{"id":193239,"date":"2026-03-05T21:16:00","date_gmt":"2026-03-06T02:16:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/05\/when-congress-gets-hacked-why-cyber-oversight-cant-wait\/"},"modified":"2026-03-06T00:25:08","modified_gmt":"2026-03-06T05:25:08","slug":"when-congress-gets-hacked-why-cyber-oversight-cant-wait","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/05\/when-congress-gets-hacked-why-cyber-oversight-cant-wait\/","title":{"rendered":"When Congress gets hacked: Why cyber oversight can\u2019t wait"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/commentary\/2026\/03\/when-congress-gets-hacked-why-cyber-oversight-cant-wait\/\">When Congress gets hacked: Why cyber oversight can\u2019t wait<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/commentary\/2026\/03\/when-congress-gets-hacked-why-cyber-oversight-cant-wait\/\">https:\/\/federalnewsnetwork.com\/commentary\/2026\/03\/when-congress-gets-hacked-why-cyber-oversight-cant-wait\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-05 21:16:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n
<p>                                        There is an urgent need for stronger congressional leadership in cyber policy, especially when it comes to countering China\u2019s persistent, aggressive intrusions.<\/p>\n<p>                            Andrew Grotto<\/p>\n<p>                                    March 5, 2026 4:24 pm                                <\/p>\n<p>                                4 min read                            <\/p>\n<p>                    In January, news broke that a notorious People\u2019s Republic of China (PRC) cyber espionage campaign called Salt Typhoon compromised email systems used by House of Representatives staffers. The affected systems included the committees responsible for monitoring and countering China\u2019s influence, including the China, Foreign Affairs, Intelligence and Armed Services committees.<br \/>\nCongress is more than just a victim, however. It also has a constitutional responsibility to ensure that cyber laws and budgets are adequate to support the nation\u2019s cyber defenses, and to be transparent about its own cyber challenges. In line with the president\u2019s anticipated cybersecurity strategy, there is an urgent need for stronger congressional leadership in cyber policy, especially when it comes to countering China\u2019s persistent and aggressive intrusions into U.S. infrastructure.<br \/>\nCongress should lead by example. Federal agencies are required under federal law to report major cyber incidents to Congress within seven days of identification. Many private businesses are also subject to incident disclosure requirements, such as data breach notification requirements (for privacy breaches), critical infrastructure incident reporting (for companies in a critical infrastructure sector) and material cyber incident reporting (for public companies). 
Congress should develop and publish a formal incident reporting and disclosure policy that includes public disclosure, subject to narrow restrictions for protecting national security.<br \/>\nAnother way Congress should lead by example is taking a hard look at its own IT infrastructure. Details about how the PRC gained access to Congress\u2019 emails in this latest breach are still limited, but if the executive branch\u2019s experiences with cyber incidents are any indication, it\u2019s possible that security shortcomings in the IT products used by Congress such as Microsoft 365 contributed to the breach. If that\u2019s the case, Congress should press vendors on why these security shortcomings exist, demand better service from them, and threaten to switch to a different vendor if the incumbents can\u2019t deliver.<\/p>\n<p>2025 was not a good year in security for legacy federal IT contractors. For example, in July, Microsoft was found to be using engineers based in China \u2014 and therefore subject to Chinese laws requiring that people or organizations there aid PRC surveillance \u2014 to support the Defense Department\u2019s networks. Secretary Pete Hegseth shut Microsoft\u2019s program down in August and President Donald Trump signed a law in December banning the practice, but the fact that Microsoft had such a program in the first place highlights the company\u2019s enormous confidence in its ability to keep DoD locked in as a customer.<br \/>\nTo make the switching threat credible, Congress will need to examine whether and to what extent the incumbents have Congress \u201clocked in\u201d to using their products. Switching costs impede competition by undermining the credibility of threats to switch. And when the competitive pressures on incumbents are weak, so are their incentives to make their systems safer. Lock-in does not happen purely by accident; some IT vendors actively cultivate it as part of their sales strategies. 
Microsoft, for example, reportedly structured business dealings with the federal government to achieve lock-in. To lead by example, Congress must determine if and how much it is locked into its existing vendors, and whether that is inhibiting better cybersecurity.<br \/>\nExecutive branch agencies face similar challenges, so whatever lessons and insights Congress derives from an examination of its own degree of captivity to incumbents are likely to be applicable to the executive branch as well. IT modernization is reportedly a core element of the Trump administration\u2019s forthcoming cybersecurity strategy, but the administration will need congressional support to push modernization. That\u2019s because the incumbent IT providers have cozy deals with many of their federal agency customers \u2014 deals that cost taxpayers more money than the quality and security of the services is worth. The incumbents will fight modernization that puts these deals at risk.<br \/>\nFinally, Congress should hold a round of hearings focused on the cyber threat emanating from China and how Congress can support the Trump administration and private industry\u2019s efforts to counter the threat. National Cyber Director Sean Cairncross has correctly observed that U.S. policy does not adequately deter adversaries\u2019 malicious cyber activity. The U.S. must find ways to impose tangible costs on adversaries, including through offensive cyber operations and other punitive measures.<br \/>\nBut another major reason why is that cyber defenses are uneven, at best, across critical infrastructure and government networks. Stronger defenses would also change adversaries\u2019 cost-benefit calculus for cyberattacks. 
With the White House\u2019s upcoming cyber strategy expected to focus on shaping adversary behavior and bolstering critical infrastructure resilience, this will be an important step in the right direction.<br \/>\nAndrew Grotto founded and co-directs the Program on Geopolitics, Technology, and Governance at Stanford University\u2019s Center for International Security and Cooperation. He serves as the faculty lead for the Cyber Policy and Security specialization in Stanford\u2019s master\u2019s in international policy program. He is also a visiting fellow at the Hoover Institution. He was the Senior Director for Cyber Policy on the National Security Council in the Obama and Trump administrations. He advises technology companies including Google Cloud on digital risks and is on the board of directors for Slamfire, a AAA video game studio.<br \/>\n<\/p>\n<p>                     Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When Congress gets hacked: Why cyber oversight can\u2019t wait https:\/\/federalnewsnetwork.com\/commentary\/2026\/03\/when-congress-gets-hacked-why-cyber-oversight-cant-wait\/ Publish Date: 2026-03-05 21:16:00 
Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":193240,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/03\/GettyImages-2163464821.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-193239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/193239"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=193239"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/193239\/revisions"}],"predecessor-version":[{"id":193241,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/193239\/revisions\/193241"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/193240"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=193239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=193239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=193239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}