A major report released March 11 recommending an overhaul of U.S. cyberspace policy calls for reforming how the federal government is organized to tackle cyber issues, from Congress to the Department of Homeland Security.
The Cyberspace Solarium Commission’s final report, which includes 75 policy recommendations formed by a group of 14 government and nongovernment cyber experts, suggests changing current U.S. strategy in cyberspace to one of “layered deterrence.” Restructuring the government is a critical piece of that effort.
“Structure is policy,” said Sen. Angus King, I-Maine, and a co-chair of the commission, which was mandated by the fiscal 2019 defense policy bill.
Underpinning the effort is a recommendation that the executive branch release a new National Cyber Strategy focused on the concept of layered deterrence: a three-pronged approach guiding the entirety of the report. Any effective strategy, the commissioners wrote, “will require a coordinated effort across … the federal government, state and local governments, and the private sector.”
The report also suggests the creation of a Senate-confirmed National Cyber Director to be housed in a new Office of the National Cyber Director at the White House. The director would oversee the integration of cybersecurity policy across the federal government rather than manage daily operations of agencies. The coordinator would also be the president’s adviser on cybersecurity and emerging technologies and a member of the National Security Council.
U.S. officials acknowledge that their current deterrence strategy isn't working. With several nation-state presenting threats to the 2020 election, how should deterrence policy change?
Of course, the remaining question on executive branch reforms is whether the White House is receptive to it. In the week’s leading up to the report launch, commissioners said that they thought the report would be successful because of the executive branch’s participation, which led to recommendations that were actionable, not aspirational. But asked at the report’s launch event on Capitol Hill March 11, the commissioners expressed it was unclear what the reaction of the White House would be.
“Whether the White House will welcome this proposal, I don’t know,” said Rep. Mike Gallagher, R-Wisc., and commission co-chair.
He added, “We will have to make a case on the merits to [National Security Adviser] Robert O’Brien … But we hope to be able to win them over to our view of the world.”
Revamping the oversight functions on cybersecurity issues in Congress was also a priority for the commission, which recommended that Congress consolidate cybersecurity oversight committees into two permanent select committees on cybersecurity in both chambers. The new committees would have jurisdiction over the “broad integration of systemic cybersecurity strategy and policy both within government and between the government and the private sector.”
Currently, most, if not all, committees in Congress have jurisdiction over cybersecurity-related issues. Asking powerful members of Congress to relinquish some of their committee power is a big ask. Rep. Jim Langevin, D-R.I., said that Congress needed to create the committees in order to tackle cyber issues with “greater agility.”
“Things move far too slowly and oversight and coordination is just too diffuse,” Langevin said. “We need something that is more comprehensive and substantive.”
The report recommends that Congress reestablish the Office of Technology Assessment, which was dissolved in 1995, to advise the legislative branch on tech-relate issues.
“The scientific and technology challenges facing policymakers are only becoming more complex, and Congress would benefit from the agility, depth, breadth and objectivity of insight and analysis provided by an office focused on technology,” commissioners wrote.
This is the story of how, in two short years, a new cybersecurity strategy has forced the national security community to rethink cyber operations and how "persistent engagment" will work.
The commissioners called on Congress and the executive branch do establish and implement policies focused on recruiting, developing and retaining cyber talent in federal jobs. The government, the report recommends, should also improve “cyber-oriented education” by developing K-12 classroom resources for learning and training, as well as expanding several other student outreach programs.
The report makes several recommendations to improve the federal government’s coordination with the private sector. That effort largely increases authorities for the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security because of its “unique position” to collaborate with the private sector.
The report suggests creating a new assistant secretary of state position at the State Department to lead international outreach and work on establishing norms in cyberspace through a new office called the “Bureau of Cyberspace Security and Emerging Technologies.”
Other reforms include creating a “cyber state of distress” declaration that would unlock funds from a “Cyber Response and Recovery Fund” for state and local governments. It also recommends creating “Bureau of Cyber Statistics” within the Department of Commerce, similar to the Bureau of Labor Statistics, to track frequency and severity of cyberattacks on U.S. government and the “broader marketplace” to improve policymaking.
The current lack of the bureau “limits the ability of the government to evaluate the effectiveness of its cybersecurity programs and prevents private enterprises and insurance providers from being able to adequately price, model, and understand cyber risk,” the report says.
Members of Congress on the commission hinted that they want to get several recommendations implemented through the next annual defense policy bill.