Senators urged the Trump administration on Wednesday to develop a comprehensive strategy for deterring and responding to cyber threats, voicing concerns about vulnerabilities in U.S. infrastructure.

Members of a Senate panel heard testimony on Capitol Hill from experts on threats to internet-connected devices and critical infrastructure, with many lawmakers pointing to a heightened risk of hacking and cyber espionage.

“We are exceptionally vulnerable in our system. I do agree that one of the prime things that we have to move is some actual deterrence,” Sen. James Lankford (R-Okla.) said.

“I would hope that we can work with this administration to help actually get that close, so worldwide there is a relationship internationally that if you hack into our systems and if you steal our information, or if you destroy systems, here are the boundaries and here’s what our response is,” he added.

{mosads}The issue has taken center stage in Washington in the wake of high-profile cyber intrusions and attacks in both the public and private sectors, and has been amplified by Russian interference efforts in the presidential election. 

Sen. John McCain (R-Ariz.), chairman of the Armed Services Committee, expressed frustration on Tuesday over the Trump administration’s lack of a strategy to address cyber threats despite his pledge to deliver an anti-hacking plan within 90 days of taking office. 

“We were hopeful that after years without any serious effort to develop a cyber deterrence policy and strategy from the last administration, the new administration promised one within 90 days of the inauguration,” McCain said at a hearing about U.S. Cyber Command.

“But 90 days have come and gone, and no such policy and strategy has been provided.”

Wednesday’s hearing was the first focused on cybersecurity for the Senate Homeland Security and Governmental Affairs Committee this year.

Sen. Ron Johnson (R-Wis.), who chairs the committee, used his opening statement to highlight threats from ransomware and networks of infected internet-connected devices called botnets.

Johnson voiced particular concern about the United States’ vulnerability to a cyberattack on its electric grid, citing hacks that targeted Ukraine’s power grid in 2015 and 2016.

“We would have a much more difficult time. We are probably more vulnerable because of the advancement of our technology. That’s part of the problem with the internet of things … we become more and more dependent on the electrical grid, more and more dependent on the internet, and as a result we are far more vulnerable,” Johnson said. 

“We better start defining these things. We ought to start laying out some pretty strong lines.”  

The committee received input from four experts, including a former FBI cyber official and a member of the Missouri National Guard who leads a cyber incident response team at agriculture giant Monsanto.

Broadly, they underscored the need for the U.S. to take steps to secure critical infrastructure from cyber threats.

Jeffrey Greene, senior director of global government affairs and policy at Symantec, floated the possibility of removing critical assets from the internet — or otherwise finding ways to secure them in the event of an intrusion.

Steven Chabinsky, the former FBI official who now leads a privacy and cybersecurity division at law firm White & Case, recommended that the government lead an international effort to rid the world of major botnets in the next two years. 

“If you look at what botnets generate, it includes economic espionage with command and control, it includes financial theft with the command and control of credential stealing, malware, and it obviously includes attacks through [distributed denial-of-service attacks] of our energy grid and other critical infrastructure,” Chabinsky said. 

“I believe that it would be an effective way of building international community as well as determining the vast different roles of government and private sector,” he added.