During a videoconference on May 13, the Cyberspace Solarium Commission made its case to Congress that the U.S. should adopt a strategy of layered cyber deterrence, a three-pronged plan to reduce the frequency of and the damage wrought by cyberattacks targeting America. The commission’s proposal follows 11 months of intense internal deliberation. During that time, the task force worked to answer the question Congress established it to address: What strategic approach should the federal government take to defending the United States in cyberspace?
On March 11, the commission unveiled its vision in an exhaustive report detailing the concept of layered cyber deterrence. The commission’s members—two senators, two representatives, four executive branch officials and six private experts—packed the report with scores of policy recommendations, including 57 legislative proposals, which delineate exactly how to execute the novel cyber strategy.
The report’s recommendations are designed to be turned into bills, ushered swiftly through Congress, and implemented. To that end, the commission transmitted its legislative proposals directly to the relevant House and Senate committees, some of which have begun the work of incorporating the commission’s ideas into legislation.
But more than two months passed between the release of the commission’s report and the first time the task force got to discuss its proposals in public testimony before lawmakers.
Of course, Congress has had no shortage of issues vying for its attention—chief among them the question of how to provide relief to the country during the coronavirus pandemic. But as lawmakers left the Capitol in late March to adhere to social-distancing guidelines and work from home, they largely failed to adopt new processes to allow their chambers to conduct votes and other proceedings remotely. This has meant that crucial hearings, such as those on the Cyberspace Solarium Commission, have had to wait. Most—including a hearing the Senate Armed Services Committee planned to hold on March 25 on the commission’s report—have yet to be rescheduled.
In a virtual roundtable on May 13, however, the Senate Homeland Security and Governmental Affairs Committee heard testimony on the task force’s findings from the commission’s co-chairs, Sen. Angus King and Rep. Mike Gallagher, and two of its commissioners, Suzanne Spaulding and Tom Fanning. In their joint opening remarks, the witnesses argued that the U.S. should embrace and Congress should enact the strategy of layered cyber deterrence.
That strategy comprises three layers, each of which the commission outlines in detail in its report. The first layer aims to deter cyberattacks by “shaping behavior” in cyberspace. It calls on the U.S., its allies and its partners to model, promote and enforce norms of responsible cyber conduct—decreasing the incidence of major attacks and smaller-scale intrusions through multilateral diplomacy, sanctions, indictments and, when possible, international extradition.
The second layer, the report notes, requires the U.S. to “deny benefits” to adversaries by securing “critical networks,” such as government servers, regional electrical grids, election software, and the systems that undergird the financial services and telecommunications industries. Making these networks less penetrable and ensuring they can recover quickly from cyberattacks, the commission argues, will minimize the havoc that hackers can wreak on the U.S.
The third and final layer of the proposed cyber strategy calls on the government to “impose costs” on American adversaries by maintaining “the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.” The White House must be prepared, in other words, to direct the National Security Agency and Cyber Command to strike back forcefully if necessary.
Taken together, the strategy’s three layers aim to reduce the “probability and impact of cyberattacks of significant consequence,” the report states. That is the goal of a layered cyber deterrence strategy.
But while the layers of the strategy are distinct, each shares a foundational need. In order to shape behavior, deny benefits, and impose costs in cyberspace, the report argues, Congress must “reform how the U.S. government is organized.” Current “government structures and jurisdictional boundaries,” the report continues, “fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations.”
To enhance the speed and efficiency with which the federal government tackles issues related to cybersecurity, the commission makes several structural recommendations. First, it suggests that Congress create an Office of the National Cyber Director, which would be led by a Senate-confirmed national cyber director and reside within the Executive Office of the President, much like the Office of the U.S. Trade Representative. In the report’s words, the national cyber director would serve as “the President’s principal adviser for cybersecurity-related issues” and “lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” Second, the report proposes that Congress create House permanent select and Senate select committees on cybersecurity “to provide integrated oversight of the cybersecurity efforts dispersed across the federal government.” And third, the report urges Congress to give the Cybersecurity and Infrastructure Security Agency (CISA) significantly more resources and additional authorities as the agency works to ensure critical networks can recover quickly from cyberattacks and serves as the “central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.”
The commission argues, however, that reforming the structure of the U.S. government is but a first step in the right direction. Throughout its report and Wednesday’s testimony, the commission stressed repeatedly that the federal government and the private sector must work hand in hand to enhance America’s cybersecurity. As the report notes, the private sector owns the majority of America’s critical infrastructure. A destructive attack on privately owned networks would disrupt both Americans’ daily lives and the proper functioning of the economy. To prepare for that eventuality, the commission urged the federal government and the private sector to jointly develop a “Continuity of the Economy” plan.
The commission also urged Congress to establish a “Joint Collaborative Environment,” an information-sharing platform that would allow the federal government and the private sector to pool their knowledge of cyber threats. As the commission explained in its report, this “cloud-based” platform would make “the federal government’s unclassified and classified cyber threat information, malware forensics, and network data from monitoring programs … commonly available for query and analysis—to the greatest extent possible.” That platform would contain a similarly massive trove of information and insight from the private sector. The hope, the commission wrote, is that such a program “would make real the promise of a ‘whole-of-government’ and public-private approach to cybersecurity.”
From the outset of the hearing, senators expressed interest in incorporating some of the commission’s legislative proposals into the fiscal year 2021 National Defense Authorization Act (NDAA).
Sen. Ron Johnson, the committee chairman, began by highlighting a bill he and Sen. Maggie Hassan introduced, the Cybersecurity Vulnerability Identification and Notification Act, which the commission has urged Congress to pass. That act would give CISA the authority to issue administrative subpoenas to internet service providers, compelling those providers to disclose to the agency the identity of the owner of a particular online system or device on which the agency has detected vulnerabilities.
Suzanne Spaulding—a witness at the roundtable and the former head of the Department of Homeland Security directorate that became CISA—explained that endowing CISA with the ability to issue administrative subpoenas would fill an important gap in the agency’s current authorities. While the agency “has the tools to scan the Internet for known vulnerabilities” in public-facing systems, she explained, it often cannot “identify … who owns that system so that we can reach out to them and warn them.” The entities that have that information, she added, are the internet service providers. Giving CISA the authority to subpoena service providers would thus enable the agency to determine exactly who owns a vulnerable system and to notify the owner, who then could eliminate the vulnerability.
In his opening statement, Johnson said he also hoped to incorporate a bill establishing the Office of the National Cyber Director into the 2021 NDAA. While other senators voiced support for creating that office, Sen. James Lankford worried that the office would serve the same function as CISA. “Congress has a really bad habit,” Lankford suggested, of creating new bureaucracy to solve problems that existing government agencies can address.
Rep. Gallagher, one of the commission’s co-chairs, sought to distinguish between the role CISA plays and the function the commission hopes the national cyber director will serve. Whereas CISA exists to defend critical infrastructure and government networks from cyberattacks and intrusion, Gallagher said, the national cyber director will serve “a more coordinating function—making sure that CISA … is working well with NSA [the National Security Agency], with CYBERCOM [Cyber Command].” Part of the advantage of a national cyber director, Gallagher continued, would be that individual’s “proximity to the president,” which “would hopefully enhance their ability … to do long-term planning as CISA” hunts for vulnerabilities and protects critical infrastructure “on a day-to-day basis.”
Seeking to further clarify the differences between CISA and the national cyber director, Spaulding added that CISA serves a defensive function and oversees cybersecurity only across the civilian government agencies. The national cyber director, by contrast, would “bring together the defensive and the offensive planning to make sure that those things are coordinated.” That individual, she summarized, would manage the “whole-of-government” strategy, including the “Title 50, … intelligence, and Title 10 [Defense Department] authorities.”
Though Spaulding and Gallagher made a spirited case for the post of national cyber director, Lankford remained hesitant. Turning his attention next to the commission’s proposal that the House and the Senate establish new cybersecurity committees, the senator repeated his doubts about the wisdom of creating additional government bodies where existing ones might suffice. While Lankford conceded that jurisdiction in Congress over issues related to cybersecurity is scattered across numerous committees in each chamber—indeed, he joked that the current overall congressional committee structure seemed to have arisen “more accidental[ly] than by design”—the senator wondered whether it would be easier simply to strip jurisdiction of cyber-related issues from all congressional committees and place them in a single, already-existing committee in each chamber, rather than create new cyber panels.
Sen. King maintained that establishing select cybersecurity committees is the better option. “The analogy,” King told Lankford, “is to the intelligence committees, because they didn’t exist before the late 70s. And there was a realization after the Church Committee that there was a real need to have one committee with special expertise in a fairly technical area …. I think this is a moment, like the 70s, where there’s a specialized area that’s incredibly important to the future of the country.” This requires new committees.
King added that the commission discussed the possibility of drawing the membership for the new cybersecurity committees from the leadership of existing committees that deal with cyber policy, such as the House and Senate Armed Services, Intelligence and Homeland Security panels. The senator also suggested that creating select committees could break the congressional gridlock currently preventing lawmakers from passing sorely needed cybersecurity legislation. “I don’t want to go home after a cyberattack,” King said, and admit that “there were a couple of bills” that might have prevented the incident, “but there were four different committees that had jurisdiction” and Congress could not get anything done.
Still, King recognized that the effort to establish new committees will face stiff resistance. “I realize that jurisdiction is life around here,” he stated. Johnson wondered whether the proposal would gain any ground at all. In 2018, the senator noted, the Senate Homeland Security Committee passed a bill to establish a legislative commission to study how to streamline congressional oversight of the Department of Homeland Security. Although estimates vary, some experts believe that responsibility for oversight of that agency is dispersed across as many as 92 congressional committees and subcommittees. But the 2018 bill failed to pass. “We couldn’t even get that simple commission established into law,” Johnson lamented.
If lawmakers rejected a bill that sought only to study how to streamline congressional oversight, it seems unlikely that they will support either the commission’s proposal to create new cybersecurity committees or Lankford’s proposal to strip jurisdiction over cyber policy from all committees and vest that authority in a single, already-existing panel in each chamber.
Though committee members and commissioners spent much of the roundtable debating the federal government’s structure and the steps it can take to protect itself in cyberspace, Hassan sought to redirect the roundtable’s attention to the question of how state and local governments should defend themselves against cyberattacks. Indeed, the senator went as far as to criticize the commission for being “relatively quiet” on the issue of how the federal government should aid its state and local counterparts. King rejected that criticism, pointing Hassan to the task force’s recommendation that Congress pass a law creating a federal declaration called a “Cyber State of Distress.” As the commission explains in its report, that declaration would give state, local, tribal and territorial governments—as well as the private sector—access to federal funds and resources to help them prepare for, beat back or recover from a cyberattack that exceeds their ability to respond.
King qualified, however, that the commission does not want to “relieve the states of their own obligations to protect their own networks.” Accordingly, the commission advocated in its report for the establishment of a National Cybersecurity Assistance Fund. That fund—which would be administered by the Federal Emergency Management Agency and directed by CISA—would give state, local, tribal and territorial governments access to grants “for projects and programs aimed at systematically increasing” the security and resilience of their networks, the report said. But to ensure state and local governments invest in these cybersecurity programs, too, the federal grants would require states to commit “matching funds,” King said.
The “matching funds” arrangement, the commission’s report illuminates, would require a local government to gradually increase the amount of money it spends on cybersecurity until the funds it invests are equal to the amount of federal grant money it receives under the National Cybersecurity Assistance Fund. Cybersecurity must be “a shared responsibility,” King concluded.
The commission also issued recommendations to enhance the security of state, local, tribal and territorial election systems. In its report, the commission argued that Congress should appropriate a steady stream of grant money to “ensure that states implement voter-verifiable and paper-based voting systems, as well as post-election audits.” And the task force suggested that Congress make changes to the Election Assistance Commission, the federal agency that certifies voting systems and supports state and local governments’ administration of elections. Most notably, the commission urged Congress to amend the Help America Vote Act to add a fifth commissioner to the Election Assistance Commission. That commissioner would vote “exclusively on issues of or relating to cybersecurity” and provide the “technical expertise [needed] to enact urgent reforms to protect the integrity of voting systems,” the report stated.
To increase cybersecurity protections for smaller entities such as local governments, businesses and individuals, the commission also urged Congress to create a National Cybersecurity Certification and Labeling Authority, which would evaluate and rate the security of particular information and communications technologies. Spaudling argued that the authority’s ratings would increase entities’ and individual consumers’ understanding of the safety of the devices they buy and use, and encourage them to embrace products they know to be more secure.
In an exchange with Sen. Kyrsten Sinema, Spaulding suggested that the case for a National Cybersecurity Certification and Labeling Authority has grown only stronger during the coronavirus pandemic. As social-distancing guidelines force many Americans to work from home, Spaulding stated, “everyone is using their home routers and Wi-Fi networks to interact.” This technology, including the webcams used for videoconferences and meetings, is known to be vulnerable to cyberattacks and intrusion. The proposed labeling authority would help Americans evaluate their devices “from a cybersecurity perspective,” Spaulding said, and empower businesses to choose the safest equipment and platforms for their work.
As the private sector increasingly stores its data in cloud-based services, King added in an exchange with Sen. Jacky Rosen, a certification and labeling authority could also develop a “security standard so that companies and governments … can have some knowledge, some assurance, that they’re dealing with a secure service.”
Though the committee engaged thoroughly with the commission’s policy recommendations, it dwelled little on the strategy the commission articulated in its final report. No lawmaker explicitly embraced the concept of layered cyber deterrence. No senator questioned the premise of the strategy, that deterring cyberattacks is possible, despite Gallagher’s mentioning that the commission engaged with experts who believe it is not. And no committee member addressed the first recommendation that appears in the executive summary of the commission’s report, which suggests that the executive branch “issue an updated National Cyber Strategy that reflects the strategic approach of layered cyber deterrence.”
So while senators vowed to work with their colleagues to pass a number of the commission’s recommendations into law, even as soon as in the 2021 NDAA, the roundtable ended with a great deal of uncertainty about the status of America’s cyber strategy. It remained unclear, on the whole, whether senators would embrace the strategic approach they created the commission to develop, or whether they would enact discrete policy responses to address growing cybersecurity problems without adopting or sufficiently considering the commission’s guiding framework.