House Homeland Security hearing spotlights economic incentives, secure-by-design and software accountability
Summary
A House Homeland Security field hearing in Silicon Valley focused on shifting economic incentives in cybersecurity, promoting secure‑by‑design software, and exploring liability and procurement levers to raise the cost to attackers and reduce preventable vulnerabilities.
A House Committee on Homeland Security field hearing at the Hoover Institution in Silicon Valley on Oct. 11, 2025, centered on how changes to economic incentives, procurement and product design could reduce cyber risk to U.S. critical infrastructure.
Lawmakers and witnesses said the current economic balance favors attackers and urged policies and market changes to shift responsibility away from under‑resourced victims. "The cost and incentives associated with cyber security are currently imbalanced in favor of the attacker rather than the defender," Chairman Green said, citing an IBM finding that "the global average cost of a data breach in 2024 was nearly $4,900,000." The committee heard proposals to use procurement, certification and possible liability to create stronger incentives for secure products.
The hearing brought together former national security officials and private‑sector cybersecurity leaders to argue that manufacturers should build security into products rather than relying on end users to fix insecure defaults. Jack Cable, CEO and cofounder of Corridor, said, "Most cyberattacks exploit preventable vulnerabilities in software products or insecure default configurations." Cable and other witnesses urged wider adoption of secure‑by‑design practices and procurement standards that reward demonstrable product security.
Wendy Whitmore, chief security intelligence officer at Palo Alto Networks, highlighted the operational effect of better engineering and automation: "Every single day, Palo Alto Networks blocks up to 31,000,000,000 cyberattacks. Up to 9,000,000 of those daily attacks represent novel attack methods never previously seen." Witnesses argued that better engineering, paired with automated detection and response, can lower defenders' operational costs and reduce reliance on point‑in‑time compliance checklists.
Panelists described specific tools and market mechanisms lawmakers could use. Janette Manfra, head of global risk and compliance at Google Cloud, recommended harmonized baselines and reciprocity among certification regimes, pointing to FedRAMP and tooling such as OSCAL to streamline authorization. Cable and others recommended expanding secure‑by‑default practices—randomizing initial passwords, enabling multifactor authentication by default—and stronger procurement rules so buyers demand better product security.
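To make the secure‑by‑default recommendations concrete, here is an added illustration (not code from the hearing, nor from Corridor, Palo Alto Networks or Google Cloud) contrasting a shared factory default account with per‑device provisioning: a random initial password from the OS CSPRNG, a forced change on first login, and multifactor authentication required rather than opt‑in. The account record layout, the PBKDF2 parameters and the audit check a procurement reviewer might run are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed example of the kind of insecure default the witnesses criticised:
# one shared credential for every unit shipped, nothing forcing a change.
INSECURE_DEFAULT = {
    "username": "admin",
    "password": "admin",
    "must_change": False,
    "mfa_required": False,
}

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000  # assumed work factor for the illustration


def generate_initial_password(length: int = 20) -> str:
    """Per-device random initial password drawn from the OS CSPRNG."""
    if length < 16:
        raise ValueError("initial passwords must be at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def provision_device_account(username: str = "admin") -> tuple:
    """Secure-by-default provisioning.

    Returns the record the device stores and the one-time password that would
    be printed on that unit's label. No two units share a credential, the
    first login must rotate it, and MFA is on without the user opting in.
    """
    password = generate_initial_password()
    salt, digest = hash_password(password)
    record = {
        "username": username,
        "salt": salt,
        "hash": digest,
        "must_change": True,
        "mfa_required": True,
    }
    return record, password


def verify_login(record: dict, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored hash."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def check_defaults(record: dict) -> list:
    """Audit check a buyer could apply to a product's shipped default account.

    Returns the list of findings; an empty list means the defaults pass.
    """
    findings = []
    if record.get("password") in {"admin", "password", "1234", ""}:
        findings.append("shared factory default password")
    if not record.get("must_change"):
        findings.append("no forced password change on first login")
    if not record.get("mfa_required"):
        findings.append("MFA not enabled by default")
    return findings


if __name__ == "__main__":
    print("insecure default findings:", check_defaults(INSECURE_DEFAULT))
    rec, one_time_pw = provision_device_account()
    print("provisioned account findings:", check_defaults(rec))
    print("label password verifies:", verify_login(rec, one_time_pw))
```

The audit function is the procurement angle the panel described: a buyer can state the three conditions it checks as contract requirements and test a delivered product against them, rather than relying on the vendor's self‑description.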
On the question of accountability, witnesses debated liability and safe harbor. Cable urged Congress to consider a software liability regime that holds manufacturers responsible for preventable vulnerabilities while providing clear safe harbors for compliance. Manfra and Whitmore emphasized clarity, transparency and measurable security outcomes as practical paths to raise baseline security without stifling innovation.
The committee said it will explore legislative and procurement options, including harmonized standards and incentives for secure products, but no formal vote or directive was taken during the hearing.