- The Cyberspace Solarium Commission (CSC) expired Tuesday after two and a half years of advocating for federal cybersecurity measures and proposing legislation.
- Established in the National Defense Authorization Act (NDAA) for FY2019, it was reauthorized through FY2021 after 26 of its recommendations and 50 cyber provisions were included in the NDAA for this year. It was the first time so many cyber provisions made it into the annual defense bill.
- The CSC will move on to a "Solarium 2.0," a nonprofit organization that will continue to advance cybersecurity issues through Congress while also exploring new territory, such as recovering ransom funds, said Rep. Mike Gallagher, R-Wis. and co-chair of the CSC, during a press call Wednesday. "Because we're not starting from scratch, I'm still fairly confident that we're going to be able to make progress next year."
The CSC was created to advance cybersecurity strategy and legislation. Two of the CSC's greatest accomplishments, via the NDAA, were:
- Establishing the office of the national cyber director, a role filled by a commissioner of the CSC, Chris Inglis
- Providing the Cybersecurity and Infrastructure Security Agency (CISA) with various authorities to better position the agency as the federal lead in private sector collaboration
Despite the commission's overall success, the CSC's "unfinished business" includes establishing a joint collaborative environment, institutionalizing the Cyber Diplomacy Act within the State Department, establishing a bureau of cyber statistics, and codifying critical infrastructure into law.
"The problem is [cyber] crosses so many different committee jurisdictions that it is very hard to get sign-off from various chairmen and ranking members," said Gallagher.
The NDAA is a guaranteed piece of legislation, making it an ideal mechanism to pass cyber legislation. But upwards of 80 committees have jurisdiction over cyber. Last year the CSC sought 180 approvals across House and Senate committees and subcommittees for its recommendations to make it into the NDAA, Sen. Angus King, I-Maine and co-chair of the CSC, said during the call.
One of the recommendations the commission tried to pass in the FY2022 NDAA was to establish a joint collaborative environment to better facilitate information sharing between the public and private sectors, the CSC's report said. The recommendation faced barriers in the Intelligence Committee.
"Let's say you need four subcommittees to sign off, that's eight, Republicans and Democrats on both sides. And then you've got the full committees, and so you end up with about 10 or 12 sign-offs," said King. However, if the tenth sign-off wants to make a change, the process cycles back to the beginning to seek clearance from the other committees with the new change.
"We're dealing with a subject that everybody has an interest in," King said. "I don't necessarily think that's a bad thing," especially with high-profile cyberattacks of the last year impacting everyday consumers. But the prospect of an eventual NDAA-like bill exclusively for cyber is unlikely, according to King. Because cybersecurity is a component of national security, having it remain a component of the NDAA is not a "troubling process," he said.
One of the CSC's recommendations is to establish House and Senate select cybersecurity committees, which would "provide integrated oversight" of cyber "dispersed across the federal government," the report said. But it's "very difficult to convince sitting committee chairmen and ranking members to give up their authority" over cyber, said Gallagher.
For example, one of the most anticipated — and expected — rules for FY2022 was mandatory incident reporting, but it failed to make it into the NDAA. "We were very, very close" to including incident reporting, which "was pretty clear throughout and one objection was raised at the end about ransomware by one senator, and that really derailed it for the moment," King said.
"It's clearly one of the major pieces of unfinished business," said King, "which we should be able to work through early in the new year."