The Cyberspace Solarium Commission’s Mandate to Fix Congressional Oversight

By Carrie Cordero, David Thaw
Wednesday, March 18, 2020, 8:00 AM

The report of the Cyberspace Solarium Commission is finally out—and it provides a fresh look at congressional oversight on cybersecurity.

Congress established the commission as part of the 2019 John S. McCain National Defense Authorization Act. Co-chaired by Sen. Angus King and Rep. Mike Gallagher, the commission was charged with “develop[ing] a [bipartisan] consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” Its report, which was released March 11, makes more than 75 recommendations for both government and the private sector to improve the nation’s defenses against cyberattack and malign cyber activity. We write to highlight the aspect of the report focused on improving Congress’s role in overseeing the government’s activities to better protect the nation from cyberattack and malign cyber activity.

Earlier this year, we released a briefing paper, Rebooting Congressional Cybersecurity Oversight, as part of an ongoing series of publications by the Center for a New American Security focused on congressional oversight of intelligence. (The first two papers in that series are available here and here.) In our January paper, we made two relatively modest recommendations for prompt action by Congress. First, we recommended that Congress devote immediate energy to bolstering the cybersecurity of the upcoming 2020 presidential election, including further consideration of pending legislation. Second, we recommended the establishment of a short-term, select committee of Congress, in order to better coordinate oversight and inform legislation intended to improve the nation’s cybersecurity posture. Ideally, we observed, this would take the place of a joint select committee. As we observed:

[T]he most prevalent oversight shortcoming is the lack of congressional coordination focused on cybersecurity. Thus, we recommend the establishment of an interim joint select committee to begin work in the 117th Congress, which will commence in January 2021. Ideally, this would take the form of a joint select committee with combined House and Senate membership, and equal numbers from each political party. A select committee could be charged not only with initiating direct inquiries, but also with coordinating the activities of other committees that relate to cybersecurity issues. The committee, in addition to coordinating across both chambers, could be charged with producing specific reports or proposed legislation by a given deadline. We propose that this committee be a true “select” committee—one with a short-term duration to tackle a specific problem, not a “select” committee that becomes a de facto permanent one (like the intelligence committees). Although not a joint committee, the model set by the House Select Committee on the Modernization of Congress appears to be one of bipartisanship and success in staying on task with visible progress toward its mandate. Moreover, the select committee can pick up on the forthcoming recommendations provided by the report of the Cyberspace Solarium Commission to ensure that the baton is not dropped after their work concludes.

The Cyberspace Solarium Commission has recommended, as an alternative, permanent select committees—one in each chamber of Congress, explicitly modeled on the intelligence committees. Though we did not recommend permanent select committees, we are not at all opposed to the idea. We are glad to see the commission tackling the problem of coordinated oversight—a vital issue in cybersecurity.

The Patchwork Mismatch of Cybersecurity Legislation

Coordinated, dedicated congressional oversight is necessary because cybersecurity is a complex, interdisciplinary problem that reaches far beyond technical challenges. It spans many disciplines and industries, yet the legal and institutional frameworks for managing cybersecurity are disparate, lack sophisticated coordination and often split along disciplinary or industrial boundaries. The result is what we term a “patchwork mismatch” of divided risk management strategies and legal authorities attempting to mitigate a complex challenge. This patchwork integrates topics including international affairs, national security and defense, criminal law, economics, psychology, civil liability, data protection, and privacy and usability—among other disciplines.

Elements of the existing cybersecurity legal framework can—at a highly generalized level—be grouped into two categories: (a) authorities directed at the conduct of governmental entities; and (b) authorities directed at the conduct of nongovernmental entities. This distinction is important because the two categories often are conflated in cybersecurity discussions at both the technical and legal levels, and because they address substantially different portions of the cybersecurity picture. Yet understanding the interaction between these categories also is critically important, given that estimates place the vast majority of the U.S. critical infrastructure as wholly within or largely managed by the private sector.

The first category addresses the activities of entities like the Department of Defense, the Department of Homeland Security and the Department of Justice in taking offensive, defensive, coordination, mitigation and investigative actions. These are the agencies most often looked to following a major cybersecurity event, and the agencies that private actors often expect to receive “protection” from—particularly against attacks by foreign-based adversaries. These perceptions and expectations are understandable, given that the three agencies are tasked with similar responsibilities in the physical (or kinetic) world.

Yet the reliance on specific institutions is flawed, because it applies traditional political and institutional boundaries to a domain that is not similarly constrained. The architecture of the public internet is such that it is (nearly) borderless. As a result, the view that cybersecurity problems can be managed by a particular agency (or even agencies) is insufficient, both legally and technologically.

This brings us to the second category of cybersecurity regulatory authorities—those directed at nongovernmental entities. Because the private sector controls or operates such an overwhelming majority of critical infrastructure in the U.S., and because governmental entities cannot defend against cyberattacks and other malign cyber activities alone, the role of the private sector becomes critical in maintaining an adequately secure national information and technology infrastructure. Yet the authorities for regulating and supporting private entities’ cybersecurity efforts at the federal level are disparate at best. They range across financial regulatory agencies, the Department of Health and Human Services, the Federal Trade Commission and other sector-specific regulatory agencies. Furthermore, the authorities granted to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are insufficient for the agency to meaningfully coordinate cybersecurity efforts across governmental entities such as the Defense Department, the Justice Department and Homeland Security, let alone to coordinate the activities of the private sector and its regulators. Notably, the Cyberspace Solarium Commission made substantial recommendations in its report to strengthen CISA going forward.

This disparate governmental and nongovernmental framework makes crafting legislation hard. And it makes oversight hard, too. Currently, there is no single congressional committee, or even group of committees, with jurisdiction over all the pieces of the cybersecurity puzzle. As our paper notes, in the 115th Congress there were at least 56 different hearings on cybersecurity topics in at least 17 different committees spread across both chambers. The lack of a coordinating function among these committees has limited Congress’s ability to obtain a comprehensive picture of the cybersecurity problem. After all, without any coordination, it’s challenging to craft legislation that takes into account all the moving pieces necessary to develop the comprehensive responses and risk management structures needed to address the myriad vectors through which adversaries can execute attacks.

A Path Forward

Having previously recommended that Congress take on oversight of cybersecurity matters as a comprehensive matter, we were delighted to see the commission come to a similar conclusion: that coordinated, consistent, persistent congressional leadership is required in order to push through legislation and conduct thorough oversight of executive branch cybersecurity activities. Indeed, the commission report states that the current structure “prevents Congress from effectively providing strategic oversight of the executive branch’s cybersecurity efforts or exerting its traditional oversight authority for executive action and policy in cyberspace.”

There is a small gap between what we recommended (a short-term, joint select committee), and what the commission recommended (a permanent select committee in each chamber). We did not recommend permanent select committees because we feared that recommendation would get bogged down in institutional resistance, and the result would be complete inaction. Our goal was to make a pragmatic recommendation that is substantively valuable and politically feasible. Thus, we recommended the temporary committee as an interim solution.

Now, we view our approach as a useful bridge to implementing the commission’s recommendation. Because we expect that there will be entrenched institutional resistance to creating permanent oversight committees, a short-term select committee could serve as a stepping stone to permanent committees. We expect that once a temporary committee demonstrates its value, Congress will see the wisdom of making the change permanent.

With respect to the expected, entrenched resistance to the proposal to create select committees of oversight in Congress, within the legislature, existing committees will likely have concerns on jurisdictional grounds—a generalized complaint that stymies modernization of congressional oversight on most any topic. Foreseeing this response, the commission proposes to scope the jurisdiction in a way that focuses on empowering the new committees to “consider legislation, hold hearings, subpoena witnesses, and consider nominations relevant to improving the United States’ public and private systemic cybersecurity against domestic and foreign risks[.]” The commission purposefully does not propose that the new committees interfere with the oversight conducted by the armed services committees and the intelligence committees. The commission also recommends that, in order to retain expertise, its proposed committees be exempt from term limits.

From the executive branch, there will likely also be generalized objections to more demands from Congress for documents, witnesses and responses to inquiries from yet additional committees. But the proposal to consolidate oversight may lessen the burdens on the executive branch because presumably there will not be as many committees holding hearings and making demands for information about cybersecurity; instead, there will be a designated committee of expertise.

Finally, bipartisanship is an essential component in overseeing a coherent body of cybersecurity law positioned to protect the country from cyberattack and malign cyber activity. The commission itself modeled effective bipartisanship through its proposed allotment of membership from each party, and issuance of one report, without individual or dissenting views. We recommended that our proposed joint committee include equal numbers of members of each party; the commission recommends that its two proposed committees model the intelligence committees’ proportions and distributions.

Whether Congress adopts an interim proposal or goes full steam ahead with permanent select committees, it is imperative that the legislature address the commission’s proposals. It would be a profound shame for Congress to abandon the extensive work provided by the commission without putting the recommendations into practice. The individual members and staffs of the commission co-chairs will have limited ability to drive a broad legislative agenda forward. Modernizing Congress’s own ability to address oversight and legislation for today’s threats, including those in cyberspace, is essential.