Congress is now moving to implement some of the recommendations contained in the Cyberspace Solarium Commission Report, which was released earlier this year. The 122-page report was impressive in its thoroughness. When it made its debut in March, it was not clear which, if any, of its many ideas would become realities.
Indeed, the report appeared at an inauspicious moment. Its release coincided with the onset of the COVID-19 pandemic. The seriousness of the report also stood in contrast to the unpredictable and often contemptuous stance the administration had taken toward government regulation in general. The “solarium” reference in the report’s title seemed almost ironic. It was an allusion to the Eisenhower-era conclave of nuclear war strategists who met secretly in the White House’s solarium: serious men who plotted America’s course in a time of grave national peril.
We are not in that kind of administration today. To be fair, though, cybersecurity policy has advanced under the Trump White House, perhaps despite a lack of direct interest from the executive himself. Cybersecurity is neither sexy nor controversial, so experts can work quietly on policies that make sense—without having to worry too much about smear campaigns, cynical news leaks and various other staples of Washington dysfunction.
The recommendations and industry reactions
The House and Senate have gone to work and produced somewhat different sets of recommendations based on the report. Both sets are attached to the massive, annual National Defense Authorization Act (NDAA). They now go to conference, where the two chambers reconcile their versions, so the final NDAA will probably include some, but not all, of the original House and Senate proposals.
A summary of the House and Senate bills is included below. The House amendments are mostly structural. They focus on strengthening the Cybersecurity and Infrastructure Security Agency (CISA) and appointing a National Cyber Director. The Senate’s proposals are more expansive, with an emphasis on military cybersecurity. It is gratifying to see them pay attention to cyber weaknesses in American weapons systems. This is a serious issue that needs remediation.
Industry response has been enthusiastic, with Michael Daly, Chief Technology Officer of Raytheon Intelligence & Space, for example, commenting, “The House amendments address some of the most important recommendations of the Commission Report, predominantly focused in the area of strengthening cybersecurity governance.”
In particular, Daly was pleased with the proposed creation of an Office of the National Cyber Director. He said, “This empowers the Cybersecurity and Infrastructure Security Agency with leadership and authorities, and calls for the creation of risk management agencies. This is a huge win for our national cyber security.” Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black, felt that “the strategic opportunities for action delineated within their thoughtful report lay out a holistic strategy for civilizing American cyberspace and actively disrupting the cyber insurgency that our adversaries have stoked.”
Still more work to do
Industry leaders, while pleased with the congressional moves, still feel there is more work to do to realize the vision of the Solarium Commission. Andrew Howard, CEO at Kudelski Security, noted, “Ultimately, these recommendations are just a first step and, frankly, more will be needed. This report puts a lot of emphasis on product vulnerabilities, rightly so. Additional emphasis by companies on layered security and rigorous testing is needed.” For instance, Howard would like to see rules requiring vendors to keep issuing security patches for as long as they support a product.
Michael Daly felt that there were two areas that could be enhanced by adding legislative proposals to the NDAA. One is to improve the accurate and timely attribution of cyber incidents. The other is to authorize funding for the Cybersecurity Moonshot. This proposal would require the Department of Commerce to establish national cybersecurity grand challenges to achieve high-priority breakthroughs in cybersecurity. In Daly’s view, the Moonshot is “particularly crucial, because it is a mechanism for laying the foundation for continuous improvement and engaging the whole-of-nation in strengthening our cybersecurity posture and our economy.”
Tom Kellermann had two additional proposals of his own, which align with testimony he gave before the House Finance Sub-Committee in June. He suggests that the government create a tax incentive for companies that dedicate at least 10 percent of their IT budgets to cybersecurity and comply with the NIST Cyber Security Framework. He would also like to see a modernization of anti-money laundering and forfeiture regulations to empower the government to seize the virtual currencies and digital payments used in cybercrime conspiracies.
The US is at least two steps away from seeing much real impact from the Solarium Commission. First, the House and Senate bills must go through conference. Whatever emerges from that process will then have to be implemented by various agencies in the executive branch. The good news is that the proposals don’t appear to be very expensive. They are low-voltage, common-sense ideas that should not be too controversial. However, they do deal with bureaucratic structure and personnel, so it’s possible they will get bogged down in infighting and slow-walking.
The next few months will be interesting.
House of Representatives Solarium-related amendments to the FY21 NDAA
- Solarium Recommendation 1.3 – Establish a National Cyber Director.
- Solarium Recommendation 1.4 – Strengthen the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security.
  - NDAA Amendment #320 – Establishes a fixed 5-year term for the Director of CISA and makes Assistant Directors career (as opposed to political) appointees. (Richmond, Katko, Langevin, Gallagher)
  - NDAA Amendment #329 – Requires the Secretary of Homeland Security to conduct a review of CISA’s force structure and facilities in light of increased operational requirements. (Ruppersberger, Katko, Langevin, Gallagher)
  - NDAA Amendment #162 – Enhances CISA’s ability to protect federal civilian networks by authorizing continuous threat hunting on those networks. (Mark Green, Langevin, Gallagher, Katko)
  - NDAA Amendment #318 – Authorizes CISA to provide shared cybersecurity services to smaller agencies to assist them in meeting Federal Information Security Modernization Act requirements. (Kathleen Rice, Gallagher, Langevin)
- Solarium Recommendation 3.1 – Codify Sector-specific Agencies into Law as “Sector Risk Management Agencies.”
- Solarium Recommendation 3.3.5 – Establish a Biennial National Cyber Tabletop Exercise.
- Solarium Recommendation 4.4 – Resource a Federally Funded Research and Development Center to Develop Cybersecurity Insurance Certifications.
- Solarium Recommendation 4.5.2 – Develop a Strategy to Secure Foundational Internet Protocols and Email.
- Solarium Recommendation 5.1.3 – Empower Departments and Agencies to Serve Administrative Subpoenas in Support of Threat and Asset Response Activities.
- Solarium Recommendation 5.4 – Establish a Joint Cyber Planning Cell under CISA.
Senate bill details for cybersecurity in the FY21 NDAA
- 1611. Modification of position of Principal Cyber Advisor.
- 1612. Framework for cyber hunt forward operations.
- 1613. Modification of scope of notification requirements for sensitive military cyber operations.
- 1614. Modification of requirements for quarterly Department of Defense cyber operations briefings for Congress.
- 1615. Rationalization and integration of parallel cybersecurity architectures and operations.
- 1616. Modification of acquisition authority of Commander of United States Cyber Command.
- 1617. Assessment of cyber operational planning and deconfliction policies and processes.
- 1618. Pilot program on cybersecurity capability metrics.
- 1619. Assessment of effect of inconsistent timing and use of Network Address Translation in Department of Defense networks.
- 1620. Matters concerning the College of Information and Cyberspace at National Defense University.
- 1621. Modification of mission of cyber command and assignment of cyber operations forces.
- 1622. Integration of Department of Defense user activity monitoring and cybersecurity.
- 1623. Defense industrial base cybersecurity sensor architecture plan.
- 1624. Extension of Cyberspace Solarium Commission to track and assess implementation.
- 1625. Review of regulations and promulgation of guidance relating to National Guard responses to cyber attacks.
- 1626. Improvements relating to the quadrennial cyber posture review.
- 1627. Report on enabling United States Cyber Command resource allocation.
- 1628. Evaluation of options for establishing a cyber reserve force.
- 1629. Ensuring cyber resiliency of nuclear command and control system.
- 1630. Modification of requirements relating to the Strategic Cybersecurity Program and the evaluation of cyber vulnerabilities of major weapon systems of the Department of Defense.
- 1631. Defense industrial base participation in a cybersecurity threat intelligence sharing program.
- 1632. Assessment on defense industrial base cybersecurity threat hunting.
- 1633. Assessing risk to national security of quantum computing.
- 1634. Applicability of reorientation of Big Data Platform program to Department of Navy.
- 1635. Expansion of authority for access and information relating to cyber attacks on operationally critical contractors of the Armed Forces.
- 1636. Requirements for review of and limitations on the Joint Regional Security Stacks activity.
- 1637. Independent assessment of establishment of a National Cyber Director.
- 1638. Modification of authority to use operation and maintenance funds for cyber operations-peculiar capability development projects.
- 1639. Personnel management authority for Commander of United States Cyber Command and development program for offensive cyber operations.
- 1640. Implementation of information operations matters.
- 1641. Report on Cyber Institutes Program.
- 1642. Assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity.