|On the same day another committee was considering amendments to the FY 2021 NDAA, a committee looked at recommendations to change US cyber policy|
One of the committees with jurisdiction over a number of the recommendations made by the Cyberspace Solarium Commission (CSC) held a virtual hearing to examine some of the panel’s policy and statutory suggestions to improve the cybersecurity of the United States. The hearing was chaired by one of the CSC members and all four witnesses were on the CSC. Those facts taken together with the timing of the hearing (i.e. right before the House is set to amendments embodying the CSC recommendations to the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395)) suggested the audience is House Democratic leadership, Senate Republican leadership, the Senate Armed Services Committee, and other stakeholders.
The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee held a virtual hearing on 17 July titled “Cyberspace Solarium Commission Recommendations” with the following witnesses:
- Senator Angus King (I-ME), Co-Chair, Cyberspace Solarium Commission
- Representative Michael Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
- Hon. Suzanne Spaulding, Commissioner, Cyberspace Solarium Commission
- Ms. Samantha Ravich, Ph.D., Commissioner, Cyberspace Solarium Commission
Consequently, given the subcommittee’s jurisdiction over the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), and the latter’s responsibility for helping non-defense civilian agencies secure their networks and systems, the subcommittee spent a fair amount of time discussing how to improve both entities.
Representative James Langevin (D-RI) chaired the hearing even though Representative Cedric Richmond (D-LA) is chair of the subcommittee. As mentioned, Langevin served on the CSC and has offered a number of amendments to be debated when the House considers the FY 2021 NDAA this week. In his opening statement, Langevin asserted
- The realities of 2020 make clear that a comprehensive, whole-of-nation approach to cybersecurity is a necessity, but we do not yet have one. We lack a clear leader in the White House whose mission it is to focus on cybersecurity. We lack clear understanding of roles and responsibilities, both within government and between government and the private sector. We lack clear metrics to measure our progress.
- The Cyberspace Solarium Commission report cannot fix all the challenges we have in cyberspace. But it does chart a bold course, and it does not shy away from the tradeoffs we will need to make to decisively improve our cybersecurity posture. The report makes clear that everyone – from government to private sector companies to Congress itself –needs to make meaningful changes.
- We need to expect more from government: closer coordination across agencies, stronger collaboration with critical infrastructure, and, critically, a greater emphasis on planning. And we need to strengthen government agencies – in particular CISA – to do so.
- We also need to expect more from the private sector. We need companies to truly accept the risks they take in cyberspace by accepting the consequences of failing to protect their data and networks.
- We also need technology companies – what the report calls “cybersecurity enablers” – to do more to make the secure choice the default choice. Too often, we see a rush to be first to market, not secure to market. Too often, we see entities like ISPs not protecting their small and medium sized customers because they don’t believe it’s their job.
- Most importantly, where the public and private intersect, at the nexus of critical infrastructure that this committee is charged with protecting, we need to ensure the private sector is doing its part to protect itself while acknowledging that they can’t go it alone.
- The recommendations I am most interested in hearing about today are, strengthening the Cybersecurity and Infrastructure Security Agency (CISA) and its workforce, evaluating CISA’s facilities needs, strengthening the CISA Director position and making the Assistant Directors career, the National Cyber Director, authorizing CISA to threat hunt on the .gov domain, securing email, developing a strategy to secure email, and modernizing the digital infrastructure of state and local governments and small and mid-sized businesses.
- As Ranking Member on the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, my top priority among the Commission’s recommendations is strengthening and clarifying the CISA’s authority and vastly increasing its funding to allow it to carry out its role as the Nation’s risk manager coordinating the protection of critical infrastructure and federal agencies and departments from cyber threats. I introduced this recommendation as a bill, which requires CISA to assess what additional resources are necessary to fulfill its mission. This assessment should examine CISA’s workforce composition and future demands and report to Congress on the findings.
- Under the bill, CISA would also evaluate its current facilities and future needs including accommodating integration of personnel, critical infrastructure partners, and other department and agency personnel and make recommendations to the General Services Administration (GSA). GSA must evaluate CISA’s recommendations and report to Congress within 30 days on how best to accommodate CISA’s mission and goals with commensurate facilities. The facilities evaluation dovetails with the Commission’s recommendation for an integrated cyber center within CISA.
- I reintroduced my bill elevating and strengthening the CISA Director position to reflect the significance of the role, making the position the equivalent of an Assistant Secretary or military service secretary. My bill limits the term of the CISA Director to 2, 5-year terms, which ensures the agency has stable leadership. It also depoliticizes the Assistant Director positions by making them a career.
- A related legislative proposal that I am working with colleagues to pass, clarifies CISA’s authority to conduct continuous threat hunting across the .gov domain. This will increase CISA’s ability to protect federal networks and allow CISA to provide relevant threat information to critical infrastructure.
- Finally, the recommendation to establish a National Cyber Director within the White House is another legislative proposal I am cosponsoring. This Presidentially-nominated and Senate-confirmed National Cyber Director would be the principle cybersecurity advisor of the President, tasked with developing, counseling the President on, and supervising the implementation of a National Cyber Strategy. This leadership will bring focus to our Nation’s cybersecurity as a top strategic priority.
- Although there are many well-intentioned, capable people working hard to advance sound cybersecurity policy throughout the executive branch, the lack of consistent leadership from the White House has stunted progress. Over two years ago, for example, the White House green-lighted the elimination of its Cyber Security Coordinator. The result is a lack of effective coordination among Federal agencies who compete for cybersecurity authorities, responsibilities, and associated budgets – and Federal agencies approaching Congress with conflicting priorities. The time has come for that to stop.
- Toward that end, I appreciate and support the Commission’s recommendation that Congress establish a National Cyber Director. I understand Congressman Langevin has authored legislation to implement that recommendation and has also submitted it as an amendment to the NDAA. I fully support both efforts.
- I similarly appreciate the Commission’s recommendations regarding strengthening the Cybersecurity and Infrastructure Security Agency and more clearly defining the roles and responsibilities of CISA and sector risk management agencies. Right-sizing CISA’s budget and equipping it with the authorities necessary to carry out its mission to secure Federal networks, while also supporting critical infrastructure, has been a bipartisan priority of Committee Members.
- I am particularly interested in hearing Ms. Spaulding’s thoughts on these recommendations given her perspective as the former Under Secretary of the National Protection and Programs Directorate.
- Additionally, I am interested in discussing Commission recommendations related to implementing a “carrot and stick” approach to encourage private sector collaboration with the Federal government’s cybersecurity and defense efforts, particularly the proposed codification of “systemically important critical infrastructure.”
- Finally, I would be remiss if I did not address the Commission’s observation that Congress’ fractured jurisdiction over cybersecurity frustrates efforts to achieve a comprehensive, cohesive approach to cybersecurity. I agree. And while I disagree with the Commission’s recommendation on that point, rest assured that I am working to address the underlying problem.
In a joint statement, CSC Members
- Ultimately, the Commission developed a strategic approach of “layered cyber deterrence” with the objectives of actively shaping behavior in cyberspace, denying benefits to adversaries who exploit this domain, and imposing real costs against those who target America’s economic and democratic institutions in and through cyberspace. Our critical infrastructure–the systems, assets, and entities that underpin our national security, economic security, and public health and safety—are increasingly threatened by malicious cyber actors. Effective critical infrastructure security and resilience requires reducing the consequences of disruption, minimizing vulnerability, and disrupting adversary operations that seek to hold our assets at risk. We believe the future of the U.S. economy and our national security requires both the executive branch and Congress work in tandem to prioritize and grant the following recommendations.
- First and foremost, the Commission found that the federal government lacks consistent and institutionalized leadership, as well as a cohesive, clear strategic vision on cybersecurity. As a result, we recommend that Congress establish a National Cyber Director in the Executive Office of the President to centralize and coordinate the cybersecurity mission at the national level. The National Cyber Director would work with federal departments and agencies to bring coherence in the development of cybersecurity policy and strategy and in its execution. The position would provide clear leadership in the White House and signal cybersecurity as an enduring priority in U.S. national security strategy.
- Second, the government must continue to improve the resourcing, authorities, and organization of the Cybersecurity and Infrastructure Security Agency (CISA) in its role as the primary federal agency responsible for critical infrastructure protection, security, and resilience. We recommend empowering CISA with tools to strengthen public-private partnership. Of particular value would be the authorities needed to aid in responding to attempted attacks on critical infrastructure from a variety of actors ranging from nation-states to criminals. Currently, the U.S. government’s authorities are limited exclusively to certain criminal contexts, where evidence of a compromise exists, and do not address instances in which critical infrastructure systems are vulnerable to a cyberattack. To address this gap, Congress should grant CISA subpoena authority in support of their threat and asset response activities, while ensuring appropriate liability protections for cooperating private-sector network owners.
- Third, elements of the U.S. government and the private sector often lack the tools necessary for successful collaboration to counter and mitigate a malicious nation-state cyber campaign. To address this shortcoming, the executive branch should establish a Joint Cyber Planning Office under CISA to coordinate cybersecurity planning and readiness across the federal government and between the public and private sectors for significant cyber incidents and malicious cyber campaigns. Within a similar vein, Congress should also direct the U.S. government to plan and execute a national-level cyber table-top exercise on a biennial basis that involves senior leaders from the executive branch, Congress, state governments, and the private sector, as well as international partners, to build muscle memory for key decision makers and develop new solutions and strengthen our collective defense.
- Fourth, the United States must take immediate steps to ensure our critical infrastructure sectors can withstand and quickly respond to and recover from a significant cyber incident. Resilience against such attacks is critical in reducing benefits that our adversaries can expect from their operations–whether disruption, intellectual property theft, or espionage. Congress should direct the executive branch to develop a Continuity of the Economy Plan. This plan should include the federal government, SLTT entities and private stakeholders who can collectively identify the resources and authorities needed to rapidly restart our economy after a major disruption. In addition, the Commission recommends establishing a Cyber State of Distress tied to a Cyber Response and Recovery Fund , giving the government greater flexibility to scale up and augment its own capacity to aid the private sector when a significant cyber incident occurs. These changes will ensure the infrastructure that supports our most critical national functions can continue to operate amidst disruption or crisis.
- Fifth, the Commission recommends two relevant initiatives to reshape the cyber ecosystem toward greater security for all Americans. The first, the creation of a National Cybersecurity Certification and Labeling Authority, would help create standards and transparency that will allow consumers of technology products and services to use the power of their purses over time to demand more security and less vulnerability in the technologies they buy. Furthermore, Congress should appropriate funds to the Department of Homeland Security (DHS), in partnership with the Department of Energy, Office of the Director of National Intelligence (ODNI), and the Department of Defense (DoD), to competitively select, designate, and fund up to three Critical Technology Security Centers in order to centralize efforts directed towards evaluating and testing security of devices and technologies that underpin our networks and critical infrastructure.
- Sixth, the U.S. Intelligence Community is not currently resourced or aligned to adequately support the private sector in cyber defense and security. While the intelligence community is formidable in informing security operations in instances when the U.S. government is the defender, its policies and procedures are not aligned to intelligence collection on behalf of private entities, which constitutes around 85% of our critical infrastructure. To that end, Congress should direct the executive branch to conduct a six-month comprehensive review of intelligence policies, procedures, and resources to identify and address key limitations in order to improve the intelligence community’s ability to provide intelligence support to the private sector.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.