Congress created a national cyber director to oversee digital security policy. Lawmakers dramatically bolstered DHS’ new Cybersecurity and Infrastructure Security Agency, establishing new programs within the agency, codifying existing activities and authorizing CISA to subpoena data on vulnerable companies from their internet service providers. And DHS gained the power to declare major cyber incidents and tap into a new emergency response fund.
More than two dozen of the 109 proposals have stalled or face major obstacles, however, leaving the fate of these recommendations — several of which would have sweeping impacts on government oversight and corporate liability — in doubt.
Still, the commission, which formally dissolved on Tuesday, reshaped the way the government handles cyber issues and provided a blueprint for even more significant transformation in the years ahead. In a recent interview, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the commission’s co-chairs, discussed their biggest successes, their hardest fights and the proposals that haven’t gotten traction.
This interview has been edited for length and clarity.
Which of your successfully implemented recommendations are you each most proud of?
Gallagher: One, giving CISA the authority to do threat hunting on dot-gov networks was crucial, and it’s something we’re going to be monitoring closely, and it’s part of our overall effort, which was really to elevate and empower CISA to do its job and, ultimately, attract top-level talent.
Additionally, on the military side, we mandated a force structure assessment for the [U.S. Cyber Command] Cyber Mission Force, and I’m eager to see what DoD comes back with on that. When the Cyber Mission Force was stood up, the threat landscape was far less complex than it is today.
And then finally, we passed a law requiring continuity-of-the-economy planning. It’s absolutely critical that we continue to put pressure on the executive branch to do that planning, to prepare now for how we would recover in the event of a major cyberattack. Particularly as tension continues to rise over Taiwan with China, I think that that’s going to be essential.
King: I would add two provisions. One is the creation and nomination and confirmation of the National Cyber Director. I think that’s very important and took a lot of arm-wrestling, first in the Congress and then with two different administrations that were somewhat reluctant in terms of Congress dictating who would be in the Executive Office of the President.
The second one I would point to is kind of a funny one. We accomplished it, I think, by remote control. One of our significant recommendations was the creation in the State Department of a bureau of cyber and technology that would be led by an ambassadorial-level person, the idea being that this problem of cyber is not only our problem, but it’s a worldwide problem, and the solution needs to be multilateral. Well, while we were grinding away on the legislative authorization for that, lo and behold, the State Department did it about a month ago and created just this office with an ambassadorial-level leader. [Editor’s note: The department committed to creating the bureau in consultation with Congress, but those talks remain ongoing.]
Now, we still want to finish our legislation and clarify some of the authorities and responsibilities. But basically, I consider that a win. Clearly, the fact that this was in play in the Congress encouraged the State Department and the administration to go forward.
Which recommendations were the most difficult to get across the finish line?
King: The National Cyber Director we had to work at. There was reluctance in the Trump administration when it was first proposed. There was reluctance during the transition from the Biden administration. There was also some reluctance in Congress. But ultimately, we had a hearing, we convinced members of the House, we convinced [Sen.] Mike Rounds [(R-S.D.), then the chair of the Armed Services cyber subcommittee] in the Senate, and he became one of our strongest advocates.
Gallagher: I agree on the National Cyber Director as well. We faced a lot of resistance, but we ultimately were able to make the case both publicly and privately and make the case to our colleagues in Congress to put it into law, and I think we have the absolute perfect person in the form of Chris Inglis to be the first national cyber director. It’s not “mission accomplished.” There’s obviously a lot we need to do. But that was a big accomplishment and a very difficult one at times.
Many of your stalled recommendations require executive branch action. Now that the commission is wrapping up, how will you keep up the pressure on the Biden administration to implement those proposals?
Gallagher: We will have a Solarium 2.0 project that both intends to preserve the legacy of the commission and also to continue the work to implement the recommendations. At least on the House side, myself and [Solarium commissioner Rep.] Jim Langevin [(D-R.I.)], in next year’s NDAA process, are going to be pushing aggressively to get some of the proposals that fell a little bit short into law, and Angus and I will continue to engage with the White House on those that don’t require legislation but are more the province of executive orders. So though we may be formally disbanding, the 2.0 effort will give us enough of a platform to push, in a very targeted way, the recommendations that still haven’t been implemented.
King: We’ve already decided — and it’s underway — to continue under the auspices of a nonprofit, to continue our work and to continue having staff work and to continue following up. The 10 of us are intending to continue. We’re gluttons for punishment. We had our 50th meeting last Monday, as a matter of fact, and intend to continue.
Now, in answer to your question about the executive branch, I believe the single biggest piece of unfinished business is and was the publication by the president of a clear declaratory cyber deterrent policy. And that hasn’t happened yet. The president had discussions with [Russian President Vladimir] Putin about redlines and what was going to be off-limits, but we believe that that needs to be fleshed out. It needs to be clear and unequivocal that, if this country is attacked in cyberspace, there will be a costly response — costly to the attacker. And so far, in our recent history, that hasn’t been the case.
Can you say more about the “Solarium 2.0” project that’s going to be housed in a nonprofit?
Gallagher: Since our executive director [Mark Montgomery] is now at the Foundation for Defense of Democracies and one of our commissioners, Sam Ravich, is there, I believe that’s going to be primarily where the work gets done.
Roughly 30 of your proposals, including some that have been authorized, still require appropriations. Are you talking to appropriators about including some of that funding in the next spending bill? It seems like those recommendations will languish without imminent funding.
King: Yes, we are and will be continuing to work with the appropriators. By the way, I think one of the successes of the Solarium has been the elevation of this issue. I’ve been in committee meetings over and over where people talk about the Solarium. They say, ‘Well, we probably ought to think about this, because this was part of one of the Solarium’s recommendations,’ or something like that. I think we gained some credibility that will help us in the appropriations process.
Several of your implemented recommendations involve assessments of agencies such as CISA or U.S. Cyber Command. As these organizations grow and mature, what signs of success will you be looking for, and what red flags will you be on alert for?
King: The ultimate measure of success is minimizing and eliminating and ameliorating the impacts of cyberattacks. But in the interim, the building and maintaining of a positive relationship between CISA and the private sector, I think, is one of the most important challenges we have.
Gallagher: One of the biggest successes in recent years that we tried to build on was the devolution of authority down to the operators at Cyber Command to make decisions quickly, to do things quickly. Because in this space, speed is essential. So one thing we’re going to be looking at is to make sure that we don’t go back on that. I think any attempts to insert more people into the decision-making process under NSPM-13 and really slow down what is required to approve cyber offensive operations would be counterproductive.
Which of your unimplemented proposals do you each see as the most urgently needed?
King: We came very close in this [fiscal 2022] defense bill — down to negotiating on Saturday night of [three] weeks ago — but couldn’t quite finish on two important pieces.
One was the establishment at CISA of what we call a Joint Collaborative Environment, which is an infrastructure to facilitate the interaction of the private sector and CISA. This isn’t army versus army and navy versus navy. The grid is the target, or the financial sector. So, a new kind of close, real-time, trusting relationship between the private sector and the federal government — in this case, CISA — I think is incredibly important.
The second piece is related to that, and that’s mandatory incident reporting, where the companies would have to report significant cyber intrusions. If there’s an attack on JPMorgan, we need to know about it so we can warn Wells Fargo or Bank of America and try to track down what the nature of the attack is.
Gallagher: One thing that I think underlies all of this that isn’t going to be solved by specific legislation is just the challenges we have with workforce development. Ultimately, I think our success and failure in cyber is going to come down to just human beings. There’s a huge shortfall in terms of cybersecurity professionals and cybersecurity warriors that we need at the federal level in the public sector right now. We think Congress can do more to ensure that all the departments and agencies have the hiring authorities and pay flexibilities needed to recruit and retain cyber-focused professionals.
We have a lot more work that needs to be done, and hopefully we can get it done in the Solarium 2.0 vehicle.