Cybersecurity hasn't topped the priority list this year for Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, but as he begins to take a closer look at a prime issue within his jurisdiction, it's clear the former businessman wants to nudge the debate toward tapping the expertise of the private sector and the cyber war-fighting skills of the military.
There's "no timeline" for producing cyber bills out of the committee, the Wisconsin Republican said in an interview, but he pledged to work cooperatively with ranking member Claire McCaskill, D-Mo.
McCaskill said in an interview she wanted to closely examine the Trump administration's cyber efforts, but Johnson's interest appears to be focused on finding the experts who can craft real-world answers, most likely in the private sector.
During a May 10 hearing — the panel's first this year on cyber issues — McCaskill said "discussions have begun" within the committee and with counterparts in the House on legislation to elevate cybersecurity functions at the Department of Homeland Security, a longtime goal of House Homeland Security Chairman Michael McCaul, R-Texas.
Such legislation is poised for markup in McCaul's committee and is probably the most likely cyber candidate for congressional action this year. But Johnson has had little to say about that issue.
Johnson said that DHS reorganization was "part of the solution," but that answers to the nation's cyber challenges rest "primarily with the private sector."
The important thing at this stage, Johnson said in the interview, is "laying out the reality" of where the country stands on cyber. He said he was encouraged by what he heard at the hearing from a panel of policy experts, that the nation's cyber problems can be "addressed at the source and that we don't need to hire tens of thousands of people" for a government campaign against cyber attacks.
An "at the source" solution would involve empowering technologists to bake security into their products and conceptualize new approaches on the private-sector side and articulating a deterrence policy that takes advantage of the U.S. military's formidable skills in cyberspace and U.S. economic power throughout the world.
To that end, President Trump on May 11 signed an executive order that for the first time explicitly calls for development of a comprehensive deterrence policy that would lean on both military and economic might.
Trump's new executive order also calls for an accelerated effort to advance international collaboration on cybersecurity.
The May 10 Senate hearing was sparsely attended and abbreviated, as Democrats used procedural rules to halt all committee action amid the uproar over the firing of FBI Director James Comey.
Still, the panel collected an extensive list of far-reaching recommendations that fit neatly into Johnson's vision of how responsibility should be divided between government and the business world.
Johnson's main takeaways from the hearing, he said, were making clear to adversaries that there is a price to pay for cyber attacks, moving responsibility for securing the Internet away from end-users and tapping into private-sector expertise to formulate solutions.
"Stop thinking the cyber threat is something the consumer can fix," Steven Chabinsky of White & Case LLP, a member of former President Barack Obama's cybersecurity commission, testified at the session. "We need to move it as far away from the end-user as possible and resolve the problems at their source, not at their destination."
Chabinsky and Kevin Keeley, a cyber incident response director at Monsanto and captain in the Missouri National Guard, both suggested more aggressive government responses to cyber incidents, with Keeley advocating more military-directed "offensive cyber operations as a counterpoint to cyber attacks."
Afterward, Johnson noted Chabinsky's analogy of the water crisis in Flint, Mich., as "a great one," saying that current lines of cyber responsibility between government and industry are akin to telling every homeowner in Flint that they must build their own water purification system.
Johnson also said he has spoken recently with Jared Kushner, the president's son-in-law who is heading up a government IT modernization effort from his post in the White House.
"He's grappling with the same issues [and] problems of tapping into the private sector" for expertise, Johnson said. "We need to get at how to overcome those hurdles."
The president's new executive order appears to provide a framework for getting at the deterrence question that Johnson raised, requiring key agencies to report within 90 days on "strategic options for deterring adversaries."
Reorienting the cyber discussion away from thinking up new ways to persuade consumers to be more careful online will take longer. But Johnson said he wanted to get this conversation started and, perhaps most importantly, engage "the best and brightest minds" to help move the cyber dialogue to a new plane.
"The federal government is usually tactical," Johnson said at the hearing, with a certain businessman's disdain. He said policymakers should find the experts and provide the incentives for them to begin supplying the solutions.
It's a different take, but cybersecurity is a different kind of problem.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.