When Congress gets hacked: Why cyber oversight can’t wait
Publish Date: 2026-03-05 21:16:00
Source Domain: federalnewsnetwork.com
There is an urgent need for stronger congressional leadership in cyber policy, especially when it comes to countering China’s persistent, aggressive intrusions.
Andrew Grotto
March 5, 2026 4:24 pm
In January, news broke that a notorious People’s Republic of China (PRC) cyber espionage campaign called Salt Typhoon compromised email systems used by House of Representatives staffers. The affected systems included the committees responsible for monitoring and countering China’s influence, including the China, Foreign Affairs, Intelligence and Armed Services committees.
Congress is more than just a victim, however. It also has a constitutional responsibility to ensure that cyber laws and budgets are adequate to support the nation’s cyber defenses, and to be transparent about its own cyber challenges. In line with the president’s anticipated cybersecurity strategy, there is an urgent need for stronger congressional leadership in cyber policy, especially when it comes to countering China’s persistent and aggressive intrusions into U.S. infrastructure.
Congress should lead by example. Federal agencies are required under federal law to report major cyber incidents to Congress within seven days of identification. Many private businesses are also subject to incident disclosure requirements, such as data breach notification requirements (for privacy breaches), critical infrastructure incident reporting (for companies in a critical infrastructure sector) and material cyber incident reporting (for public companies). Congress should develop and publish a formal incident reporting and disclosure policy that includes public disclosure, subject to narrow restrictions for protecting national security.
Another way Congress can lead by example is to take a hard look at its own IT infrastructure. Details about how the PRC gained access to Congress' email in this latest breach are still limited, but if the executive branch's experience with cyber incidents is any indication, it is possible that security shortcomings in the IT products used by Congress, such as Microsoft 365, contributed to the breach. If so, Congress should press vendors on why those shortcomings exist, demand better service from them, and threaten to switch to a different vendor if the incumbents cannot deliver.
2025 was not a good year in security for legacy federal IT contractors. For example, in July, Microsoft was found to be using engineers based in China, and therefore subject to Chinese laws requiring people and organizations there to aid PRC surveillance, to support the Defense Department's networks. Secretary Pete Hegseth shut Microsoft's program down in August and President Donald Trump signed a law in December banning the practice, but the fact that Microsoft had such a program in the first place highlights the company's enormous confidence in its ability to keep DoD locked in as a customer.
To make the switching threat credible, Congress will need to examine whether and to what extent the incumbents have Congress “locked in” to using their products. Switching costs impede competition by undermining the credibility of threats to switch. And when the competitive pressures on incumbents are weak, so are their incentives to make their systems safer. Lock-in does not happen purely by accident; some IT vendors actively cultivate it as part of their sales strategies. Microsoft, for example, reportedly structured business dealings with the federal government to achieve lock-in. To lead by example, Congress must determine if and how much it is locked into its existing vendors, and whether that is inhibiting better cybersecurity.
Executive branch agencies face similar challenges, so whatever lessons and insights Congress derives from an examination of its own degree of captivity to incumbents are likely to apply to the executive branch as well. IT modernization is reportedly a core element of the Trump administration's forthcoming cybersecurity strategy, but the administration will need congressional support to push modernization through. That is because the incumbent IT providers have cozy deals with many of their federal agency customers, deals that cost taxpayers more than the quality and security of the services are worth. The incumbents will fight any modernization that puts those deals at risk.
Finally, Congress should hold a round of hearings focused on the cyber threat emanating from China and how Congress can support the Trump administration and private industry’s efforts to counter the threat. National Cyber Director Sean Cairncross has correctly observed that U.S. policy does not adequately deter adversaries’ malicious cyber activity. The U.S. must find ways to impose tangible costs on adversaries, including through offensive cyber operations and other punitive measures.
But another major reason adversaries are not deterred is that cyber defenses are uneven, at best, across critical infrastructure and government networks. Stronger defenses would also change adversaries' cost-benefit calculus for cyberattacks. With the White House's upcoming cyber strategy expected to focus on shaping adversary behavior and bolstering critical infrastructure resilience, this would be an important step in the right direction.
Andrew Grotto founded and co-directs the Program on Geopolitics, Technology, and Governance at Stanford University's Center for International Security and Cooperation. He serves as the faculty lead for the Cyber Policy and Security specialization in Stanford's master's in international policy program. He is also a visiting fellow at the Hoover Institution. He was the Senior Director for Cyber Policy on the National Security Council in the Obama and Trump administrations. He advises technology companies including Google Cloud on digital risks and is on the board of directors for Slamfire, an AAA video game studio.
© 2026 Federal News Network. All rights reserved.