The United States needs a top-level cybersecurity coordinator, more powers for CISA, and cybersecurity-specific committees in Congress, the Cyberspace Solarium Commission said in its long-awaited report.
Established by the 2019 National Defense Authorization Act, the Cyberspace Solarium Commission was tasked with making recommendations on how the United States should overhaul its current cybersecurity strategy. The final report listed more than 75 recommendations for the executive and legislative branches of government, including establishing a national cyber director, allocating more powers to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) director, forming House and Senate Cybersecurity Committees, creating a Bureau of Cyber Statistics, and following a strategy of “layered” deterrence.
The biparisan panel was made up of representatives from both government and private sector. The commission included FBI Director Christopher Wray, Deputy Secretary of Defense David Norquist, Sen. Ben Sasse (R-Neb.), Rep. James Langevin (D-R.I.), and former Deputy Director of the National Security Agency Chris Inglis.
“The reality is that we are dangerously insecure,” Sen. Angus King (I-Maine) and Rep. Mike Gallagher, co-chairs of the commission, said in a statement. “Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised.”
New Director
The commission said that a White House cabinet-level “national cyber director” was necessary in order to coordinate within the government and with the private sector. The position is very similar to the cybersecurity coordinator position that was eliminated by then-National Security Advisor John Bolton in 2018. There is one significant difference: the commission recommended the cyber director position be subject to Senate confirmation.
The commission did not suggest establishing one unified federal cyber agency—but gave the national cyber directory the responsibility of coordinating national efforts and recommended granting CISA more powers. The director of CISA should have power equivalent to a deputy secretary, a larger budget, and serve for five-year terms so that there is time for long-term planning, the commission recommended.
Other recommendations in the report regarding CISA would give the agency the authority to coordinate federal government and private sector readiness for major incidents and campaigns. CISA’s public-private integrated cyber-center would be given stronger connections to similar centers in other parts of the government.
“In my prior role as Director of the ICS-CERT at the Department of Homeland Security, we often struggled with interagency cooperation and I am pleased to see such collaboration called out,” said Marty Edwards, the vice president of operational technology at Tenable Security. Edwards served as the CERT Director in the Obama Administration.
Agency Shake-Up
The commission suggested changes to responsibilities held by other departments and agencies, including the Department of Homeland Security, State Department, and the Election Assistance Commission. One such recommendation was to give the State Department an assistant secretary focused on cybersecurity and the Election Assistance Commission would give a fifth member to vote on cybersecurity issues. The Department of Defense should review the Cyber Mission Force and perform vulnerability assessments of nuclear controls and weapons systems.
The Assistant Secretary of State for cybersecurity would give the State Department a central person to push conversations on norms of acceptable state behavior in cyberspace.
DHS should take the lead on a federally-funded research and development center to develop certifications for cyber-insurance products. The Commerce Department would head up a National Cybersecurity Certification and Labeling Authority. An interesting development would be the creation of the Bureau of Cyber Statistics, similar to the current Bureau of Labor Statistics.
DHS and National Security Agency should lead a Joint Collaborative Environment to expand access to threat information.
Congressional Moves
Several of the recommendations require Congressional approval, such as passing legislation to make “final goods assemblers of software, hardware, and firmware” liable for legal damages from known and unpatched vulnerabilities, to strengthen data security and privacy protection, and improve law enforcement tools. The expansion of powers and increased funding would also need Congressional approval.
“It's also high time that a federal law is passed that puts the onus on updating vulnerable hardware and software on vendors and/or final goods assemblers,” Edwards said.
For supply chain, the commission recommended that “Congress should direct the U.S. government to develop and implement an industrial base strategy for information and communications technology to ensure trusted supply chains.” There should be more labeling of information and communications technology products, and more threat hunting activities in the defense industrial base.
Congress should also carve out the responsibility for cybersecurity from existing committees and establish the House Permanent Select and Senate Select Committees on Cybersecurity. This is particularly important because oversight is currently scattered across multiple committees, which hampers Congress from addressing security topics effectively. The new committees, however, will not be involved with military or intelligence cyber-operations (Titles 10 and 50).
An interesting recommendation involved establishing a Cyber Response and Recovery Fund. The government would have the authority to declare a “cyber state of distress,” which would trigger state and local access to the fund, much in the way declaring a state of emergency allows local governments to ask for federal assistance.
Layered Deterrence
The strategy of “layered cyber deterrence” will reduce the "probability and impact of cyberattacks of significant consequence," the commission said. The three layers include promoting international norms to encourage responsible nation-state behavior in cyberspace, hardening the U.S. defenses to make attacks difficult, and a willingness to strike back against attackers. “Despite numerous criminal indictments, economic sanctions, and the development of robust cyber and nonn-cyber military capabilities, the attacks against the United States have continued,” the report wrote.
Third Way, a Washington, D.C.–based public policy think tank, noted that the recommendations in the report focused on a military response to cyberattacks, which “under-emphasizes the diplomatic and law enforcement efforts” to go after cybercriminals. Less than 1 percent of incidents ever result in the perpetrator being arrested.
“In most of the incidents that victimize Americans every day, a military response is inappropriate,” Mieke Eoyang, the vice president for national security at Third Way, said in a statement. “While we value the incredible work of the Commission, as Congress moves forward in considering its recommendations, we hope that they will also work to strengthen support to our government entities working to bring cybercriminals to justice."