The Cyberspace Solarium Commission, a group of government and non-government cyber experts, will recommend Congress increase the power of the executive branch in responding to significant cyber events, create a cyber emergency fund and strengthen the federal government’s relationship with the private sector.
While commissioners have refused to offer specific details about their recommendations until the report is released later this month, four commissioners attending a Foundation for the Defense of Democracies event March 5 discussed concepts included in the report.
Rep. Mike Gallagher, R-Wisc. and co-chair of the commission, said the group wants to give the president the authority to declare a “cyber state of distress,” which would unlock access to a “cyber response and recovery fund.”
“This new mechanism ... would allow states, local, tribal and territorial governments access to enhanced federal expertise and resources that they currently don’t have right now,” Gallagher said.
The commission will release 75 cyber policy recommendations March 11 to reshape how the federal government approaches cyber issues. The report is expected to cover topics ranging from how cyber jurisdictions are organized inside the federal government to the role of the private sector in cyber deterrence.
While there is also debate about whether the federal government should centralize which agencies have jurisdiction over cybersecurity, commissioners indicated that the report will not recommend a standalone cybersecurity agency.
Suzanne Spaulding, a commissioner and former top cyber official at the Department of Homeland Security, said that sector-specific agencies should retain their cyber jurisdictions because cyber issues touch every aspect of life in the United States. In order to manage risk and mitigate threats, federal agencies must serve as sector-specific risk management experts.
“You really need deep sector expertise to be able to do that ... your IT specialist can no more tell you about the impact on your business from a significant cyber incident than the electrician can tell you the impact on your business if the power goes out,” Spaulding said. “You need that sector-specific expertise.”
Meanwhile, the report aims to lay out an effective deterrence strategy. Commissioners see the private sector as a primary partner and one with sector-specific expertise.
The report will detail the steps the federal government needs to take to strengthen relationships with the private sector to better understand cyber threats. One ongoing challenge is that while the government needs to protect critical infrastructure, such as utilities, that infrastructure is largely run by private companies.
“So much of what we need to know resides in the private sector,” said Samantha Ravich, chairman of FDD’s Center on Cyber and Technology Innovation and a commissioner. “And until this point in time there’s been a disconnect between ... how [the government] think[s] about the threat and how they prioritize what needs to be done about it, and how the private sector is battling its way in this battle space with, frankly, not all the tools it needs to be able to protect itself.”
Ravich also said members discussed the role of military cyber reserves. While reservists would work in the private sector in peacetime, calling them up for duty would likely mean the United States was involved in an overseas conflict. But that raised a key question for commissioners.
“Do we want these people, now with the military, to be deployed overseas when we have rolling outages?” Ravich said. “So maybe the best place for them is still working” in the private sector.