What to expect from the Cybersecurity Solarium Commission report

A bipartisan congressional committee is urging the federal government to enact a sweeping set of cybersecurity upgrades in order to modernize American defenses on issues ranging from 5G security to stopping intellectual property theft and mitigating ransomware attacks.

The Cybersecurity Solarium Commission on Wednesday released 75 recommendations that call for changes in the way that Congress and the Trump administration oversee crucial security issues that, if unaddressed, may jeopardize U.S. national and economic security.

It remains to be seen whether some of the proposals will become a reality. In an interview with CyberScoop, Sen. Angus King, I-Maine, a co-chair of the commission, would not preview what elements of the proposal would appear in forthcoming legislation, but said between 40-50 percent of them could be seen in the 2021 National Defense Authorization Act.

King says there is urgency to taking action on each of the 75 recommendations.

“We want this to be the 9/11 Commission Report without the 9/11,” King told CyberScoop. “We are trying to urge and foment change without a catastrophic event.”

5G concerns

For Cyber Command, the commission recommends reexamining the cyber mission force, the 6,200-person unit that carries out the Department of Defense’s offensive and defensive cyber missions. The recommendation comes due to concerns about the risks of 5G networks, inherently more software-defined than other wireless networks, King said.

“I see a break point at 5G … The target surface doubles — autonomous vehicles, Internet of Things, so many more places to hack,” King told CyberScoop. “I suspect that [Cyber Command is] going to find they’re in need of some additional staff.”

King said the commission’s recommendation is in part about deepening the command’s efforts to counter adversaries beyond the election security space — something President Donald Trump’s then-national security adviser John Bolton suggested the command was working on last year.

On election threats, the commission is recommending that the Election Assistance Commission be fully funded and gain a fifth member with cybersecurity expertise who could break any divides among the four members, King told CyberScoop. The commission is also proposing establishing a digital literacy program to fight disinformation online.

Deepened cybersecurity oversight

The taskforce is proposing other plans — such as bringing back a derivative of the cybersecurity coordinator, a role Bolton eliminated years ago — which may not be met with immediate action. This time, however, the commission wants the cybersecurity point person in the White House, the so-called “National Cyber Director,” to be Senate-confirmed.

For now, King admitted the commission does not have buy-in from the Oval Office on the role. King will be making the commission’s case for the new role with Trump’s national security adviser, Robert O’Brien, King said.

The White House did not immediately return request for comment.

Oversight of cybersecurity issues has been hampered in the halls of Congress as well, as it’s scattered among multiple committees, the commission found, so it is recommending the creation of both a House Permanent Select and Senate Select Committee on Cybersecurity. But the new committees may not have broad appeal because they naturally will pull from some existing committees’ work.

“That’s going to be a tough one because you’re talking about committees voluntarily relinquishing some measure of jurisdiction,” King told CyberScoop. “We tried to mitigate that somewhat by suggesting … having chair and ranking member of at least one or two of the major committees on the new committee.”

The commission is also recommending the new committees have a limited role, for instance, by not having purview over the laws governing cyber-operations run by the military or the intelligence community, more commonly known as Titles 10 and 50.

As far as new roles go, the commission is also recommending elevating the State Department’s cybersecurity portfolio to include an Assistant Secretary of State role, so that State can better push conversations on norms of acceptable behavior in cyberspace, a conversation the U.S. has been losing ground on recently at the United Nations.

Trust in the private sector and supply chains

The commission also wants the private sector and government to work on building a “cooperative, trusting relationship,” King said.

The commission is urging Congress to pass a law that would make “final goods assemblers of software, hardware, and firmware” liable for damages in some cases where they’ve failed to patch against known vulnerabilities. King clarified the commission does not want to hold these organizations accountable for vulnerabilities they don’t know about.

The commission is also suggesting the creation of a cloud certification program, a continuity-of-the-economy plan in case of cybersecurity crises, more labeling of information and communications technology products, and more threat hunting in the defense industrial base.

More broadly, “Congress should direct the U.S. government to develop and implement an industrial base strategy for information and communications technology to ensure trusted supply chains,” the commission recommends.

“Part of what we’re trying to do is communicate the importance of the supply chain and the vulnerability of the defense industrial base on a supply chain basis,” King said.

And although King is concerned the danger of using Huawei in the U.S. or in allied countries “is just overwhelming,” he told CyberScoop the industrial base strategy proposal is not intended to just point the finger at Beijing or Huawei.

“This should not be viewed as ‘America wants to make money and favor its businesses over Chinese businesses.’ It’s about national security,” King said.

You can read the full report below.

[documentcloud url=”http://www.documentcloud.org/documents/6808022-CSC-Final-Report.html” responsive=true]