“The problem is more urgent than it’s ever been, and people are getting that,” said Sen. Angus King (I-Maine), co-chairman of the Cyberspace Solarium Commission, which is modeled after an Eisenhower-era project to devise a strategic response to Soviet expansionism. “There’s a heightened level of understanding of the danger.”
The idea is to have a report with the impact of the 9/11 Commission — the independent, bipartisan panel established after the Sept. 11, 2001, attacks — before a “cyber 9/11” happens, said Rep. Mike Gallagher (R-Wis.), the other co-chairman.
One key proposal is to create a national cyber-director in the White House. That official, a Senate-confirmed position, would report to the president and have dozens of staff members and a budget — unlike past “cyber czars” who had a title, but no formal authority or independent budget.
Another proposal is to establish a permanent select committee on cybersecurity modeled after the congressional intelligence committees, which grew out of the Church Committee hearings in the 1970s to curb intelligence agency abuses.
Each idea is likely to meet some opposition from members of Congress or the White House. Lawmakers on existing oversight committees, such as Homeland Security and Armed Services, might balk at losing some of their jurisdiction. The national security adviser probably would oppose such a proposal, fearing that it could undermine his authority and influence, according to a commission official, speaking on the condition of anonymity to be candid.
But it is important to lay down a marker, King and Gallagher said. Moreover, four commission members who support the proposals serve on key committees. King sits on the Senate Armed Services and Intelligence panels; Sen. Ben Sasse (R-Neb.) also sits on the Intelligence Committee; and Gallagher and Rep. Jim Langevin (D-R.I.) serve on their chamber’s Armed Services panel. Langevin is also on the House Homeland Security Committee.
“I just believe deeply that having someone who gets up every morning whose job it is to think about this, organize it, knows what’s going on all over the federal government, is what’s going to make things change,” King said of the proposal to create a national cyber-director. The position would be analogous to the U.S. trade representative, an official with clout, he said.
A major cyberattack causing death and destruction has been routinely predicted for more than 20 years, yet has never occurred. At the same time, the United States and Western allies have been victims of numerous incursions that, while often brazen, fall short of acts of war.
Such assaults include North Korea hacking Sony Pictures, releasing embarrassing internal emails and effectively destroying the company’s computers; Russia hacking Democratic Party emails and dumping them online to sow confusion in the 2016 presidential election; and China stealing massive amounts of intellectual property from U.S. companies.
An effective strategy should take into account the true nature of the threat and the reasons a particular adversary conducts a cyberattack, said James A. Lewis, senior vice president at the Center for Strategic and International Studies.
“Understanding why a disastrous cyberattack has never happened and how our opponents think is essential for developing an effective response,” said Lewis, who co-authored a 2008 cybersecurity report for the incoming Obama administration.
Former White House cybersecurity coordinator Michael Daniel called the report “well-constructed, coherent and thorough” and said that although many of the ideas are not new, that “doesn’t mean they are not the right way to go about it.”
Daniel, who left office in January 2017 and helped refine the commission’s recommendations, supports the proposals for a cyber-director position and a new oversight committee, which would consolidate duties now shared by a range of panels. “Unlike the executive branch,” he noted, Congress “has not done much reorganizing to deal with cyber” challenges.
Another recommendation that could have significant impact is to bolster the State Department’s role in cybersecurity by elevating the top cyber position there, creating an assistant secretary in charge of a new Bureau of Cyberspace Security and Emerging Technologies. That would give the United States more leverage in its effort to, as the commission report states, “develop and reinforce international norms” in cyberspace.
Other notable proposals include investing more resources in the Homeland Security Department’s Cybersecurity and Infrastructure Agency; creating a certification authority to serve as an “Underwriters’ Laboratory” that would indicate that a product has met security standards; and requiring publicly traded companies to demonstrate to the Securities and Exchange Commission that they have conducted cyber risk assessments that include penetration-testing.
The executive branch is required to submit a response within 60 days of the report’s submission to Congress, which will take place at a hearing at the end of March.