To better protect the nation's critical digital infrastructure, lawmakers must enact policies to address a shortage of trained cybersecurity \n\nprofessionals, a panel of experts warned at a joint House subcommittee hearing on Tuesday.Stressing the urgency of the threats, witnesses from industry and academia told members of the Committee on Science, Space and \n\nTechnology's research and technology subcommittees that cybersecurity, as a profession, is hobbled by scant funding for research and \n\ndevelopment and education."I do not have to tell you that we are under attack in cyberspace. Those of us in the field of security have known about it for some time \n\nnow, but now the problem has broadened and deepened in scope," said Frederick Chang, president and COO of the data-analytics firm 21CT."The field of cybersecurity is too reactive and after the fact. We wait for something bad to happen, and then we respond. We lack the \n\nfundamental scientific understanding of causes, of solutions, of counter measures. Science uses words like 'evidence,' 'metrics,' 'repeatability,' \n\n'predictability.' In cybersecurity, these words are not used often enough," Chang added. "Indeed, when it comes to predictability, about the only \n\nthing we can predict with a high degree of confidence is that a determined hacker will be able to compromise the target system."Tuesday's hearing comes at the beginning of the new congressional session when lawmakers are once again working to build support for \n\nlegislation to bolster defenses against digital attacks on critical infrastructure operated by the government and private sector.Lawmakers and witnesses both expressed support for one such bill, the Cybersecurity Enhancement Act, which passed the House in 2010 \n\nbut did not clear the Senate. The authors of that \n\nmeasure, Reps. Michael McCaul (R-Texas) and Dan Lipinski (D-Ill.), are trying again in the 113th Congress. That legislation includes provisions to \n\nestablish cybersecurity grant programs, improve coordination among federal agencies and develop cybersecurity scholarships at the National \n\nScience Foundation.Whether the Cybersecurity Enhancement Act progresses as a standalone bill or as part of a more comprehensive package, McCaul is hopeful \n\nthat new cybersecurity standards, after years of debate, will become law in short order."I do believe this is the Congress when we will get cybersecurity legislation passed through the House, the Senate and signed by the White \n\nHouse," he said. "Whether it's criminal, whether it's espionage, whether it's cyberwarfare, we can't afford to wait any longer."But in the absence of congressional action, President Obama earlier \n\nthis month issued an executive order directing federal departments and agencies to develop a system for reporting cyberattacks, \n\nexpanding coordination with the private sector and other measures.That executive order, limited in scope by the bounds of presidential authority, was not designed as a substitute for cybersecurity legislation, \n\nwhich as a general matter enjoys strong bipartisan support."This challenge requires a thorough and comprehensive effort in both the public and private sectors," said Rep. Lamar Smith (R-Texas), the \n\nchairman of the full House science committee. "Private companies are increasing their investment in cybersecurity. Congress should support \n\nthose efforts. Only Congress can provide the incentives and protections that would permit necessary information sharing among companies \n\nand more importantly between private companies and the federal government." Of course, at a time of contracting agency budgets, finding new federal funding for cybersecurity research and development is a tall order. \n\nCybersecurity writ has never been a significant line item in the federal budget, amounting to just a fraction of a percentage point of government \n\nspending.But it might be time to make cybersecurity a bigger piece of the pie, Chang suggested, particularly given the increasing reliance on digital \n\nsystems across virtually every sector of the economy."If you think about the priorities that the nation is now placing on cybersecurity, the fact that it's something less than 1 percent seems to be \n\na small number. It's not for me to determine what the priorities are, but that just strikes me as sort of a low number," Chang said.The debate over cybersecurity often gives air to dire warnings and dramatic rhetoric, with officials warning of an event like a "cyber Pearl Harbor" or "cyber 9-11". Michael Barrett, the chief information security officer at PayPal, pointed out that the true extent of hacking and other criminal activity is \n\nshrouded by a shortage of information about attacks, and called for the government to undertake new research aiming to illuminate the scale of \n\nthe problem."What we have found from our years of combating cybercrime is that quantifying the full cost is difficult, if not impossible, because many \n\nincidents aren't reported," Barrett said. "Estimates of the magnitude and scope of cybercrime vary widely, making it difficult for policymakers and \n\nindustry to fully understand the problem and the level of effort needed to combat it. We recommend that policymakers fund some research that \n\nhelps fill some of the information gaps that currently exist as it relates to cybercrime. We believe that this research will be a critical tool in arming \n\npolicymakers, law enforcement and industry against the growing threat of cybercrime."Terry Benzel, deputy director for cyber networks and cybersecurity at the University of Southern California's Information Sciences Institute, \n\nurged a broader rethinking of the traditional approach to cybersecurity. Instead of a piecemeal focus on specific attacks and vulnerabilities, she \n\nsuggested a more holistic view of the threat landscape that would ingrain security across the enterprise."All too often our research is narrowly focused on single topics. For example, we have many people conducting excellent research in \n\ndistributed denial-of-service, worms, botnets and Internet routing, each studied individually and deeply," Benzel said."But believe me, our adversaries are not looking narrowly," she added. "In fact, they are looking at the combination of these different kinds \n\nof threats and vulnerabilities, as well as combining that with cyber-physical systems and social engineering. We can no longer afford to look \n\nnarrowly at the hard problems."Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and \n\non Google +.