Update To Pending Legislation In U.S. Congress, Part VI

An AI resolution was introduced in Congress to shape the national strategy, and a committee of jurisdiction looks at a national commission on AI’s recommendations.

Last week, we looked at the artificial intelligence (AI) legislation that could move during the balance of the Congressional year, but two recent developments should also be noted. I neglected to explain the introduction of a resolution “[e]xpressing the sense of Congress with respect to the principles that should guide the national artificial intelligence strategy of the United States.” Of course, this is not legislation and would have no legal force this Administration or future Administrations would need to heed. Rather, this effort is intended to serve as guide for future legislation and future administrative action.

Representatives Will Hurd (R-TX) and Robin Kelly (D-IL) introduced this resolution that was cosponsored by Representatives Steve Chabot (R-OH), Gerald Connolly (D-VA), Marc Veasey (D-TX), Seth Moulton (D-MA), Michael Cloud (R-TX), and Jim Baird (R-IN).

Hurd and Kelly have been working with the Bipartisan Policy Center, a Washington, D.C. think tank founded by four former Senate Majority Leaders to produce policy consensus of the sort that used to happen in Congress. They worked together on four white papers on AI:

The resolution states “[i]t is the sense of Congress that the following principles should guide the national artificial intelligence strategy of the United States:

(1) Global leadership.

(2) A prepared workforce.

(3) National security.

(4) Effective research and development.

(5) Ethics, reduced bias, fairness, and privacy.”

By way of contrast, the February 2019 Executive Order (EO) 13859 on Maintaining American Leadership in Artificial Intelligence stated “[i]t is the policy of the United States Government to sustain and enhance the scientific, technological, and economic leadership position of the United States in AI R&D and deployment through a coordinated Federal Government strategy, the American AI Initiative (Initiative), guided by five principles:

(a) The United States must drive technological breakthroughs in AI across the Federal Government, industry, and academia in order to promote scientific discovery, economic competitiveness, and national security.

(b) The United States must drive development of appropriate technical standards and reduce barriers to the safe testing and deployment of AI technologies in order to enable the creation of new AI-related industries and the adoption of AI by today’s industries.

(c) The United States must train current and future generations of American workers with the skills to develop and apply AI technologies to prepare them for today’s economy and jobs of the future.

(d) The United States must foster public trust and confidence in AI technologies and protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.

(e) The United States must promote an international environment that supports American AI research and innovation and opens markets for American AI industries, while protecting our technological advantage in AI and protecting our critical AI technologies from acquisition by strategic competitors and adversarial nations.

While the Trump Administration’s materials on the EO have mentioned civil liberties and privacy, they have largely not examined the potential effects of AI with respect to bias and fairness. Democrats have generally been keener to investigate potential problems with the algorithms underlying AI and similar technologies perpetuating racial and ethnic biases in western society. For example, facial recognition technology misidentifies African Americans, Latinos, and Asian Americans at much higher rates than American men of European descent. The Hurd/Kelly resolution would seem to focus more on these issues than the Trump Administration’s public materials on its AI efforts.

The two efforts would seem fairly close on the role the U.S. would ideally play in international development of AI. The nation would lead the development and implementation of AI under both plans with the additional gloss that the Trump Administration is more transparent in its notion that leading the world in AI will help ensure continued American military and commercial dominance in technology. Both are motivated, in significant part, by concerns that the People’s Republic of China (PRC), may continue on its current technological trajectory, surpass the U.S. in AI, and then be poised to lead the world according to its values in this field. It is possible the AI effort in the U.S. will be informed as much by competition as were various fields in the mid-20th Century by the Cold War with the Russians.

Otherwise, both are focused on workforce development, both in order to foster the types of education and training needed for people to work in AI and to help people in industries revolutionized or disrupted by AI. Likewise, both are concerned with maximizing R&D funding and efforts.

Last week, the House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee conducted a virtual hearing titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” with these witnesses:

  • Dr. Eric Schmidt , Chairman, National Security Commission on Artificial Intelligence 
  • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence, HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence 
  • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence

Chair James Langevin (D-RI) stated:

  • Our intent for this commission was to ensure a bipartisan whole-of-government effort focused on solving national security issues, and we appreciate the leadership and hard work of our witnesses in supporting the commission’s efforts in that spirit.
  • [T]his Commission is working through the difficult issues requiring national investments in research and software development and new approaches on how to apply AI appropriately for national security missions; attract and hold onto the best talent; protect and build upon our technical advantages; best partner with our allies on AI; stay ahead of the threat posed by this technology in the hands of adversaries; and implement ethical requirements for responsible American-built AI.
  • Indeed, last year the Defense Innovation Board, which was also chaired until recently by Dr. Schmidt, helped the Department begin the necessary discussions on ethics in AI.
  • I applaud the Commission for being forward leaning by not only releasing an initial and annual report as required in law, but also releasing quarterly recommendations. Ranking Member [Elise] Stefanik (R-NY) and I, along with Chair Adam Smith (D-WA) and Ranking Member Mac Thornberry (R-TX), were pleased to support a package of provisions in this year’s House version of the FY 2021 National Defense Authorization Act (NDAA) (the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395)) based on the Commission’s first quarter’s recommendations. The House version carried 11 provisions, with the majority deriving from the Commission’s call to Strengthen the AI Workforce. We are pleased that both Commissioner Griffiths and Commissioner Clyburn are with us today to testify on the need for action on AI talent. 
  • On that note, we must implement policies that promote a sound economic, political, and strategic environment on U.S. soil where global collaboration, discovery, and innovation can all thrive. The open dialogue and debate resident in academia and the research community can be anathema to the requirement for secrecy in the Department of Defense.
  • But we must recognize – and embrace – how our free society provides the competitive advantage that lets us innovate faster than our great power competitors. Our free society enables a dynamic innovation ecosystem, and federally funded open basic research focused on discovery has allowed American universities to develop an innovation base that has effectively functioned as a talent acquisition program for the U.S. economy. And that talent is required today as much as ever to solve our most pressing national security challenges.
  • Indeed, great power competition is also a race for talent. We are looking forward to hearing about your efforts, the observations and recommendations you’ve already developed, and your plan to continue until you submit the Commission’s final report in the spring.

Ranking Member Elise Stefanik (R-NY) noted she introduced a bill in March 2018 to establish a national commission on AI and cosponsored the 11 amendments to H.R.6395 that added the Commission’s first quarter recommendations to the House’s FY 2021 NDAA. She asserted this represents a remarkable achievement that speaks to the quality of the recommendations made to policymakers. Stefanik said in her remarks before the Commission she spoke about the need for AI to be transformative and stressed that if AI does not fundamentally change the way the U.S. operates, adapt the collective defense, change workforce policy, change priorities and shift resources, then the U.S. is failing to embrace the technology to its fullest. She expressed pleasure that many of the initial recommendations address these issues.

Stefanik claimed the last several weeks have provided glimpses at the power of AI. She said the Defense Advanced Research Projects Agency’s (DARPA) AlphaDogFight demonstration that pitted an experienced fighter pilot against an algorithm developed by a minoty woman owned small business from Maryland. Stefanik noted AI decisively won, and Secretary of Defense Mark Esper characterized the victory as the “tectonic impact of machine learning on the future of warfighting.” Stefanik said a hypervelocity weapon shot down a cruise missile with the help of an advanced battle management system powered by powerful data analytics and AI capabilities. She said the head of Northern Command remarked afterwards “I am not skeptic after watching today.”

Stefanik stated that the policy governing AI is equally as important as technical demonstrations, specifically the development of standards, ethical principles, accountability, and the appropriate level of human oversight. She asserted all of these will be critical to ensuring Americans trust the use of AI. Stefanik contended that the Commission’s work is crucial in ensuring an enduring partnership of the military, academia, and the private sector built on trust, democratic ideals, and mutual values.

In their joint testimony, the four Commissioners stated:

We are encouraged to see several NSCAI recommendations reflected in the House and Senate versions of this year’s NDAA, and would like to take this opportunity to comment on the importance of legislative action in five key areas. We believe it is crucial for these recommendations to reach the President’s desk and become law.

1. Expanding AI Research and Development

Both the House and Senate bills feature encouraging actions on federal government investment in AI research and development, public-private coordination, and establishment of technical standards. The Commission shares these priorities.

We want to emphasize the importance of creating a National AI Research Resource. There is a growing divide in AI research between “haves” in the private sector and “have nots” in academia. Much of today’s AI research depends on access to resource-intensive computation and large, curated data sets. These are held primarily in companies. We fear that this growing gap will degrade research and training at our universities.

2. DOD Organizational Reforms

We have made a number of proposals to ensure the Department of Defense (DOD) is well positioned to excel in the AI era. In particular, we want to emphasize the need for a senior-level Steering Committee on Emerging Technology. This top-down approach would help the Department overcome some of the bureaucratic challenges that are impeding AI adoption. It would also focus concept and capability development on emerging threats, and guide defense investments to ensure strategic advantage against near-peer competitors.

Importantly, we believe this Steering Committee must include the Intelligence Community (IC). A central goal of our recommendation is to create a leadership mechanism that bridges DOD and the IC. This would better integrate intelligence analysis related to emerging technologies with defense capability development. And it would help ensure that DOD and the IC have a shared vision of national security needs and coherent, complementary investment strategies.

3. Microelectronics

We believe the United States needs a national strategy for microelectronics. Recent advances in AI have depended heavily on advances in available computing power. To preserve U.S. global leadership in AI, we need to preserve leadership in the underlying microelectronics.

In our initial reports, the Commission has put forward specific recommendations to lay the groundwork for long-term access to resilient, trusted, and assured microelectronics. We propose a portfolio-based approach to take advantage of American strengths and ensure the United States stays ahead of competitors in this field.

4. Ethical and Responsible Use

Determining how to use AI responsibly is central to the Commission’s work. We recently published a detailed “paradigm” of issues and practices that government agencies should consider in developing and fielding AI. We believe these proposals can help DOD and the IC to operationalize their AI ethics principles.

Within the government, it is important to develop an understanding of these principles and practices, and an awareness of the risks and limitations associated with AI systems. That is why we recommend that DOD, the IC, Department of Homeland Security (DHS), and Federal Bureau of Investigation (FBI) should conduct self-assessments. These should focus on several issues:

  • Whether the department/agency has access to adequate in-house expertise––including ethical, legal, and technical expertise––to assist in the development and fielding of responsible AI systems;
  • Whether current procurement processes sufficiently encourage or require such expertise to be utilized in acquiring commercial AI systems; and,
  • Whether organizations have the ability and resources to consult outside experts when in-house expertise is insufficient.

5. Workforce Reforms

Much of the Commission’s early work has focused on building an AI-ready national security workforce. This includes recruiting experts and developers, training end users, identifying talented individuals, and promoting education. If the government cannot improve its recruitment and hiring, or raise the level of AI knowledge in its workforce, we will struggle to achieve any significant AI progress.

In particular, we support several provisions in the current versions of the NDAA. These include:

  • Training courses in AI and related topics for human resources practitioners, to improve the government’s recruitment of AI talent.
  • The creation of unclassified workspaces. This would allow organizations to hire and utilize new employees more quickly, while their security clearances are in process.
  • A pilot program for the use of electronic portfolios to evaluate applicants for certain technical positions. Because AI and software development are sometimes self-taught fields, experts do not always have resumes that effectively convey their knowledge. The pilot program would pair HR professionals with subject matter experts to better assess candidates’ previous work as a tangible demonstration of his or her capabilities.
  • A program to track and reward the completion of certified AI training and courses. This would help agencies identify and capitalize on AI talent within the ranks.
  • A mechanism for hiring university faculty with relevant expertise to serve as part-time researchers in government laboratories. The government would benefit from access to more outside experts. We believe this mechanism should apply not only to DOD but also to DHS, Department of Commerce, DOE, and the IC.
  • Expanding the use of public-private talent exchange programs in DOD. We recommend expanding both the number of participants in general and the number of exchanges with AI-focused companies in particular. We also recommend creating an office to manage civilian talent exchanges and hold their billets.
  • An addition to the Armed Services Vocational Aptitude Battery Test to include testing for computational thinking. This would provide the military with a systematic way to identify potential AI talent.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Owen Beard on Unsplash

House Hearing On CSC Recommendations

On the same day another committee was considering amendments to the FY 2021 NDAA, a committee looked at recommendations to change US cyber policy

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

One of the committees with jurisdiction over a number of the recommendations made by the Cyberspace Solarium Commission (CSC) held a virtual hearing to examine some of the panel’s policy and statutory suggestions to improve the cybersecurity of the United States. The hearing was chaired by one of the CSC members and all four witnesses were on the CSC. Those facts taken together with the timing of the hearing (i.e. right before the House is set to amendments embodying the CSC recommendations to the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395)) suggested the audience is House Democratic leadership, Senate Republican leadership, the Senate Armed Services Committee, and other stakeholders.

The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee held a virtual hearing on 17 July titled “Cyberspace Solarium Commission Recommendations” with the following witnesses:

  • Senator Angus King (I-ME), Co-Chair, Cyberspace Solarium Commission
  • Representative Michael Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
  • Hon. Suzanne Spaulding, Commissioner, Cyberspace Solarium Commission
  • Ms. Samantha Ravich, Ph.D., Commissioner, Cyberspace Solarium Commission

Consequently, given the subcommittee’s jurisdiction over the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), and the latter’s responsibility for helping non-defense civilian agencies secure their networks and systems, the subcommittee spent a fair amount of time discussing how to improve both entities.

Representative James Langevin (D-RI) chaired the hearing even though Representative Cedric Richmond (D-LA) is chair of the subcommittee. As mentioned, Langevin served on the CSC and has offered a number of amendments to be debated when the House considers the FY 2021 NDAA this week. In his opening statement, Langevin asserted

  • The realities of 2020 make clear that a comprehensive, whole-of-nation approach to cybersecurity is a necessity, but we do not yet have one. We lack a clear leader in the White House whose mission it is to focus on cybersecurity. We lack clear understanding of roles and responsibilities, both within government and between government and the private sector. We lack clear metrics to measure our progress.
  • The Cyberspace Solarium Commission report cannot fix all the challenges we have in cyberspace. But it does chart a bold course, and it does not shy away from the tradeoffs we will need to make to decisively improve our cybersecurity posture. The report makes clear that everyone – from government to private sector companies to Congress itself –needs to make meaningful changes.
  • We need to expect more from government: closer coordination across agencies, stronger collaboration with critical infrastructure, and, critically, a greater emphasis on planning. And we need to strengthen government agencies – in particular CISA – to do so.
  • We also need to expect more from the private sector. We need companies to truly accept the risks they take in cyberspace by accepting the consequences of failing to protect their data and networks.
  • We also need technology companies – what the report calls “cybersecurity enablers” – to do more to make the secure choice the default choice. Too often, we see a rush to be first to market, not secure to market. Too often, we see entities like ISPs not protecting their small and medium sized customers because they don’t believe it’s their job.
  • Most importantly, where the public and private intersect, at the nexus of critical infrastructure that this committee is charged with protecting, we need to ensure the private sector is doing its part to protect itself while acknowledging that they can’t go it alone.

Ranking Member John Katko (R-NY)

  • The recommendations I am most interested in hearing about today are, strengthening the Cybersecurity and Infrastructure Security Agency (CISA) and its workforce, evaluating CISA’s facilities needs, strengthening the CISA Director position and making the Assistant Directors career, the National Cyber Director, authorizing CISA to threat hunt on the .gov domain, securing email, developing a strategy to secure email, and modernizing the digital infrastructure of state and local governments and small and mid-sized businesses.
  • As Ranking Member on the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, my top priority among the Commission’s recommendations is strengthening and clarifying the CISA’s authority and vastly increasing its funding to allow it to carry out its role as the Nation’s risk manager coordinating the protection of critical infrastructure and federal agencies and departments from cyber threats.  I introduced this recommendation as a bill, which requires CISA to assess what additional resources are necessary to fulfill its mission.  This assessment should examine CISA’s workforce composition and future demands and report to Congress on the findings.
  • Under the bill, CISA would also evaluate its current facilities and future needs including accommodating integration of personnel, critical infrastructure partners, and other department and agency personnel and make recommendations to the General Services Administration (GSA).  GSA must evaluate CISA’s recommendations and report to Congress within 30 days on how best to accommodate CISA’s mission and goals with commensurate facilities.  The facilities evaluation dovetails with the Commission’s recommendation for an integrated cyber center within CISA.
  • I reintroduced my bill elevating and strengthening the CISA Director position to reflect the significance of the role, making the position the equivalent of an Assistant Secretary or military service secretary.  My bill limits the term of the CISA Director to 2, 5-year terms, which ensures the agency has stable leadership. It also depoliticizes the Assistant Director positions by making them a career.
  • A related legislative proposal that I am working with colleagues to pass, clarifies CISA’s authority to conduct continuous threat hunting across the .gov domain.  This will increase CISA’s ability to protect federal networks and allow CISA to provide relevant threat information to critical infrastructure.
  • Finally, the recommendation to establish a National Cyber Director within the White House is another legislative proposal I am cosponsoring.  This Presidentially-nominated and Senate-confirmed National Cyber Director would be the principle cybersecurity advisor of the President, tasked with developing, counseling the President on, and supervising the implementation of a National Cyber Strategy. This leadership will bring focus to our Nation’s cybersecurity as a top strategic priority.

Committee Chair Bennie Thompson (D-MS) explained

  • Although there are many well-intentioned, capable people working hard to advance sound cybersecurity policy throughout the executive branch, the lack of consistent leadership from the White House has stunted progress. Over two years ago, for example, the White House green-lighted the elimination of its Cyber Security Coordinator. The result is a lack of effective coordination among Federal agencies who compete for cybersecurity authorities, responsibilities, and associated budgets – and Federal agencies approaching Congress with conflicting priorities. The time has come for that to stop.
  • Toward that end, I appreciate and support the Commission’s recommendation that Congress establish a National Cyber Director. I understand Congressman Langevin has authored legislation to implement that recommendation and has also submitted it as an amendment to the NDAA. I fully support both efforts.
  • I similarly appreciate the Commission’s recommendations regarding strengthening the Cybersecurity and Infrastructure Security Agency and more clearly defining the roles and responsibilities of CISA and sector risk management agencies. Right-sizing CISA’s budget and equipping it with the authorities necessary to carry out its mission to secure Federal networks, while also supporting critical infrastructure, has been a bipartisan priority of Committee Members.
  • I am particularly interested in hearing Ms. Spaulding’s thoughts on these recommendations given her perspective as the former Under Secretary of the National Protection and Programs Directorate.
  • Additionally, I am interested in discussing Commission recommendations related to implementing a “carrot and stick” approach to encourage private sector collaboration with the Federal government’s cybersecurity and defense efforts, particularly the proposed codification of “systemically important critical infrastructure.”
  • Finally, I would be remiss if I did not address the Commission’s observation that Congress’ fractured jurisdiction over cybersecurity frustrates efforts to achieve a comprehensive, cohesive approach to cybersecurity. I agree. And while I disagree with the Commission’s recommendation on that point, rest assured that I am working to address the underlying problem.

In a joint statement, CSC Members

  • Ultimately, the Commission developed a strategic approach of “layered cyber deterrence” with the objectives of actively shaping behavior in cyberspace, denying benefits to adversaries who exploit this domain, and imposing real costs against those who target America’s economic and democratic institutions in and through cyberspace. Our critical infrastructure–the systems, assets, and entities that underpin our national security, economic security, and public health and safety—are increasingly threatened by malicious cyber actors. Effective critical infrastructure security and resilience requires reducing the consequences of disruption, minimizing vulnerability, and disrupting adversary operations that seek to hold our assets at risk. We believe the future of the U.S. economy and our national security requires both the executive branch and Congress work in tandem to prioritize and grant the following recommendations.
    • First and foremost, the Commission found that the federal government lacks consistent and institutionalized leadership, as well as a cohesive, clear strategic vision on cybersecurity. As a result, we recommend that Congress establish a National Cyber Director in the Executive Office of the President to centralize and coordinate the cybersecurity mission at the national level. The National Cyber Director would work with federal departments and agencies to bring coherence in the development of cybersecurity policy and strategy and in its execution. The position would provide clear leadership in the White House and signal cybersecurity as an enduring priority in U.S. national security strategy.
    • Second, the government must continue to improve the resourcing, authorities, and organization of the Cybersecurity and Infrastructure Security Agency (CISA) in its role as the primary federal agency responsible for critical infrastructure protection, security, and resilience. We recommend empowering CISA with tools to strengthen public-private partnership. Of particular value would be the authorities needed to aid in responding to attempted attacks on critical infrastructure from a variety of actors ranging from nation-states to criminals. Currently, the U.S. government’s authorities are limited exclusively to certain criminal contexts, where evidence of a compromise exists, and do not address instances in which critical infrastructure systems are vulnerable to a cyberattack. To address this gap, Congress should grant CISA subpoena authority in support of their threat and asset response activities, while ensuring appropriate liability protections for cooperating private-sector network owners.
    • Third, elements of the U.S. government and the private sector often lack the tools necessary for successful collaboration to counter and mitigate a malicious nation-state cyber campaign. To address this shortcoming, the executive branch should establish a Joint Cyber Planning Office under CISA to coordinate cybersecurity planning and readiness across the federal government and between the public and private sectors for significant cyber incidents and malicious cyber campaigns. Within a similar vein, Congress should also direct the U.S. government to plan and execute a national-level cyber table-top exercise on a biennial basis that involves senior leaders from the executive branch, Congress, state governments, and the private sector, as well as international partners, to build muscle memory for key decision makers and develop new solutions and strengthen our collective defense.
    • Fourth, the United States must take immediate steps to ensure our critical infrastructure sectors can withstand and quickly respond to and recover from a significant cyber incident. Resilience against such attacks is critical in reducing benefits that our adversaries can expect from their operations–whether disruption, intellectual property theft, or espionage. Congress should direct the executive branch to develop a Continuity of the Economy Plan. This plan should include the federal government, SLTT entities and private stakeholders who can collectively identify the resources and authorities needed to rapidly restart our economy after a major disruption. In addition, the Commission recommends establishing a Cyber State of Distress tied to a Cyber Response and Recovery Fund , giving the government greater flexibility to scale up and augment its own capacity to aid the private sector when a significant cyber incident occurs. These changes will ensure the infrastructure that supports our most critical national functions can continue to operate amidst disruption or crisis.
    • Fifth, the Commission recommends two relevant initiatives to reshape the cyber ecosystem toward greater security for all Americans. The first, the creation of a National Cybersecurity Certification and Labeling Authority, would help create standards and transparency that will allow consumers of technology products and services to use the power of their purses over time to demand more security and less vulnerability in the technologies they buy. Furthermore, Congress should appropriate funds to the Department of Homeland Security (DHS), in partnership with the Department of Energy, Office of the Director of National Intelligence (ODNI), and the Department of Defense (DoD), to competitively select, designate, and fund up to three Critical Technology Security Centers in order to centralize efforts directed towards evaluating and testing security of devices and technologies that underpin our networks and critical infrastructure.
    • Sixth, the U.S. Intelligence Community is not currently resourced or aligned to adequately support the private sector in cyber defense and security. While the intelligence community is formidable in informing security operations in instances when the U.S. government is the defender, its policies and procedures are not aligned to intelligence collection on behalf of private entities, which constitutes around 85% of our critical infrastructure. To that end, Congress should direct the executive branch to conduct a six-month comprehensive review of intelligence policies, procedures, and resources to identify and address key limitations in order to improve the intelligence community’s ability to provide intelligence support to the private sector.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by ThisIsEngineering from Pexels

National Cyber Director Hearing

The primary committee of jurisdiction over a bill to create a White House Cyber Director held a hearing on the ramifications of creating just such a position.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 14 July, the House Oversight and Reform Committee held a virtual hearing to discuss the recently introduced “National Cyber Director Act” (H.R.7331) that would implement one of the Cyberspace Solarium Commission’s (CSC) most significant recommendations. Representative James Langevin (D-RI), who served on the CSC, introduced the bill a few weeks ago when it appeared clear that neither Armed Services Committee will include the CSC’s recommendation that a position be established inside the Executive Office of the President of a National Cyber Director to coordinate much of the United States’ cyber policy that would need to be confirmed by the Senate. Langevin and a number of others submitted an amendment to the House Rules Committee for consideration of the “William M. (Mac) Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 2021” (H.R.6395) that would add H.R.7331 to the House’s FY 2021 NDAA. It is possible this amendment is made in order and will be debated on the House floor when the chamber turns to H.R.6395, which could happen as soon as next week.

The holding of this hearing is likely part of an effort to convince House Democratic Leadership and the House Rules and Armed Services Committees of the support for H.R.7331 so that it can be debated during consideration of the FY 2021 NDAA. The chair of the House Oversight and Reform Committee cosponsored Langevin’s amendment as did a number of Republicans, demonstrating its bipartisan nature. Also, having held a hearing at which a number of witnesses endorsed the idea will lend further weight to it being allowed to be offered to the annual Department of Defense policy package.

The Senate’s NDAA does not include language establishing a National Cyber Director position. Rather, the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would require “the  Secretary  of  Defense,  in  coordination  with  the Secretary  of  Homeland  Security,  shall  seek  to  enter  into  an  agreement  with  an  independent  organization  with  relevant expertise in cyber policy and governmental organization  to  conduct  and  complete  an  assessment  of  the  feasibility and advisability of establishing a National Cyber Director.” It is possible that CSC co-chair Senator Angus King (I-ME) succeeds in getting this recommendation included in the Senate’s FY 2021 NDAA when the body continues with debate next week.

Chair Carolyn Maloney (D-NY) stated

Cyberattacks are a critical, complex, prevalent, and growing threat to the nation’s safety and economic security, touching nearly every aspect of our lives. This assessment was upheld by recent findings from the U.S. Cyberspace Solarium Commission, which was established by the 2019 National Defense Authorization Act to review the state of our cybersecurity posture and develop bipartisan solutions for defending America against cyberthreats.  This commission of Congressional, Executive Branch, and private sector cybersecurity leaders sounded the alarm that, in addition to millions of intrusions that disrupt operations in America on a daily basis, we remain vulnerable to catastrophic attacks on critical infrastructure and economic systems that could cause widespread damage and death.

Maloney noted “[a] number of the commission’s recommendations fall within the legislative jurisdiction of this Committee…[and] [t]his includes one that has sparked a high level of interest on both sides of the aisle—the recommendation for a centralized cybersecurity position at the White House to develop and streamline the federal government’s strategy, coordination, and response to cyberthreats.” She said that “[t]his role was first formalized during the George W. Bush Administration, and then elevated and expanded during the Obama Administration…[b]ut in 2018, then-National Security Adviser John Bolton eliminated the role, reportedly to cut “another layer of bureaucracy.”

Maloney said that “we will review H.R. 7331, which would implement the Commission’s recommendation to establish a National Cyber Director in the Executive Office of the President.” She said that “[t]his new position would restore that cyber coordination and planning function at the White House…[and] [i]n addition, for the first time, it would be backed with resources and statutory authority to lead strategic planning efforts, review cybersecurity budgets, and coordinate national incident response.” Maloney stated “[a] challenge as complex and pervasive as cybersecurity requires that our government be strategic, organized, and ready…[and] Democrats and Republicans agree we need a National Cyber Director to ensure we are fully prepared for, and coordinated in, our response to cyberattacks as our nation fights this silent war.” She explained “[o]ur mission today is to gain a detailed understanding of the threats we face, and to thoroughly examine H.R. 7331 as the vehicle for preparing our country against those threats.”

Ranking Member James Comer (R-KY) said the federal cyber domain is dispersed with varying jurisdictions and expertise among agencies organized to fight cyber-crime, defend national security, and support the private sector’s critical cyber infrastructure. He noted the increasingly reliance in the US on technology and growing inter-connected nature of the American economy. Comer said foreign actors, terrorist groups, domestic agitators, and criminal enterprises all have a vested interest in exploiting US networks. Comer said the remote operations of the pandemic have created new cyber vulnerabilities that malicious actors are taking advantage of. He added the same threats face private sector and state, local, tribal, and territorial governments. Comer stressed that fostering relationships across the private sector and state and local partners, vital cyber threat information can be shared that helps secure critical infrastructure.

Comer noted the witnesses have vast experience in combatting cyber threats from nations like the People’s Republic of China (PRC) that has historically hacked into agencies like the Federal Deposit Insurance Corporation, stolen intellectual property, and paid professors and researchers for research and development information. He stated he would welcome the opportunity to work with Democrats to hold the PRC accountable for these bad acts as well as their deceptive tactics over the course of the COVID-19 pandemic. Comer said the present hearing would, instead, examine a proposal to create a National Cyber Director. He stressed that Members have a duty to be good stewards of taxpayer dollars and not create more bureaucracy. Comer commended the Trump’s Administration’s performance in fending off threats to medical and health facilities and to teleworkers during the pandemic.

Comer asked whether it is truly necessary to establish a new position to coordinate cybersecurity, and, if so, would this official actually have the authority necessary to execute her responsibilities. Moreover, will other stakeholders fall in line and work in harmony, he asked. Comer said it is already he case the multiple federal agencies have cybersecurity jurisdiction and wondered whether another official would help the US government’s cyber posture. He expressed his concern that the bill may create a duplicative, bureaucratic layer of government that will hinder future responses to cyber-attacks.

Representatives and CSC Members James Langevin (D-RI) and Mike Gallagher (R-WI) claimed

First and foremost, the Executive Branch must establish a National Cyber Director to centralize and coordinate the cybersecurity mission at the national level. The National Cyber Director would work among Federal departments and agencies to bring coherence in both in the development of cybersecurity policy and strategy and in its execution. The position would provide clear leadership in the White House and signal cybersecurity is an enduring priority in U.S. national security strategy.

Langevin and Gallagher stated “[l]ooking at the history and the current structure of the Executive Branch, four clear institutional challenges emerge:

  • First, the Federal government lacks consistent, institutionalized leadership in the White House on cybersecurity strategy and policy.
  • Second, due to the absence of a consistent advocate, cybersecurity is inconsistently prioritized in the context of national security.
  • Third, the United States lacks a coordinated, cohesive, and clear strategic vision for cyber.
  • Fourth, the lack of centralized Executive Branch leadership complicates and prevents effective congressional oversight. In the March 2020 Commission report, the Commission recognized the need for a single individual at the highest level in the Federal government to take on these responsibilities.

Langevin and Gallagher explained

On the issue of whether to recommend the creation of new Executive Branch structures, or strengthen the existing structures, the Commission explored several different options. These models included the creation of a new cabinet department for cyber led by a Secretary, an independent agency for cyber led by a Director reporting to an existing cabinet department, an equivalent to a Homeland Security Advisor for cyber within the National Security Council, or a new office within the White House Executive Office of the President (EOP) led by a Director. Ultimately, the Commission decided that the Federal government would be better served by strengthening existing department and agency efforts in cybersecurity, including strengthening CISA and Sector-Specific Agencies, rather than the creation of a new department. While the creation of a new cabinet department or independent agency would give the position gravitas, the Commission recognized the protracted development of a new department would prevent, or even eliminate, much-needed near-term progress.

Cyber Threat Alliance President and Chief Executive Officer Michael Daniel claimed “we have reached the point where making more than incremental progress will prove difficult unless we address at least four impediments:

  • First, cybersecurity’s cross-cutting nature does not fit with the US government’s bureaucratic structure, making the issue difficult to deal with during policy development. 
  • Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity over the long term. 
  • Third, a lack of central coordination hinders effective incident response actions. 
  • Fourth, cybersecurity’s complexity and unusual nature make it tough for the President and other senior leaders to tackle without access to expertise. 

Daniel stated “[a]ddressing these impediments would be challenging under normal circumstances, but this Administration has chosen to take a step backward by eliminating the cybersecurity coordinator position at the White House, which makes it even harder.” He said that “[c]learly, no single policy action will solve these problems…[and] [t]hey are too complicated for a one-shot solution.” Daniel said “[t]hat said, creating a position like a National Cyber Director along the lines the Cyberspace Solarium Commission recommends or that Representative Langevin has proposed is a necessary part of the solution.”

Daniel asserted

  • Cybersecurity is a strategic, national level problem that defies easy categorization.  Cyberspace and the Internet are permanent features of our society, economy, public safety, and national security.  We will not “solve” our cybersecurity problems; cyber threats are now a permanent feature in society and international relations.  Instead, we will manage and mitigate the threat.  Thus, we need a strategic level leader focused on this problem with a government-wide perspective.  Moreover, we will need a national cyber director for the long-term. 
  • The EOP is the only part of the executive branch with a sufficiently broad scope to look across all the different aspects of cybersecurity.  It is the only part of the executive branch that can overcome the “you’re not the boss of me” effect and incentivize agencies to engage in regular, sustained, and intense coordination. It is the logical place to organize a cyber crisis response because it can serve as a neutral, inter-agency hub and activate resources across the entire Federal government. Finally, it is the primary organization for direct Presidential advisors.

Daniel said that “[a]s Congress debates this issue, I would urge it to consider certain parameters in crafting the position: The NCD Office should be big enough to run effective processes, but not so big that it tries to be operational.” He claimed “[i]f we want the office to succeed, then it cannot be so small that the staff do not have time to do anything right…[and] [o]n the other hand, it should not be so large that its staff are tempted to try to run operations directly.” Daniel stated that “[t]he NCD Office should integrate tightly with OMB’s budget process and NSC’s policy process, otherwise it will be irrelevant.”

Daniel stated

  • The NCD Office should have insight into and a policy oversight role for all Federal government cyber functions, including military, intelligence, or law enforcement activities; this insight must extend to offensive cyber operations. We cannot exclude those activities from the NCD’s purview and expect the position to succeed. For the record, I strongly support the independence of indictment and prosecutorial decisions from the White House, but that separation does not mean the NCD should not understand what law enforcement operations are occurring or influence our strategic level policy toward cybercrime. If the NCD only has oversight and coordination roles for network defense activities and working with the private sector, then the position would largely duplicate the CISA director, which we do not need.
  • NCD staff should not participate in policy execution. Law enforcement agencies investigates and prosecutes crime, intelligence agencies collect information, the military conducts offensive cyber operations, and the sector specific agencies work with their industries. Policy execution should remain the domain of the departments and agencies.
  • The office will need a clear relationship with the Federal Chief Information Security Officer (CISO). This existing office has worked hard to improve the security of Federal networks. The NCD’s office will need to work closely with the Federal CISO to ensure that Federal agencies are following the general guidance and advice the government gives the private sector. We must walk our talk.

Tenable Chairman and CEO Amit Yoran stated

Beyond the authorities already included in H.R. 7331, I recommend additional authorities for the National Cyber Director that would improve the nation’s cybersecurity risk management for both the public and private sectors. These additional authorities include developing a national encryption policy, managing the Vulnerabilities Equities Process (VEP), coordinating with regulatory entities, driving cybersecurity workforce development, and leading all international cybersecurity efforts, to include the development of international cyber strategies and international engagement.

Yoran added that

The Cyberspace Solarium Report also included recommendations on how to further strengthen the Cybersecurity Infrastructure Security Agency (CISA) in order to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem and serve as the central civilian authority to support federal, state, local and private sector cybersecurity efforts. CISA has established information sharing capabilities across the government, provides technical assistance to cybersecurity operators in the public and private sectors, and engages stakeholders both inside and outside the federal government. However, CISA’s role has clear limitations:

  • CISA’s convening power is not widely understood or consistently recognized.
  • CISA does not have jurisdiction over law enforcement, the Department of Defense or federal intelligence agencies, which are all critical pieces of a unified approach to U.S. cyber defense, nor are these organizations required to collaborate and share their activities with CISA.
  • CISA does not have the budget or the analytic capacity to assess, plan for and lead a unified effort to mitigate national systemic cyber risk.

Yoran said that “[t]he creation of the National Cybersecurity Director role should be done in conjunction with efforts to empower and appropriately resource CISA as a critical player to improve the nation’s cybersecurity.” He contended “[t]o strengthen CISA, Congress should elevate the Director position as recommended by the Cyberspace Solarium Commission and provide additional funding and program support that will enable the organization to enhance current operations.” Yoran stated that “[a]n expanded budget would also allow CISA to increase funding for the Continuous Diagnostics and Mitigation (CDM) program in order to meet surge capacity to protect .gov networks, support state and local cybersecurity networks and systems, and expand other programs that support the private sector, including many of the public-private operations that comprise the U.S. critical infrastructure.”

George Mason University’s National Security Institute Founder & Executive Director Jamil Jaffer stated

  • Given the general agreement that such [cyber] coordination is advisable, and indeed, necessary, one needs wonder why the Commission’s approach might be controversial.  The first and most obvious issue that would likely trouble any White House—regardless of political party and relationship with Congress—is the idea of having yet another Senate-confirmed appointee in the White House Office. 
  • The challenge, of course, with a National Cyber Director, particularly as it relates to a position in the White House Office and as described in H.R. 7331, is that this individual would have responsibilities that are generally understood by Presidents to be squarely in their control, namely matters related to the execution of the President’s textual Commander-in-Chief responsibilities. And while Congress may certainly argue that it has a number of textual commitments in this area also, like the declaration of war authority and the provisioning of the armed forces, the reality is that Presidents have long taken the view that matters of national security decisionmaking, particularly in the White House, are firmly committed to their discretion.  Thus, it is likely that any President, regardless of party or relationship with Congress, would be strongly opposed to Senate-confirmation of such an individual and, if such confirmation was ultimately required, it may actually undermine rather than buttress the individual position’s influence and role within the White House.
  • Moreover, making such a position Senate-confirmed essentially seeks to elevate it to an Assistant to the President role, namely a principal officer inside the White House Office. The challenge with doing so, of course, is that the vast majority of issues such an individual would deal with likely also fall squarely within the ambit of the existing responsibilities of the Assistant to the President for National Security (i.e., the National Security Advisor). 
  • The legislation clearly envisions the former approach—that is, direct advice to the President—which could very well create its own set of coordination and integration challenges within the White House and with the interagency. This challenge is enhanced, in particular, when it comes to areas of clear overlap between existing White House officials like the National Security Advisor (e.g., in the case of offensive and defensive cyber operations), as well as the Director of OMB (e.g., in the case of budgetary authority). Where the situation becomes even more problematic, however, is where the NCD’s assigned authorities appear to directly conflict with the authorities of another cabinet-level official. 
  • Finally, the size of the office likewise presents its own challenges.  While it is true that the USTR has an office of over 200 individuals and OMB has nearly 500, even at 75 authorized individuals, when one adds in the authority for other outside experts, consultants, and other government agency personnel in support, this number is likely to be viewed as too high for the mission.  This is particularly the case given that such an office would be roughly1/3 the size of the entire National Security Council staff, which itself is currently seen as fairly bloated (even after the Trump-directed staff reductions in 2019)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Hearing On National Cyber Director Act To Be Held This Week

Members of a Congressional cybersecurity commission introduce legislation to establish a statutory cyber position in the White House after neither NDAA has this policy change.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, the House Oversight and Reform Committee is holding a hearing to examine the “National Cyber Director Act” (H.R.7331), a bill to implement one of the Cyberspace Solarium Commission’s key recommendations.

When it became clear that neither FY 2021 National Defense Authorization Act (NDAA) would include a CSC to create a statutory position in the White House to coordinate United States’ (US) cyber policy, some CSC members and other key stakeholders introduced a bill to effectuate the recommendation that the US needs a National Cyber Director. This new position would be along the lines of a position created during the Obama Administration (i.e. White House Cybersecurity Coordinator) that was eliminated by former National Security Advisor John Bolton in 2018. However, this position would have a statutory basis and authority, which would institutionalize the position in this and future Administrations.

The bill was sponsored by CSC Member Representative James Langevin (D-RI) and cosponsored by CSC co-chair Representative Mike Gallagher (R-WI), House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), the Homeland Security Committee’s Cybersecurity, Infrastructure and Innovation Subcommittee Ranking Member John Katko (R-NY), and Representatives C. A. Dutch Ruppersberger (D-MD) and Will Hurd (R-TX). Langevin has been advocating for this concept for a decade, beginning with the introduction of “Executive Cyberspace Authorities Act of 2010” (H.R.5247) that would have created a National Cyberspace Office inside the Executive Office of the President.

In terms of strategy for enactment, the sponsors could try to offer the bill as an amendment to either NDAA during floor consideration, but, depending on the procedural approach to consideration in either chamber, they may not be able to actually get a vote. Moreover, the chairs and ranking members of the Armed Services Committees who typically manage the bills on the floor may successfully argue this is an idea that is premature and should be studied. This sort of argument is often persuasive since these Members are usually respected for their expertise. Alternatively, the sponsors may try to pass the bill as a standalone measure.

The “National Cyber Director Act” (H.R.7331) would establish an Office National Cyber Director (NCD) in the Executive Office of the President (EOP) headed by a Senate-confirmed NCD, much like some of the other offices in the EOP like the Office of Management and Budget and the Office of Science and Technology Policy. Immediately beneath the NCD would be two new officials: Deputy National Cyber Director for Strategy, Capabilities, and Budget and Deputy National Cyber Director for Plans and Operations whose responsibilities are presumably spelled out in their titles for the bill does not explain on their portfolios. The NCD would be added to the statute establishing the National Security Council (NSC), and would be specifically named as an adviser the President may or may not invite to participate in NSC meetings and deliberations.

In terms of duties, the NCD would serve “as the principal advisor to the President on cybersecurity strategy and policy” “[s]ubject to the authority, direction, and control of the President.” This new official would coordinate the drafting and implementation of the United States’ National Cyber Strategy in consultation with existing stakeholders like OMB, the Department of Homeland Security, Department of Defense, and others. The NCD would also be empowered to review agency budget submissions and be required to certify they are aligned with the National Cyber Strategy. The new Director would also be added to the stakeholders that address information security across federal agencies. The NCD would “lead joint interagency planning for the Federal Government’s integrated response to cyberattacks and cyber campaigns of significant consequence,” which would be defensive operations. It appears the NCD would not be the lead US official for offensive cyber-attacks, which appears to be the province of the head of Cyber Command, currently General Paul Nakasone.  However, there are provisions that seem to suggest the National Cyber Director could be added to the inter-agency process of determining whether and when the US will launch cyber-attacks. However, the CSC envisioned the NCD not interfering with the current process for offensive operations: “The NCD will coordinate interagency efforts to defend against adversary cyber operations against domestic U.S. interests; this will not impinge on DoD responsibility for Title 10 activities, Office of the Director of National Intelligence (ODNI) responsibility for Title 50 activities, or the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) responsibility for counterintelligence activities, but the NCD would be kept fully apprised of those activities.”

The Senate’s “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would require “the  Secretary  of  Defense,  in  coordination  with  the Secretary  of  Homeland  Security,  shall  seek  to  enter  into  an  agreement  with  an  independent  organization  with  relevant expertise in cyber policy and governmental organization  to  conduct  and  complete  an  assessment  of  the  feasibility and advisability of establishing a National Cyber Director.” The text of the House’s NDAA released thus far does not address the CSC’s recommendation for the establishment of an NCD.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by cristianrodri17 from Pixabay

NDAA Markup Finishes In House

The House’s NDAA was moved out of committee and it would alter a range of technology programs and initiatives at the Pentagon. The bill may be considered by the full House later this month.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The House Armed Services Committee marked up and reported out the “National Defense Authorization Act for Fiscal Year 2021” (NDAA) (H.R.6395), three weeks after the Senate Armed Services Committee did the same with its NDAA. The two packages authorize very similar top-line funding for the Department of Defense (DOD) and non-DOD defense programs (most of which are the Department of Energy’s nuclear weapons programs) that largely meets the Trump Administration’s overall funding request of roughly $731 billion, including $69 billion for Overseas Contingency Operations (OCO). And, the annual authorization package is full of technology provisions that affect the DOD, related agencies, private sector contractors, and other nations. The House may take up H.R.6395 this month, which will likely result in more changes being made to the package.

Chair Adam Smith (D-WA) released his Mark (i.e. the full text of his proposed FY 2021 NDAA that served as the base text for the markup). This bill also added sections that were not included in the subcommittee marks, and with respect to cyber-policy, the Chair’s Mark added two provisions:

  • Section 1622—Cyberspace Solarium Commission
    • This section would modify section 1652 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232) to update the Cyberspace Solarium Commission’s membership. Additionally, this section would permit the organization to extend further for the purposes of providing regular updates to the legislative and executive branches on the implementation of the Commission’s findings. 
  • Section 1624—Responsibility for the Sector Risk Management Agency Function of the Department of Defense
    • This section would assign full responsibility for certification, coordination, harmonization, and deconfliction of the various efforts, initiatives, and programs that the Department of Defense manages in the furtherance of its responsibilities as the Sector-Specific Agency (SSA) for the Defense Industrial Base to the Principal Cyber Advisor. Presently, the Department is the only SSA that has not unified its various physical and cybersecurity efforts under one organization. For the purposes of carrying out its SSA mission, the Principal Cyber Advisor will be tasked with the management of all functions associated with SSAs under Presidential Policy Directive-21.

The Chair’s Mark has a number of cybersecurity provisions in the Committee Report:

  • [T]he committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
  • Consistent with draft regulation issued in November 2019, and the anticipated August 2020 regulation related to this statute, the committee directs the Secretary of Defense, in coordination with the Secretary of Commerce, to provide a briefing to the House Committee on Armed Services not later than December 1, 2020, on the implementation status of the full requirements in section 889 of the FY 2019 NDAA that effectively bans Huawei, ZTE, Hytera, Hikvision, or Dahua systems or equipment from DOD and federal government systems and networks.

Intelligence and Emerging Threats and Capabilities Subcommittee’s Mark contains the following Committee Report language:

  • [T]he committee directs the Secretary of Defense, in coordination with the Department of Defense Chief Information Officer, to provide a report to the House Committee on Armed Services not later than March 31, 2021, on the status of the Department’s implementation of the [21st Century Integrated Digital Experience Act (IDEA) (P.L. 115-336)] across the defense enterprise.
  • The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than September 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
  • [T]he committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.

The Committee adopted hundreds of amendments during its hours long markup, some of which pertained to defense technology issues. The Committee wrote this summary of selected provisions adopted in this package in the jurisdiction of the Intelligence & Emerging Threats and Capabilities Subcommittee offered by a range of Members:

  • Amends Sec. 1286 of the FY 2019 NDAA by adding to the requirements a publication deadline and public release of a list of Chinese and Russian academic institutions with a history of improper technology transfer and other malign behavior.
  • Directs the Secretary of Defense to provide a briefing to the House Committee on Armed Services, not later than 1 December 2020, on the information environment segmentation methodology framework.
  • Requires a GAO study of DOD’s Cyber vulnerability assessment efforts.
  • Requires DOD to submit a report to Congress on DOD components cyber hygiene practices and directs the GAO to review that report and brief the Committees on its findings.
  • To provide a briefing to HASC on improving the cybersecurity of disadvantaged small businesses in the defense industrial base.
  • National Security Commission on Artificial Intelligence (NSCAI) recommendations including
    • “a  steering  committee  on  emerging  technology  and  national  security  threats;”
    • “the  Secretary  of  Defense  shall  develop  and  implement  a  program  to  provide  covered  human  resources  personnel  with  training  in  the  fields  of  software  development,  data  science,  and  artificial  intelligence,  as  such  fields  related  to  the  duties  of  such  personnel;”
    • “a  pilot  program  under which applicants for technical positions within the Department  of  Defense  will  be  evaluated,  in  part,  based  on  electronic  portfolios  of  the  applicant’s  work;”
  • Briefing on use of Artificial Intelligence to analyze beneficial ownership of defense contractors
  • Establishes a National Artificial Intelligence Initiative
  • GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
  • Package of recommendations on artificial intelligence (AI) and emerging technologies from the National Security Commission on Artificial Intelligence (NSCAI), including:
    • a program under which qualified professors and students may be employed on a part-time or term basis in an organization of the Defense science and technology enterprise for the purpose of conducting a research project
    • an advisory panel on microelectronics leadership and competitiveness
    • the Joint Artificial Intelligence Center…shall conduct an assessment to determine whether the Department of Defense has the ability to ensure that any artificial intelligence technology acquired by the Department is ethically and responsibly developed.
  • Amending report language on “Ties between Russia and China” to include assessment on defense cooperation and coordination between Russia and China
  • Requires a report on the applicability of using automated technologies related to computer aided manufacturing software and similar manufacturing technologies to address repair part obsolesce issues and part obsolesce issues and parts shortages across the organic industrial base.
  • To require a plan on spectrum information technology modernization and a program to identify and mitigate vulnerabilities in the military’s telecommunications infrastructure
  • The DOD lacks a similar comprehensive understanding of the Internet-connected assets and attack surface across the DOD enterprise. Amends existing DRL to require a briefing on the current and planned capabilities and concept of operations for Internet operations management.

The Committee also offered summaries of the following provisions adopted across three amendments:

  • Chair’s Mark En Bloc #1
    • Report on Supply Chain Security Cooperation with Taiwan
    • Directs the United States-China Economic and Security Review Commission to brief the committee on any plans, opportunities, and/or challenges the Commission has for sharing its expertise and cooperation with similar organizations among U.S. partners and allies
    • Encourages the Secretary of Defense to take into account the security risks, including threats to operational and information security, of 5G and 6G telecommunications networks in all future overseas stationing decisions
  • Chair’s Mark En Bloc #2
    • Cyber Threat Information Collaboration Environment (JCE)
    • Establishment of the Integrated Cyber Center
    • Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation
    • The  DOD “shall  establish  a  threat  intelligence  program  to  share  with  and  obtain  from  the  defense  industrial  base  information  and  intelligence  on  threats  to  national  security” that would include cybersecurity incident reporting for defense contractors
    • Requires a study and recommendations from NIST on China’s influence in international standards setting bodies for emerging tech.
    • Requirement to Buy Certain Satellite Component from National Technology and Industrial Base
    • Sense of Congress on the intent and implementation of the Section 889 of the FY19 National Defense Authorization Act pertaining to the prohibition on certain telecommunications and video surveillance services or equipment
    • Extends and modernizes required reporting by the Department of Defense on Chinese Communist Party military companies operating in the United States
  • Chair’s Mark En Bloc #3
    • DRL requiring a briefing from USD(A&S) on how DOD and the CMMC-AB plan to mitigate potential organizational conflicts of interest [between] contractors and third-party assessment organizations performing CMMC certifications
    • To provide assistance to small manufacturers in the defense industrial supply chain with improving cybersecurity
    • GAO Report on GSA e-commerce Portal Data Usage and Competition

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Congressional Cybersecurity Commission Releases Annex To Final Report

A Congressional cyber panel is adding four recommendations to its comprehensive March report.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 2 June, the Cyberspace Solarium Commission (CSC) released an annex to its final report. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In mid-March, the CSC released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has still not yet made available. However, Members of Congress who served on the CSC are working with the Armed Services Committees to get some of this language added to the FY 2021 National Defense Authorization Act (NDAA). See this issue of the Technology Policy Update for more detail on the CSC’s final report.

Per its grant of statutory authority, the CSC is set to terminate 120 days after the release of its final report, which will be next month. Nonetheless, the CSC has been holding a series of webinars to elucidate or explain various components of the final report, and the Commission began to consider cybersecurity through the lens of the current pandemic for parallels and practical effects. Consequently, the CSC added four new recommendations and renewed its call that recommendations in its final report related to the pandemic – in the view of the Commission – receive renewed attention and ideally action by Congress and the Executive Branch.

The CSC again called for the types of resources and reforms most policymakers have either not shown an appetite for or believe are a few bridges too far. Even though the CSC stated its intention to a “9/11 Commission without the 9/11 event,” it is unlikely such sweeping policy changes will be made in the absence of a crisis or event that fundamentally changes this status quo. Nevertheless, the CSC’s new recommendations are targeted and modest, one of which call for funneling more funds through an existing grant program to bolster private sector/non-profit efforts and another for a government agency to exercise previously granted authority. What’s more, the CSC could add the new recommendations to those shared in the form of legislative language with the Armed Services Committees in the hopes they are included in this year’s NDAA. Given that CSC co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) serve on their chambers’ Armed Services Committees as do the other two Members of Congress on the CSC, Senator Ben Sasse (R-NE) and Representative James Langevin (D-RI), the chances of some of the recommendations making it into statute are higher than they may be otherwise.

In its “White Paper #1: Cybersecurity Lessons from the Pandemic,” the CSC asserted:

The COVID-19 pandemic illustrates the challenge of ensuring resilience and continuity in a connected world. Many of the effects of this new breed of crisis can be significantly ameliorated through advance preparations that yield resilience, coherence, and focus as it spreads rapidly through the entire system, stressing everything from emergency services and supply chains to basic human needs and mental health. e pandemic produces cascading effects and high levels of uncertainty. It has undermined normal policymaking processes and, in the absence of the requisite preparedness, has forced decision makers to craft hasty and ad hoc emergency responses. Unless a new approach is devised, crises like COVID-19 will continue to challenge the modern American way of life each time they emerge. This annex collects observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption. These insights and the accompanying recommendations, some of which are new and some of which appear in the original March 2020 report, are now more urgent than ever.

The CSC conceded that “[t]he lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

  • First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
  • Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
  • Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
  • Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

The CSC continued:

The COVID-19 pandemic is a call to action to ensure that the United States is better prepared to withstand shocks and crises of all varieties, especially those like cyber events that we can reasonably predict will occur, even if we do not know when. We, as a nation, must internalize the lessons learned from this emergency and move forward to strengthen U.S. national preparedness.  This means building structures in government now to ensure strategic leadership and coordination through a cyber crisis. It means driving down the vulnerability of the nation’s networks and technologies. And finally, it means investing in rigorously building greater resiliency in the government, in critical infrastructure, and in our citizenry. In the past several years, experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis. As the COVID-19 crisis has unfolded, the United States has experienced a wake-up call, prompting a national conversation about disaster prevention, crisis preparedness, and incident response. While COVID-19 is the root cause of today’s crisis, a significant cyberattack could be the cause of the next. If that proves to be the case, history will surely note that the time to prepare was now.

The CSC offered these four new recommendations:

  • Pass an Internet of Things Security Law: With a significant portion of the workforce working from home during the COVID-19 disruption, household internet of things (IoT) devices, particularly household routers, have become vulnerable but important pieces of our national cyber ecosystem and our adversary’s attack surface. To ensure that the manufacturers of IoT devices build basic security measures into the products they sell, Congress should pass an IoT security law. The law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.” But it should be only modestly prescriptive, relying more heavily on outcome-based standards, because security standards change with technology over time. Nonetheless, the law should stress enduring standards both for authentication, such as requiring unique default passwords that a user must change to their own authentication mechanism upon first use, and for patching, such as ensuring that a device is capable of receiving a remote update. Congress should consider explicitly tasking the Federal Trade Commission with enforcement of the law on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.
    • In a footnote, the CSC asserted “[t]he proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States.
    • The initial draft of the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734) was a revised, unified version of two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283). However, during the process of consideration in both chambers, differences emerged that as of yet have not been reconciled. However, it is possible that a final version of this bill gets folded into the FY 2021 NDAA or is passed as standalone legislation in the waning days of this Congress.
    • However, the FTC already uses its Section 5 authorities to bring actions against IoT manufacturers. For example, last month, the agency announced a settlement with Tapplock regarding “allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”
  • Support Nonprofits that Assist Law Enforcement’s Cybercrime and Victim Support Efforts: Cyber-specific nonprofit organizations regularly collaborate with law enforcement in writing cybercrime reports, carrying out enforcement operations, and providing victim support services. As the COVID-19 pandemic has proven, trusted nonprofit organizations serve as critical law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes. Such nonprofits have the expertise and flexibility to help and reinforce law enforcement efforts to disrupt cybercrime and assist victims. However, they often face financial challenges. Therefore, the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.
    • The portion of the Department of Justice’s Office of Justice Programs that makes grants was provided $1.892 billion in FY 2020, with large chunks being earmarked for state and local law enforcement agencies like the Edward Byrne Memorial Justice Assistance Grant program. Therefore, there would likely need to be additional funding provided for this program if there will be additional eligible recipients and additional purposes.
  • Establish the Social Media Data and Threat Analysis Center: Because major social media platforms are owned by private companies, developing a robust public-private partnership is essential to effectively combat disinformation. To this end, the Commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC), which would take the form of an independent, nonprofit organization intended to encourage public-private cooperation to detect and counter foreign influence operations against the United States. The center would serve as a public-private facilitator, developing information-sharing procedures and establishing—jointly with social media—the threat indicators that the center will be able to access and analyze. In addition, the DTAC would be tasked with informing the public about the criteria and standards for analyzing, investigating, and determining threats from malign influence operations. Finally, in order to strengthen a collective understanding of the threats, the center would host a searchable archive of aggregated information related to foreign influence and disinformation operations.
    • This is, obviously, not really a new recommendation, but rather a call for already granted authority to be used. The Director of National Intelligence was provided discretionary authority to establish the DTAC in P.L. 116-92 and has not chosen to do so yet. There are a number of existing entities that may qualify as the Atlantic Council’s Digital Forensics Research Lab or the Alliance for Securing Democracy. However, the issue may be resources in that the DNI was not provided any additional funding to stand up the DTAC.
  • Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: Congress should fund the Department of Justice to provide grants, in consultation with the Department of Homeland Security and the National Science Foundation, to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them. Such malign foreign influence campaigns can include covert foreign state and non-state propaganda, disinformation, or other inauthentic activity across online platforms, social networks, or other communities. These centers should analyze and monitor foreign influence operations, identify trends, put those trends into context, and create a robust, credible source of information for the American public. To ensure success, these centers should be well-resourced and coordinated with ongoing government efforts and international partners’ efforts.
    • It is not clear whether this program would be conducted through an existing DOJ program or a new one would be created. As with the DOJ’s Office of Justice Programs, funding may be an issue, and while the Armed Services Committees may be able to fold this into the FY 2021 (notwithstanding jurisdictional issues considering the DOJ is part of the Judiciary Committees’ purviews), but the Appropriations Committees would ultimately decide whether this would be funded.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Congressionally Created Panel Releases Cyberspace Recommendations and Legislative Proposals

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 here.

The Cyberspace Solarium Commission (CSC) released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has not yet made available. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) served as co-chairs for the CSC, which also included Representative James Langevin (D-RI), Senator Ben Sasse (R-NE), the Federal Bureau of Investigation Director Christopher Wray, Deputy Secretary of Defense David L. Norquist, and others.

The co-chairs explained

We didn’t solve everything in this report. We didn’t even agree on everything. There are areas, such as balancing maximum encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop. So please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private sector act with speed and agility to secure our cyber future.

Nonetheless, they offered some “big ideas to get the conversation started:

  • First, deterrence is possible in cyberspace. Today most cyber actors feel undeterred, if not emboldened, to target our personal data and public infrastructure. In other words, through our inability or unwillingness to identify and punish our cyber adversaries, we are signaling that interfering in American elections or stealing billions in U.S. intellectual property is acceptable. e federal government and the private sector must defend themselves and strike back with speed and agility. This is difficult because the government is not optimized to be quick or agile, but we simply must be faster than our adversaries in order to prevent them from destroying our networks and, by extension, our way of life. Our strategy of layered cyber deterrence is designed with this goal in mind. It combines enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies. It is a simple framework laying out how we evolve into a hard target, a good ally, and a bad enemy.
  • Second, deterrence relies on a resilient economy. During the Cold War, our best minds were tasked with developing Continuity of Government plans to ensure that the government could survive and the nation recover after a nuclear strike. We need similar planning today to ensure that we can reconstitute in the aftermath of a national-level cyberattack. We also need to ensure that our economy continues to run. We recommend that the government institute a Continuity of the Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack. Such a plan is a fundamental pillar of deterrence—a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.
  • Third, deterrence requires government reform. We need to elevate and empower existing cyber agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the executive branch and Congress. To that end, we recommend the creation of a National Cyber Director with oversight from new congressional Cybersecurity Committees, but our goal is not to create more bureaucracy with new and duplicative roles and organizations. Rather, we propose giving existing organizations the tools they need to act with speed and agility to defend our networks and impose costs on our adversaries. The key is CISA, which we have tried to empower as the lead agency for federal cybersecurity and the private sector’s preferred partner. We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top- level talent (and wins).
  • Fourth, deterrence will require private-sector entities to step up and strengthen their security posture. Most of our critical infrastructure is owned by the private sector. at is why we make certain recommendations, such as establishing a cloud security certification or modernizing corporate accountability reporting requirements. We do not want to saddle the private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data to the federal government. We are not the Chinese Communist Party, and indeed our best path to beating our adversaries is to stay free and innovative. But we need C-suite executives to take cyber seriously since they are on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.
  • Fifth, election security must become a priority. The American people still do not have the assurance that our election systems are secure from foreign manipulation. If we don’t get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up. We believe we need to continue appropriations to fund election infrastructure modernization at the state and local levels. At the same time, states and localities need to pay their fair share to secure elections, and they can draw on useful resources—such as nonprofits that can act with greater speed and agility across all 50 states—to secure elections from the bottom up rather than waiting for top-down direction and funding. We also need to ensure that regardless of the method of casting a vote, paper or electronic, a paper audit trail exists (and yes, we recognize the irony of a cyber commission recommending a paper trail).

The CSC stated

We didn’t solve everything in this report. We didn’t even agree on everything. There are areas, such as balancing maximum encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop. So please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private sector act with speed and agility to secure our cyber future.

The CSC stated that “[a]fter conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence.” The CSC explained that “[t]he desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence…[and] [t]he strategy outlines three ways to achieve this end state:

1. Shape behavior. The United States must work with allies and partners to promote responsible behavior in cyberspace.

2. Deny benefits. The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.

3. Impose costs. The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.”

The CSC made a host of recommendations generally but also linked some of the recommendations to legislative proposals drafted by CSC staff. However, these drafts have not yet been released even though the CSC claims “[l]egislative proposals are available online at www.solarium.gov. Nonetheless, the CSC made clear it does not necessarily support these proposals:

  • PILLAR 1: REFORM THE U.S. GOVERNMENT’S STRUCTURE AND ORGANIZATION FOR CYBERSPACE
    • Recommendation 1.2: Create House Permanent Select and Senate Select Committees on Cybersecurity
    • Recommendation 1.3: Establish a National Cyber Director
    • Recommendation 1.4.1: Codify and Strengthen the Cyber Threat Intelligence Integration Center
    • Recommendation 1.5: Diversify and Strengthen the Federal Cyberspace Workforce
  • PILLAR 2: STRENGTHEN NORMS AND NON-MILITARY INSTRUMENTS OF POWER
    • Recommendation 2.1: Create a Cyber Bureau and Assistant Secretary at the U.S. Department of State
    • Recommendation 2.1.4: Improve International Tools for Law Enforcement Activities in Cyberspace [Provide MLAT Subpoena Authority and Increase FBI Cyber ALATs]
    • Recommendation 2.1.5: Leverage Sanctions and Trade Enforcement Actions [Codify Executive Order 13848]
  • PILLAR 3: PROMOTE NATIONAL RESILIENCE
    • Recommendation 3.1: Codify Sector-specific Agencies into Law as “Sector Risk Management Agencies” and Strengthen Their Ability to Manage Critical Infrastructure Risk
    • Recommendation 3.1.1: Establish a Five-Year National Risk Management Cycle Culminating in a Critical Infrastructure Resilience Strategy
    • Recommendation 3.1.2: Establish a National Cybersecurity Assistance Fund to Ensure Consistent and Timely Funding for Initiatives  at Underpin National Resilience
    • Recommendation 3.2: Develop and Maintain Continuity of the Economy Planning
    • Recommendation 3.3: Codify a “Cyber State of Distress” Tied to a “Cyber Response and Recovery Fund”
    • Recommendation 3.3.2: Clarify Liability for Federally Directed Mitigation, Response, and Recovery Efforts
    • Recommendation 3.3.5: Establish a Biennial National Cyber Tabletop Exercise
    • Recommendation 3.3.6: Clarify the Cyber Capabilities and Strengthen the Interoperability of the National Guard
    • Recommendation 3.4: Improve the Structure and Enhance Funding of the Election Assistance Commission
    • Recommendation 3.4.1: Modernize Campaign Regulations to Promote Cybersecurity
    • Recommendation 3.5: Build Societal Resilience to Cyber-Enabled Information Operations [Educational and Awareness Grant Programs]
    • Recommendation 3.5.1: Reform Online Political Advertising to Defend against Foreign Influence in Elections
  • PILLAR 4: RESHAPE THE CYBER ECOSYSTEM TOWARD GREATER SECURITY
    • Recommendation 4.1: Establish and Fund a National Cybersecurity Certification and Labeling Authority
    • Recommendation 4.1.1: Create or Designate Critical Technology Security Centers
    • Recommendation 4.2: Establish Liability for Final Goods Assemblers
    • Recommendation 4.3: Establish a Bureau of Cyber Statistics
    • Recommendation 4.4: Resource a Federally Funded Research and Development Center to Develop Cybersecurity Insurance Certifications
    • Recommendation 4.4.4: Amend the Sarbanes-Oxley Act to Include Cybersecurity Reporting Requirements
    • Recommendation 4.5: Develop a Cloud Security Certification
    • Recommendation 4.5.1: Incentivize the Uptake of Secure Cloud Services for Small and Medium-Sized Businesses and State, Local, Tribal, and Territorial Governments
    • Recommendation 4.5.2: Develop a Strategy to Secure Foundational Internet Protocols and Email
    • Recommendation 4.5.3: Strengthen the U.S. Government’s Ability to Take Down Botnets
    • Recommendation 4.6: Develop and Implement an Information and Communications Technology Industrial Base Strategy
    • Recommendation 4.7: Pass a National Data Security and Privacy Protection Law
    • Recommendation 4.7.1: Pass a National Breach Notification Law
  • PILLAR 5: OPERATIONALIZE CYBERSECURITY COLLABORATION WITH THE PRIVATE SECTOR
    • Recommendation 5.1: Codify the Concept of “Systemically Important Critical Infrastructure”
    • Recommendation 5.1.1: Review and Update Intelligence Authorities to Increase Intelligence Support to the Broader Private Sector
    • Recommendation 5.1.2: Strengthen and Codify Processes for Identifying Broader Private-Sector Cybersecurity Intelligence Needs and Priorities
    • Recommendation 5.1.3: Empower Departments and Agencies to Serve Administrative Subpoenas in Support of Threat and Asset Response Activities
    • Recommendation 5.2: Establish and Fund a Joint Collaborative Environment for Sharing and Fusing Threat Information
    • Recommendation 5.2.2: Pass a National Cyber Incident Reporting Law
    • Recommendation 5.2.3: Amend the Pen Register Trap and Trace Statute to Enable Better Identification of Malicious Actors
    • Recommendation 5.3: Strengthen an Integrated Cyber Center within CISA and Promote the Integration of Federal Cyber Centers
    • Recommendation 5.4.1: Institutionalize Department of Defense Participation in Public-Private Cybersecurity Initiatives
  • PILLAR 6: PRESERVE AND EMPLOY THE MILITARY INSTRUMENTS OF POWER
    • Recommendations 6.1 & 6.1.3: Direct the Department of Defense to Conduct a Force Structure Assessment of the Cyber Mission Force / Review the Delegation of Authorities for Cyber Operations
    • Recommendation 6.1.1: Direct the Department of Defense to Create a Major Force Program Funding Category for U.S. Cyber Command
    • Recommendation 6.1.7: Assess the Establishment of a Military Cyber Reserve
    • Recommendation 6.2: Conduct a Cybersecurity Vulnerability Assessment of All Segments of the NC3 and NLCC Systems and Continually Assess Weapon Systems Cyber Vulnerabilities
    • Recommendation 6.2.1: Require Defense Industrial Base Participation in a Threat Intelligence Sharing Program
    • Recommendation 6.2.2: Require  Threat Hunting on Defense Industrial Base Networks
    • Recommendation 6.2.4: Assess and Address the Risk to National Security Systems Posed by Quantum Computing

It is unlikely that Congress will adopt most of these recommendations by turning them into statute, but the Administration will likely pick and choose those it will implement without obtaining new or further authority. However, these recommendations will serve to inform the debate on cyber-related issues going forward.