The Cyberspace Solarium Commission, a federally backed, lawmaker-led effort to develop cybersecurity policies shut down Tuesday night, having finished the term originally agreed to in the 2019 National Defense Authorization Act. The commission was prolific. Around 40 measures it suggested were codified into law, including creating the national cyber director position.
“If we were a centerfielder for the Washington Nationals, we’d be asking for about a $50 million a year contract based on our batting average,” said co-chairman Sen. Angus King, I-Maine, speaking with reporters to commemorate the end of what he and co-chairman Rep. Mike Gallagher, R-Wis., are now calling “Cyber Solarium 1.0.”
Leadership from the commission announced Tuesday that it would convert the commission and much of its staff into a Cyber Solarium non-profit to continue pursuing recommendations they were unable to previously pass into law.
During the Wednesday chat, Mark Montgomery, the executive director of the Cyberspace Solarium, said that all current commissioners would continue on to the new organization. Chris Inglis, who had started as a commissioner, left earlier this year to become national cyber director. The non-profit, nicknamed Cyber Solarium 2.0, was set up with King and Gallagher continuing as chairmen and Montgomery continuing as executive director.
Gallagher said believed that the success of the commission over the last two years, and it’s establishing or further establishing the lawmakers involved as “cyber guys,” will allow the solarium to continue to be effective, even if it is no longer technically a government project.
“There’s no question it’s not going to be the same as as 1.0,” he said. “You know, it’s going to be housed in a think tank, but I think because we’ve gotten the ball rolling with our colleagues…because we’re not starting from scratch. I’m still fairly confident that we’re going to be able to make progress next year.”
“Now, that being said, this year was harder than the year before. We’ve gotten all the easy things done. All the low-hanging fruit has been picked. So only the very difficult issues remain,” Gallagher said.
A lot of the high-profile issues backed by the solarium remain on the table. The commission still hopes to establish a designation and new resources for the most critical of critical infrastructure, SICI (Systemically Important Critical Infrastructure, pronounced “sticky”). A bureau of cyber statistics that would create sorely missing official data to use in policy discussions was another priority that did not cross the finish line.
Most prominently of all, a cyber incident reporting bill long assumed to be part of this year’s National Defense Authorization Act fell apart at the last minute. The law would have required businesses to notify the federal government after certain breaches. Lawmakers blamed Minority Leader Mitch McConnell for holding up the amendment that would have delivered incident reporting, with CyberScoop reporting that it been at the behest of Sen. Rick Scott, R-Fla., over the scope of which groups would be required to participate.
During the call with reporters, Gallagher said that the issues concerning scope boiled down to the participation of small and medium-sized businesses, and that he and King believed that issues were on their way to being sorted out, expecting a stand-alone bill early next year.
Incident reporting was one of the first cyber policies embraced widely on a bipartisan level this year by lawmakers as a potential response to the December 2020, Solarwinds espionage campaigns. While Mandiant had announced discovering a breach in its own network, kicking off a massive federal and private remediation effort, it had been under no obligation to do so. The company could have kept quiet, thereby allowing the espionage to continue indefinitely. As early as February, lawmakers including Sens. Mark Warner, D-Va., Marco Rubio, R-Fla., and Susan Collins, R-Maine, along with Reps. Jim Langivin, D-R.I., and Michael McCaul, R-Texas, where touting incident response as the solution.
Gallagher said on the call that the slow pace to obtain remaining priorities had less to do with ideology and more to due with bureaucracy. Cybersecurity authorities are split across dozens of different House and Senate committees, each which need to sign off on final versions of legislation.
“I didn’t see a substantive pushback on the merits. It was more just, you know, how do you work your way through all the different committees that have to sign off before the clock runs out,” he said of incident reporting not being ready for this years defense authorization.
Getting the sign-offs is a slow process that ultimately could be solved by creating stand-alone cybersecurity committees, with a stand-alone cyber spending package that require old committees to give up power they are unlikely to yield. While cyber select committees, like the current intelligence committees, were one of the solarium recommendations, King is openly pessimistic of the chances they might ever be created.
“it would be nice if we could have a cyber package every year, but frankly, this is national defense and having to ride as part of the National Defense Authorization Act to me, doesn’t I don’t find that a troubling process,” said King.
However the process evolves, King and Gallagher are happy with the progress they have made during the 1.0 years.
“I think there’s a tendency with committees like this to sort of conceive of the final report as the end point of the commission’s work,” said Gallagher. “We sort of thought of it as the midpoint, or maybe even the starting point to actually then turn those concepts into reality. And I think a lot of why we were able to get so many recommendations done was a result of that.”