State Department Touts Its Clean Network Program

A U.S. government agency publicizes a plan light on specifics but heavy on rhetoric to eliminate PRC equipment, services, and apps from U.S. systems.   

The United States (U.S.) Department of State unveiled “[t]he Clean Network program…the Trump Administration’s comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party.” This new program is an expansion or even a repurposing of a Congressional mandate to remove suspect and unsafe equipment and systems from federal agency networks. Nonetheless, there was scant detail provided on how the Department of State will accomplish its goals to remove technology from the People’s Republic of China (PRC) from U.S. networks and systems. The Department of State’s announcement comes at about the same time the Trump Administration announced executive orders designed to ban TikTok and WeChat, two PRC apps, suggesting the announcement was timed to coincide with the White House’s news.

Clean Networks is an expansion of the Clean Path, a program to address the risks created by having PRC 5G equipment and services on the agency’s networks. In April 2020, Secretary of State Mike Pompeo “announced that the U.S. Department of State will begin requiring a Clean Path for all 5G network traffic entering and exiting U.S. diplomatic facilities.” The Department of State noted:

  • The 5G Clean Path is an end-to-end communication path that does not use any transmission, control, computing, or storage equipment from untrusted IT vendors, such as Huawei and ZTE, which are required to comply with directives of the Chinese Communist Party.
  • The 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendors’ ability to disrupt, manipulate or deny services to private citizens, financial institutions, or critical infrastructure.

In launching the Clean Path for 5G, the Department of State was responding to language in a recent National Defense Authorization Act aimed at removing equipment and systems from the PRC and other nations of concern. However, this language did not require the agency to take these additional steps, and the agency is likely acting under a more general grant of authority from Congress to regulate its acquisition and use of technology. Furthermore, this program sweeps wider than the Department of State and would normally be coordinated in the White House by an entity like the Office of Management and Budget (OMB). In fact, the Department of State is claiming to be spearheading this effort for the Trump Administration. The Department of State asserted

The Clean Network program is the Trump Administration’s comprehensive approach to safeguarding the nation’s assets including citizens’ privacy and companies’ most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party (CCP).

In a fact sheet, the Department of State explained the “Clean Network Lines of Effort:”

The Clean Network initiative is a comprehensive effort to address the long-term threat to data privacy, security, and human rights posed to the free world from authoritarian malign actors, such as the CCP. The Clean Network is rooted in internationally accepted digital trust standards and is a reflection of our commitment to an open, interoperable, and secure global internet based on shared democratic values and respect for human rights. This effort represents the execution of a multi-year, all-of-government enduring strategy, built on a coalition of trusted partners.

  • 5G Clean Path: To protect the voice and data traversing 5G standalone networks entering and exiting U.S. diplomatic facilities at home and abroad. Announced by Secretary Pompeo on April 29, 2020, the 5G Clean Path is an end-to-end communication path that does not use any transmission, control, computing, or storage equipment from untrusted IT vendors, such as Huawei and ZTE, which are required by Chinese law to comply with directives of the CCP. The 5G Clean Path embodies the highest standards of security against untrusted, high-risk vendors’ ability to disrupt, manipulate or deny services to private citizens, financial institutions, or critical infrastructure. All mobile data traffic entering American diplomatic systems will be subject to new, stringent requirements.
  • Clean Carrier: To ensure untrusted People’s Republic of China (PRC) carriers are not connected with U.S. telecommunications networks. Such companies pose a danger to U.S. national security and should not provide international telecommunications services to and from the United States.
  • Clean Store: To remove untrusted applications from U.S. mobile app stores. PRC apps threaten our privacy, proliferate viruses, censor content, and spread propaganda and disinformation. On August 6, 2020, President Trump signed two Executive Orders to address the threats posed by TikTok and WeChat. TikTok and WeChat capture vast swathes of data from their unsuspecting users and are compelled by Chinese law to turn over this private information to the CCP upon request. The American people’s most sensitive personal and business information must be protected on their mobile phones from exploitation and theft for the CCP’s benefit.
  • Clean Apps: To prevent untrusted PRC smartphone manufacturers from pre-installing—or otherwise making available for download—trusted apps on their apps store. Huawei, an arm of the PRC surveillance state is trading on the innovations and reputations of leading U.S. and foreign companies. These companies should remove their apps from Huawei’s app store to ensure they are not partnering with a human rights abuser.
  • Clean Cloud: To prevent U.S. citizens’ most sensitive personal information and our businesses’ most valuable intellectual property, including COVID-19 vaccine research, from being stored and processed on cloud-based systems built or operated by untrusted vendors, such as Alibaba, Baidu, China Mobile, China Telecom, and Tencent.
  • Clean Cable: To ensure the undersea cables connecting our country to the global internet are not subverted for intelligence gathering by the PRC at hyper scale. We will also work with foreign partners to ensure that undersea cables around the world aren’t built or operated by untrusted vendors.

As noted, the Clean Path program had its genesis in a provision in a recently enacted bill. Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) was drafted to address the threats posed by the presence of Huawei and ZTE equipment and services throughout the systems and supply chains of the federal government and its contractors. The ultimate goal is the complete phaseout, if possible, of these and any other suspect systems that could possibly be compromised or exploited in the future. Consequently, Russian equipment and systems are also targeted. All federal agencies must inventory and then work to remove this equipment and products within the next few years.

As a result, a rulemaking changed the Federal Acquisition Regulations (FAR) to put into effect the Section 889 required ban on Huawei and ZTE products. Specifically, the August 2019 interim rule bars federal agencies from buying Huawei, ZTE, and related Chinese “equipment, system[s], or service[s] that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception allows the agency to disregard this general ban. This rule has already taken effect, and it is likely the DOD and other agencies will issue a final rule, which may change the interim rule on the margins but will likely maintain the substance of the prohibition. It bears note that this interim rule is applicable to all contracts going forward and some solicitations offered and contracts signed before August 13, 2019.

In July 2020, federal agencies released an interim rule to implement the second half of the Section 889 government-wide ban on buying or using Huawei, ZTE, and other equipment and systems considered risky or suspect by the U.S. government. This part of the ban extends the prohibition to entities that would contract with US agencies. Therefore, as a general matter, such contractors would need to certify their services, systems, and equipment are free and clear of “covered telecommunication equipment,” which is largely technology developed and manufactured in the People’s Republic of China (PRC) or the Russian Federation. This rule will take effect on 13 August but may possibly affect contracts entered into before that date. And yet, comments are being accepted on this rule until 14 September, which will likely affect the rule on the margins when a final version is issued but not its substance.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Trump Administration Issues Second Part of Rule Banning Huawei, ZTE, and Other PRC Entities From Federal Systems

Starting in a month, those contracting with the federal government may not have Huawei or ZTE equipment or systems per a directive of Congress enacted in 2018. Lawmakers were concerned about national security and argued PRC equipment and systems are compromised. The first half of this ban took effect one year ago.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Federal agencies released an interim rule to implement the second half of a government-wide ban on buying or using Huawei, ZTE, and other equipment and systems considered risky or suspect by the United States (US) government. The first half of this ban went into effect late last summer and generally bars US agencies from buying or using so-called “covered telecommunications equipment or services,” and this part of the ban extends the prohibition to entities that would contract with US agencies. Therefore, as a general matter, such contractors would need to certify their services, systems, and equipment are free and clear of “covered telecommunication equipment,” which is largely technology developed and manufactured in the People’s Republic of China (PRC) or the Russian Federation. This rule will take effect on 13 August but may possibly affect contracts entered into before that date. And yet, comments are being accepted on this rule until 14 September, which will likely affect the rule on the margins when a final version is issued but not its substance.

The Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) amended “the Federal Acquisition Regulation (FAR) to implement section 889(a)(1)(B) of the ‘John S. McCain National Defense Authorization Act (NDAA) for FY 2019’ (P.L. 115-232)” that “prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The agencies stated

The statute covers certain telecommunications equipment and services produced or provided by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of those entities) and certain video surveillance products or telecommunications equipment and services produced or provided by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities). The statute is not limited to contracting with entities that use end-products produced by those companies; it also covers the use of any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.

The DOD, GSA, and NASA explained “[t]he 889(a)(1)(A) rule does the following:

  • It amends the FAR to include the 889(a)(1)(A) prohibition, which prohibits agencies from procuring or obtaining equipment or services that use covered telecommunications equipment or services as a substantial or essential component or critical technology. (FAR 52.204-25)
  • It requires every offeror to represent prior to award whether or not it will provide covered telecommunications equipment or services and, if so, to furnish additional information about the covered telecommunications equipment or services. (FAR 52.204-24)
  • It mandates that contractors report (within one business day) any covered telecommunications equipment or services discovered during the course of contract performance. (FAR 52.204-25)

The agencies added

The FAR Council will address the public comments received on both previous interim rules in a subsequent rulemaking. In addition, each agency has the opportunity under 889(a)(1)(A) to issue agency-specific procedures (as they do for any acquisition-related requirement). For example, GSA issued a FAR deviation where GSA categorized risk to eliminate the representations for low and medium risk GSA-funded orders placed under GSA indefinite-delivery contracts.

Section 889 of the FY 2019 NDAA was drafted to address the threats posed by the presence of Huawei and ZTE equipment and services throughout the systems and supply chains of the federal government and its contractors. The ultimate goal is the complete phaseout, if possible, of these and any other suspect systems that could possibly be compromised or exploited in the future. Consequently, Russian equipment and systems are also targeted. All federal agencies must inventory and then work to remove this equipment and products within the next few years, and the DOD has already started the required rulemakings to fulfill this policy goal.

As a result, the DOD and other agencies changed the FAR to put into effect a Congressionally-required ban on Huawei and ZTE products detailed in Section 889 of the FY 2019 NDAA. Specifically, the August 2019 interim rule bars federal agencies from buying Huawei, ZTE, and related Chinese “equipment, system[s], or service[s] that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception allows the agency to disregard this general ban. This rule has already taken effect, and it is likely the DOD and other agencies will issue a final rule, which may change the interim rule on the margins but will likely maintain the substance of the prohibition. It bears note that this interim rule is applicable to all contracts going forward and some solicitations offered and contracts signed before August 13, 2019. In December 2019, the DOD, GSA, and NASA changed the original requirement that contractors certify for each procurement they do not have any Huawei or ZTE equipment or services and may make this certification annually instead.

In concert with the August 2019 interim final rule that put in place a ban on buying or using Huawei, ZTE, or other related equipment, the DOD issued a memorandum that “provides DOD-specific procedures associated with the interim FAR rule that implements section 889(a)(1)(A) of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232)…[and] [t]hese implementation procedures apply to contracts, task orders, and delivery orders, including basic ordering agreements (BOAs), orders against BOAs, blanket purchase agreements (BPAs), and calls against BPAs.”

Finally, it bears note that Section 889(b) also contains language barring any agency from making a loan or providing a grant to any entity with Huawei or ZTE systems or equipment or to buy Huawei systems or equipment. In June 2019, the Office of Management and Budget (OMB) asked Congress for legislative changes to the grant and loan language, ideally in the FY 2020 NDAA, and to push back the deadline for both of these provisions from August 13, 2020 to August 13, 2022. However, the Armed Services Committees did not include such language in either version of the FY 2020 NDAA, suggesting there is no support in the committees for softening or rolling back the Huawei/ZTE bans.

Senate Consideration of NDAA Continues

Slowly, the Senate works on its NDAA by adding a number of amendments including a few standalone technology bills. However, an election security bill was stripped out of the FY 2021 Intelligence Authorization before it was added to the NDAA.

The Senate continued its consideration of the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) this week before recessing for the 4 July holiday. Work will continue later this month on the massive authorization package that sets annual policy for the Department of Defense (DOD) and related agencies. However, before leaving Washington, DC, the Senate did deal with some of the amendments offered for adoption by adding a number en bloc, some of which pertain to technology policy and funding.

The following amendments were adopted on 2 July 2020 en bloc by unanimous consent:

  • The Department of Homeland of Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “the Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a recommendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242). The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill and to announce his plans to offer it as an amendment and force a vote:

The committee voted 14 to 1 to pass an intel authorization bill that included the FIRE Act, the act that I just described, so that if a foreign government interferes or offers you assistance or offers you dirt, you don’t say thanks; you call the FBI. So you can imagine my surprise and frustration when I learned of a backroom deal to strip the FIRE Act out of the Intelligence Committee’s legislation because of a supposed turf war with another committee. I am back again today because the security of our elections cannot wait. Let’s not hide behind process or jurisdictional boundaries. The stakes are far too high to continue the partisan blockade of election security legislation that we have seen over the last 3 years. If, behind closed doors, my Republican colleagues want to strip this legislation out of the NDAA, then I am going to offer it up as an amendment to force an up-or-down vote and put every Member of this body on the record: Are you for election security or are you for allowing foreign entities to interfere and offer assistance with no requirement to report?

Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:

  • The “Duty To Report Act” (S.1247)
  • The “Senate Cybersecurity Protection Act” (S.890)
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R.2722)
  • The “Secure Elections Act of 2019” (S.1540)

Yet, the Senate has taken up and passed two election-related bills addressing facets of the cybersecurity challenges. On July 17, the Senate passed the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent that would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills.

When the Senate returns to the bill on 20 July, a number of amendments will be pending, including one to establish semiconductor manufacturing grants.

Congressionally Created Panel Releases Cyberspace Recommendations and Legislative Proposals

The Cyberspace Solarium Commission (CSC) released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has not yet made available. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) served as co-chairs for the CSC, which also included Representative James Langevin (D-RI), Senator Ben Sasse (R-NE), the Federal Bureau of Investigation Director Christopher Wray, Deputy Secretary of Defense David L. Norquist, and others.

The co-chairs explained

We didn’t solve everything in this report. We didn’t even agree on everything. There are areas, such as balancing maximum encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop. So please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private sector act with speed and agility to secure our cyber future.

Nonetheless, they offered some “big ideas to get the conversation started:

  • First, deterrence is possible in cyberspace. Today most cyber actors feel undeterred, if not emboldened, to target our personal data and public infrastructure. In other words, through our inability or unwillingness to identify and punish our cyber adversaries, we are signaling that interfering in American elections or stealing billions in U.S. intellectual property is acceptable. The federal government and the private sector must defend themselves and strike back with speed and agility. This is difficult because the government is not optimized to be quick or agile, but we simply must be faster than our adversaries in order to prevent them from destroying our networks and, by extension, our way of life. Our strategy of layered cyber deterrence is designed with this goal in mind. It combines enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies. It is a simple framework laying out how we evolve into a hard target, a good ally, and a bad enemy.
  • Second, deterrence relies on a resilient economy. During the Cold War, our best minds were tasked with developing Continuity of Government plans to ensure that the government could survive and the nation recover after a nuclear strike. We need similar planning today to ensure that we can reconstitute in the aftermath of a national-level cyberattack. We also need to ensure that our economy continues to run. We recommend that the government institute a Continuity of the Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack. Such a plan is a fundamental pillar of deterrence—a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.
  • Third, deterrence requires government reform. We need to elevate and empower existing cyber agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the executive branch and Congress. To that end, we recommend the creation of a National Cyber Director with oversight from new congressional Cybersecurity Committees, but our goal is not to create more bureaucracy with new and duplicative roles and organizations. Rather, we propose giving existing organizations the tools they need to act with speed and agility to defend our networks and impose costs on our adversaries. The key is CISA, which we have tried to empower as the lead agency for federal cybersecurity and the private sector’s preferred partner. We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins).
  • Fourth, deterrence will require private-sector entities to step up and strengthen their security posture. Most of our critical infrastructure is owned by the private sector. That is why we make certain recommendations, such as establishing a cloud security certification or modernizing corporate accountability reporting requirements. We do not want to saddle the private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data to the federal government. We are not the Chinese Communist Party, and indeed our best path to beating our adversaries is to stay free and innovative. But we need C-suite executives to take cyber seriously since they are on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.
  • Fifth, election security must become a priority. The American people still do not have the assurance that our election systems are secure from foreign manipulation. If we don’t get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up. We believe we need to continue appropriations to fund election infrastructure modernization at the state and local levels. At the same time, states and localities need to pay their fair share to secure elections, and they can draw on useful resources—such as nonprofits that can act with greater speed and agility across all 50 states—to secure elections from the bottom up rather than waiting for top-down direction and funding. We also need to ensure that regardless of the method of casting a vote, paper or electronic, a paper audit trail exists (and yes, we recognize the irony of a cyber commission recommending a paper trail).

The CSC stated that “[a]fter conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence.” The CSC explained that “[t]he desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence…[and] [t]he strategy outlines three ways to achieve this end state:

1. Shape behavior. The United States must work with allies and partners to promote responsible behavior in cyberspace.

2. Deny benefits. The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.

3. Impose costs. The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.”

The CSC made a host of recommendations generally but also linked some of the recommendations to legislative proposals drafted by CSC staff. However, these drafts have not yet been released even though the CSC claims “[l]egislative proposals are available online at www.solarium.gov.” Nonetheless, the CSC made clear it does not necessarily support these proposals:

  • PILLAR 1: REFORM THE U.S. GOVERNMENT’S STRUCTURE AND ORGANIZATION FOR CYBERSPACE
    • Recommendation 1.2: Create House Permanent Select and Senate Select Committees on Cybersecurity
    • Recommendation 1.3: Establish a National Cyber Director
    • Recommendation 1.4.1: Codify and Strengthen the Cyber Threat Intelligence Integration Center
    • Recommendation 1.5: Diversify and Strengthen the Federal Cyberspace Workforce
  • PILLAR 2: STRENGTHEN NORMS AND NON-MILITARY INSTRUMENTS OF POWER
    • Recommendation 2.1: Create a Cyber Bureau and Assistant Secretary at the U.S. Department of State
    • Recommendation 2.1.4: Improve International Tools for Law Enforcement Activities in Cyberspace [Provide MLAT Subpoena Authority and Increase FBI Cyber ALATs]
    • Recommendation 2.1.5: Leverage Sanctions and Trade Enforcement Actions [Codify Executive Order 13848]
  • PILLAR 3: PROMOTE NATIONAL RESILIENCE
    • Recommendation 3.1: Codify Sector-specific Agencies into Law as “Sector Risk Management Agencies” and Strengthen Their Ability to Manage Critical Infrastructure Risk
    • Recommendation 3.1.1: Establish a Five-Year National Risk Management Cycle Culminating in a Critical Infrastructure Resilience Strategy
    • Recommendation 3.1.2: Establish a National Cybersecurity Assistance Fund to Ensure Consistent and Timely Funding for Initiatives That Underpin National Resilience
    • Recommendation 3.2: Develop and Maintain Continuity of the Economy Planning
    • Recommendation 3.3: Codify a “Cyber State of Distress” Tied to a “Cyber Response and Recovery Fund”
    • Recommendation 3.3.2: Clarify Liability for Federally Directed Mitigation, Response, and Recovery Efforts
    • Recommendation 3.3.5: Establish a Biennial National Cyber Tabletop Exercise
    • Recommendation 3.3.6: Clarify the Cyber Capabilities and Strengthen the Interoperability of the National Guard
    • Recommendation 3.4: Improve the Structure and Enhance Funding of the Election Assistance Commission
    • Recommendation 3.4.1: Modernize Campaign Regulations to Promote Cybersecurity
    • Recommendation 3.5: Build Societal Resilience to Cyber-Enabled Information Operations [Educational and Awareness Grant Programs]
    • Recommendation 3.5.1: Reform Online Political Advertising to Defend against Foreign Influence in Elections
  • PILLAR 4: RESHAPE THE CYBER ECOSYSTEM TOWARD GREATER SECURITY
    • Recommendation 4.1: Establish and Fund a National Cybersecurity Certification and Labeling Authority
    • Recommendation 4.1.1: Create or Designate Critical Technology Security Centers
    • Recommendation 4.2: Establish Liability for Final Goods Assemblers
    • Recommendation 4.3: Establish a Bureau of Cyber Statistics
    • Recommendation 4.4: Resource a Federally Funded Research and Development Center to Develop Cybersecurity Insurance Certifications
    • Recommendation 4.4.4: Amend the Sarbanes-Oxley Act to Include Cybersecurity Reporting Requirements
    • Recommendation 4.5: Develop a Cloud Security Certification
    • Recommendation 4.5.1: Incentivize the Uptake of Secure Cloud Services for Small and Medium-Sized Businesses and State, Local, Tribal, and Territorial Governments
    • Recommendation 4.5.2: Develop a Strategy to Secure Foundational Internet Protocols and Email
    • Recommendation 4.5.3: Strengthen the U.S. Government’s Ability to Take Down Botnets
    • Recommendation 4.6: Develop and Implement an Information and Communications Technology Industrial Base Strategy
    • Recommendation 4.7: Pass a National Data Security and Privacy Protection Law
    • Recommendation 4.7.1: Pass a National Breach Notification Law
  • PILLAR 5: OPERATIONALIZE CYBERSECURITY COLLABORATION WITH THE PRIVATE SECTOR
    • Recommendation 5.1: Codify the Concept of “Systemically Important Critical Infrastructure”
    • Recommendation 5.1.1: Review and Update Intelligence Authorities to Increase Intelligence Support to the Broader Private Sector
    • Recommendation 5.1.2: Strengthen and Codify Processes for Identifying Broader Private-Sector Cybersecurity Intelligence Needs and Priorities
    • Recommendation 5.1.3: Empower Departments and Agencies to Serve Administrative Subpoenas in Support of Threat and Asset Response Activities
    • Recommendation 5.2: Establish and Fund a Joint Collaborative Environment for Sharing and Fusing Threat Information
    • Recommendation 5.2.2: Pass a National Cyber Incident Reporting Law
    • Recommendation 5.2.3: Amend the Pen Register Trap and Trace Statute to Enable Better Identification of Malicious Actors
    • Recommendation 5.3: Strengthen an Integrated Cyber Center within CISA and Promote the Integration of Federal Cyber Centers
    • Recommendation 5.4.1: Institutionalize Department of Defense Participation in Public-Private Cybersecurity Initiatives
  • PILLAR 6: PRESERVE AND EMPLOY THE MILITARY INSTRUMENTS OF POWER
    • Recommendations 6.1 & 6.1.3: Direct the Department of Defense to Conduct a Force Structure Assessment of the Cyber Mission Force / Review the Delegation of Authorities for Cyber Operations
    • Recommendation 6.1.1: Direct the Department of Defense to Create a Major Force Program Funding Category for U.S. Cyber Command
    • Recommendation 6.1.7: Assess the Establishment of a Military Cyber Reserve
    • Recommendation 6.2: Conduct a Cybersecurity Vulnerability Assessment of All Segments of the NC3 and NLCC Systems and Continually Assess Weapon Systems Cyber Vulnerabilities
    • Recommendation 6.2.1: Require Defense Industrial Base Participation in a Threat Intelligence Sharing Program
    • Recommendation 6.2.2: Require Threat Hunting on Defense Industrial Base Networks
    • Recommendation 6.2.4: Assess and Address the Risk to National Security Systems Posed by Quantum Computing

It is unlikely that Congress will adopt most of these recommendations by turning them into statute, but the Administration will likely pick and choose those it will implement without obtaining new or further authority. However, these recommendations will serve to inform the debate on cyber-related issues going forward.