Frustrated with the lack of a single, governmentwide strategy on curbing large-scale cyber threats, a bipartisan group of lawmakers has launched a public-private partnership aimed at filling some of the gaps left by an amalgam of White House and agency policies.
The Cyberspace Solarium Commission (CSC) launched by Sens. Angus King (I-Maine) and Ben Sasse (R-Neb.), as well as Reps. Jim Langevin (D-N.H.) and Mike Gallagher (R-Wis.), takes its name from a task force convened by President Dwight Eisenhower in 1953 to craft a plan to combat threats from the Soviet Union. The task force held its first meeting at the White House’s sunroom.
The commission will consist of three work groups aimed at crafting a single, unifying cybersecurity strategy. King told reporters he expects the commission will release a final report before the end of December.
“There’s no central leadership, and there’s no policy that our adversaries or our allies, for that matter, can discern about what we’re going to do in a particular situation. And my belief is that until we clarify that, we’re going to keep getting hit,” King said in a conference call Monday.
Four senior agency executives — FBI Director Chris Wray, Acting Deputy Secretary of Defense David Norquist, Acting Deputy Secretary of Homeland Security David Pekoske and Deputy Director of National Intelligence Susan Gordon — will serve as commissioners on the 14-member board.
The private-sector membership also includes several former government executives — such as former undersecretary of DHS’s National Protection and Programs Directorate Suzanne Spaulding, former congressman and undersecretary of the Army Patrick Murphy, and former NSA deputy director Chris Inglis.
The organization will focus its work on three pillars: “persistent” engagement with adversaries, deterrence, and building international cyber norms and standards — what King compared to a “Geneva Convention of cyber.”
“One of the things I’ve concluded is that we’re a cheap date when it comes to cyber. People can go after us in ways and not really expect much in the way of a response,” King said, making reference to the 2015 Office of Personnel Management data breach.
On the notion of deterrence, King said it’s important that the federal government makes its capacity to retaliate known to malicious actors.
“Having a retaliation capability that your adversary doesn’t know about fails the test of deterrence. They’ve got to understand that there’s a price to be paid. There has to be something that will change their calculus, in terms of what they propose to do to this country,” King said.
The commission will take a few weeks before it’s fully staffed, but King said it’s already held its first three meetings.
At least two of the lawmakers on the commission — King and Langevin — have already pushed for setting up a more unified response to cyber threats.
In May 2018, Langevin and Rep. Ted Lieu (D-Calif.) introduced a bill to reestablish a cyber coordinator position in the Executive Office of the President. Rob Joyce previously held that title — along with his current position as the National Security Agency’s senior adviser for cybersecurity strategy— until the White House eliminated the former position in April 2018.
“Whenever I have a witness at a hearing who talks about ‘whole of government,’ mentally I check the box that says ‘none of government,'” King said during Monday’s call. “Nobody’s responsible. This really does have to be whole of government. I think it has to be whole-of-society, because of the important role of the private sector.”
Much like DHS’s National Risk Management Center, the commission will serve as an information sharing platform that King said will deliver a “heightened level of communication and cooperation” between the public and private sectors focused on securing everything from the electrical grid to critical infrastructure.