During a House Homeland Security Committee hearing held before the congressional recess, Rep. Mark Green (R-TX) questioned experts about the VA spending on compliance.
Transcript
00:00 The testimony today has been superb. My questions will be to reiterate points
00:08 you've made. In fact, I just told my senior staffer for cybersecurity to get
00:15 copies of everyone's testimony and provide it at the cyber subs meeting. The
00:18 cyber subs committee, I started this last year, some of you may be aware of this,
00:22 where we meet all the cyber subcommittees to try to get a whole of
00:26 government approach here. We're gonna send copies of your testimony to every
00:30 cyber subcommittee member in this Congress. This was excellent, thank you.
00:37 If Congress has a duty, let me make this point, Congress has a duty that we
00:42 have shirked over 40 years in both parties and passed off to the
00:45 bureaucracy. The Constitution is really clear. A lot of these things that the
00:51 administration is now closing, Chevron deference and the Supreme Court have
00:57 ruled, it really belonged to Congress in the first place and we never should have
00:59 passed it off to the doggone administration and the bureaucracy, right?
01:03 And so I get that there's some frustration that certain things are
01:07 being closed, but I mean constitutionally, we need to do that here. It's a part of
01:13 our oversight obligation, it's a part of our, particularly reporting and review
01:19 boards and things like that. I was told yesterday, and I don't know if it's
01:25 completely true, I gotta fact-check this, but the VA spends a billion dollars on
01:28 compliance. Does that seem reasonable? A billion dollars on compliance? These
01:34 conflicting rules in this, all this time I think, Ms. Hogseth, you said 30% on
01:41 actual just checking-the-box compliance and 70% on real cybersecurity. Was that
01:48 the ratio you quoted? 30 to 50% of the chief information security officer's
01:53 time is spent on that and 70% of their teams. Ridiculous. Let me ask this question, what is
02:01 the average time to close a vulnerability when one's been identified?
02:05 And I just, give me a number of days and I'm gonna run the, average vulnerability
02:11 closing the door takes how long? Take a guess. You're gonna hate this answer.
02:18 It depends. Great. True, if it's a critical vulnerability, firms work to close that
02:25 within days if possible. It all depends on whether you're reliant. More than four? It would depend on how
02:31 much control you have over it. If it's something that resides within a third
02:34 party, you have less control and ability to move quickly to close it. Okay. Yeah, I
02:39 don't want to speculate, sir, on an average, but I will tell you that if you
02:42 look at the recent attacks that are coming from nation-states, it's taken
02:47 weeks, months, and it's still a process underway. Yeah, I'm not sure we've patched
02:52 the telecom breach yet. So if we're talking about like browsers, they can
02:55 close them in hours, but if you're talking about operational technology, it
02:58 takes days. Days. Yeah. Yeah, and SEC pulls the number four days out of their
03:03 backside and thinks that they're doing shareholders a positive, but when they
03:10 announce that they've got a hole in the door or in the wall and it's not going
03:16 to be closed, it invites attack from everybody. It's the stupidest thing I've
03:22 ever heard of. Let me ask this question. We've got to go and figure out all this
03:26 list of duplicity, list of conflicting. How best do we as Congress, does this
03:34 subcommittee and the subcommittees across our Congress figure out all the
03:41 list of duplicative requirements and contradictory requirements? How do we
03:47 go get this information? So first of all, I appreciate what you said about the
03:52 coordination across all the committees of jurisdiction. I think understanding
03:56 the first thing a cyber CISO or CSO is going to do is inventory their entire
04:03 system to understand where vulnerabilities might be. I'd say that
04:06 Congress needs to inventory the system, understand where all the regulatory
04:10 requirements are, so that we can start to work, do the hard work of harmonizing. And
04:14 just to foot-stomp something that you said about the lunacy of the SEC rule,
04:22 adversaries, and to talk about the vulnerabilities and the time to patch,
04:28 adversaries watch our response. And I understand, you know, the importance of
04:32 sunshine and transparency, but we also have to understand that intelligent
04:37 adversaries are leveraging our transparency when perpetrating attacks
04:42 and seeing how we respond. Don't we list the identified
04:46 vulnerabilities somewhere in a database that the bad guys can sit there and take
04:51 a look at, and then challenge and find where that vulnerability is anywhere in
04:55 the system? Those vulnerabilities become a little less important when
04:59 everybody knows about them. So there is that. There's always that legacy system
05:04 that's still running the old thing that nobody catches, and it's an open door.
05:08 That's what worries me there, Mr. Schwartz. I was gonna say, I mean, they
05:11 shouldn't, you shouldn't post, this is one of the reasons we say, don't, we
05:16 need a patch before you post a vulnerability. A patch has to exist, but
05:19 then people actually have to patch. We've just got to get everybody to download the
05:22 patch. Thank you, I yield.