponsor.

PAUL: I mean, one of the big takeaways from that Commission report was this notion of deterrence and pursuing a policy of deterrence, which is, of course, if you’re a student of the Cold War, was sort of the operating M.O. of the West. What does that mean in the context of cybersecurity and cyber attacks? And what could the US and its allies do to deter actors like Russia, China, Iran, North Korea from what they’ve been doing in recent years, which is pretty aggressive offensive cyber operations in the US and in North America and Europe?

CONGRESSMAN HIMES: Yeah. I’m really glad you asked, because this has been a bugaboo of mine for twelve years now. I’ve had this argument with three different presidential administrations, and I’ve made the point repeatedly that one of the reasons we keep seeing these Russian and Chinese, Russian in particular, attacks on our cyber infrastructure, whether it’s the DNC hack or the ongoing activities of the Russians and the Chinese, is because we don’t impose a cost for them having done so. I remember being very disappointed when then President Obama ejected whatever the number was, 60 plus so-called diplomats, Russian diplomats, from the country and shut down, I guess, some kind of facility in Maryland. That was a slap on the wrist of Vladimir Putin compared to the chaos he was able to cause by hacking into the DNC computer system. And we have never really imposed a cost that would create a deterrent. And I think, particularly with people like Putin, and I draw a distinction between the Russians and the Chinese, because the Chinese are doing a lot, a lot of theft. They’re going into our defense contractors and stealing intellectual property. That’s a little different than creating political chaos the way Russians are often trying to do. Until Putin understands that there will be a significant cost to be paid, he’s going to keep doing it. He’s the classic playground bully who doesn’t understand anything other than the language of force. And so what does that mean? That means there’s a lot of routes you can take here. We should have destroyed network equipment on the part of the GRU or the SVR, the Russian intelligence agencies. We should have messed with the financing. You could have picked a couple of oligarchs and emptied their Swiss bank accounts. Now I’m saying this a lot more quickly than I should say it because there’s obviously all sorts of equities that you take into account and you observe things like proportionality.
But until Vladimir Putin, when he’s asked if the SVR can conduct this operation, has to think, oh, my God, the last time that happened, it caused chaos, X, Y, Z, he is going to keep doing it. Now, the counter argument, you got me started here. The counter argument has always been, but we’re so much more vulnerable, and there’ll be a tit for tat, and they’re going to take down our networks. Well, what are they going to do, shut down a gasoline pipeline? So I really do think it is way past time that we use our offensive cyber capabilities to make leaders around the world think two and three times before they do what they’re doing otherwise every single day.

PAUL: So you bring up the problem with our own vulnerability. And obviously, Russia has a $1.7 trillion economy, less than half the size of California’s. We have a $20 trillion economy. So we’re kind of the biggest glass house in the world. We are a huge economy. We are, as you said, heavily reliant on communications networks and the Internet to run our economy. And there are obviously endless opportunities for them to hurt us. And maybe our opportunities to hurt them are not quite as big. So what’s to be done?

CONGRESSMAN HIMES: Yeah. And that’s obviously the key question, to which I guess I’d say two things. Number one, it’s not self-evident to me that on the chess board, we’re in a much worse position than they are. Right. So let’s talk about economic and political power in the United States. It is immensely fragmented. There are all kinds of senators, all kinds of members of Congress, governors, mayors, all of whom matter. In Russia, there are probably a handful of people that matter politically. Wealth and the private sector: we have a massively robust private sector where wealth and economic power is highly fragmented and distributed. So it’s not clear to me they have a highly concentrated. The analogy I would draw is that when you get into a shooting war, you don’t want to put all of your tanks in a highly concentrated formation. And so it’s not immediately clear to me that the chess board is as grim as perhaps you describe it. Strategically speaking, I do think that there are individuals, businesses and financing in Russia that are very readily identifiable that we could mess around with in a way that would be very painful and very scary for Putin and his cronies. The other thing I would say is, of course, you do this in a way where you try not to escalate, because, yes, a lot of damage could be imposed on our people. We got a little taste of that with the Colonial Pipeline. And so I think what you do is you say there’s a new sheriff in town. You saw what our capabilities are. We don’t want this to escalate, but you’re going to stop doing this. You are going to stop doing this. And by the way, you observe all of the standards and norms that you observe for offensive activity, proportionality, minimization of collateral damage, etc. So, again, I think that’s a scary world, but I don’t think it’s as scary as wondering next Monday what headline I’m going to read about what the FSB or the SVR did that week.

PAUL: Can I, I know one news item from mid-July was a distributed denial of service attack on the Russian Ministry of Defense’s website. Do you know whether that was something that the US military or government was behind?

CONGRESSMAN HIMES: Yeah, you’re in a realm here where I can’t talk about what I know. Very little is as sensitive as our offensive cyber operations. So I can’t go there. However, I will point out, just to be helpful to your larger point, there have been press reports of some of the offensive operations that the NSA, Cyber Command were reported to have undertaken that are pretty impressive. Some of the things that they talked about even doing around the election, the point being, we’re really, really good at this. And because we’re really, really good at this, we should, I think, demonstrate that fact to people who might otherwise think they’ve got a free pass with us.

PAUL: Okay. Can I talk about why I hope that wasn’t a US military operation?

CONGRESSMAN HIMES: Of course, of course.

PAUL: Which is, it’s pretty ham-fisted, right? Like, DDoS attack on their website. Pretty old school.

CONGRESSMAN HIMES: Pretty old school.

PAUL: It’s pretty kind of 1999. So I am hoping that when we’re projecting forward or defending forward, that it’s not DDoS attacks on Ministry of Defense websites.

CONGRESSMAN HIMES: Well, I have to be super careful in this realm, because since I do get briefed on this stuff, I have to be very careful to not confirm things that are in the press. But let’s just say that there is a lot of press out there about, in the last 20 years, some of the things that we were reputed to have done.

PAUL: Okay, you know what I’m saying, though, right?

CONGRESSMAN HIMES: Yeah. We have far more sophisticated people than those who would initiate a DDoS.

PAUL: We talk a lot about Russia, but, of course, China is doing this stuff, as are countries like North Korea and Iran. Is it basically the same problem? Do we need to be, is it really a different problem set and response for each of these actors? Because we know their motivations are all slightly different, as are their capabilities.

CONGRESSMAN HIMES: I think of the Chinese and the Russian threats, which I would hold up as the two most significant cyber threats. I think of them very differently. I think of Putin’s activities and the Kremlin’s activities, almost like vandals. Sometimes it’s just about leaving that flaming bag of dog poop on your doorstep to show that it can be done, to take off your shirt and flex your chest muscles. And that’s a little bit of a cartoon. I understand it is broad based. It is chest up.

PAUL: The shirt off with the flexing muscles. That’s actually not a cartoon.

CONGRESSMAN HIMES: I know. I use that deliberately. The Chinese, of course, are much more targeted in what they do. There’s nothing sort of ego driven by Chinese intrusions. They are very targeted and primarily around something that we don’t do as a country, which is industrial espionage, steal our secrets and our commercial secrets. And they are exquisitely good at that, unfortunately. And we have not done nearly enough to defend. We also haven’t done, if you think about it, that we’ve talked a lot about deterrence today. That’s a little different, right. Because they’re not breaking things or they’re actually stealing plans for X, Y, Z. So no, I do think of the threats as very, very different and do require a different response. Look, if nothing else, I mean, we’re in a period of time where there is in Congress, hysteria is too strong a word, but just 24/7 concern about China, and China is a very, very nuanced threat. Right. Because on the one hand, they’re doing some awful things that we disapprove of in the side and in other realms, including the way they treat their own people. But there’s not a thing sitting in the room you’re sitting in that doesn’t have China in its supply chain. They own trillions of dollars of US sovereign debt. That’s not true of Russia. So, yes, the toolbox and the chess board are very different.

PAUL: Let’s talk about some of the good news to come out. First of all, we have CISA, and you’ve talked about maybe a greater role for that agency. Last week, they came out with a new platform for federal agencies to use to do vulnerability disclosure programs. And I’m actually working on a story about some of the fruit that that has already borne, of federal agencies putting up vulnerability disclosure programs, inviting independent security researchers to come in and kind of poke around and see if they can find security holes and stuff like that. So, CISA’s doing a great job. What would you like to see happen with that particular agency?

CONGRESSMAN HIMES: Well, yeah, great point. And I’m delighted to see that, all of this churning in the Senate with infrastructure bills and reconciliation bills, everybody is talking about more resources for not just CISA, but all of the government’s cybersecurity efforts. So what would I like to see? Number one, by the way, we’ve got a lot of work to do to get our own house in order. We’ve taken some steps inside the federal government, but even in the most sensitive networks, we constantly see intrusions. And so we’ve got a lot of work to do before we start telling other people what they need to do in securing our most sensitive national security secrets, and I can’t get into how successful, sadly, some of our opponents have been getting inside there. But you know about this stuff because you remember the SF 86 intrusion and all of that stuff. So we’ve got a lot of work to do to demonstrate and to use best practices inside the federal government. And then the other thing I would highlight is that I was a veteran of the CISA Act legislation. I think it was 2015 where we fought this huge fight to get, to start the process of getting, I keep using the word crowdsourcing, of getting the three-letter agencies working with the private sector. We’ve got a long way to go to make sure that there is probably 24/7 interaction and sharing of information. Again, with care. We don’t want the NSA or the FBI having spreadsheets of Americans’ personally identifiable information, but I just don’t see a world where we don’t have all of the experts working in real time because the threats are constant. The threats are real time. And so I do think both internally in our own house, but also externally, setting up a regime where we are working together on a 24/7 basis is where we need to go.

PAUL: Just give me your thoughts on the infrastructure deal. It’s percolating its way through Congress. What’s in there vis-à-vis cybersecurity? And is it enough?

CONGRESSMAN HIMES: Yeah. Great question. Great last question, actually. So I think of this deal, the bill is good for two reasons. Number one, it’s really well targeted, and that means that lots of people think there’s stuff in there that there should be, and some who think that it’s too big, etc. But look, I think of it as a 21st century bill. And what I mean by that is heavy on transit. It’s, relatively speaking, lighter on bridges and highways, but it’s very heavy on mass transit, which is the future of traveling, certainly in more densely populated areas. It’s very heavy on broadband. And, of course, this points in the direction of what we’re talking about right now, making sure that the Tennessee Valley Authority provided electricity for the American South back in the 1930s, that every American is going to have access to broadband. And then, as I mentioned before, it has good resources for the federal government’s effort to secure the network behind all of that. The other thing I mentioned, there were two things that got me excited about it, in addition to the 21st century aspect, the fact that it’s going to be bipartisan. I guess I’m a little old school and I saw what happened on January 6, and I think Americans really need to see that the two parties can come together to pass something big and meaningful. That’s going to be, I think, a gift to our otherwise somewhat tattered democracy.

PAUL: I agree with you on that. Representative Himes, thank you so much for coming out and speaking to us on the Security Ledger podcast. It’s been a pleasure.

CONGRESSMAN HIMES: Thank you very much. Look forward to coming back at some point.

PAUL: We’ve been speaking with Jim Himes. He’s a US Representative for Connecticut’s Fourth District. He was here talking to us about the changing thinking on Capitol Hill when it comes to cybersecurity and cyber risk.

[END OF RECORDING]
