A little more than a year removed from its role in advancing some of the most significant cybersecurity legislation ever enacted, the Cyberspace Solarium Commission is transforming into version 2.0 of itself.
With some of its key recommendations now law — such as the creation of the Office of the National Cyber Director in the White House — the remnant of the congressionally created panel is turning its attention to tracking how those ideas are implemented, while studying some of the issues it didn’t get to fully examine before releasing its final report.
Those areas of study include protecting the water, maritime transport and health care sectors, as well as strengthening the federal and private sector workforce and ensuring plans to avert disruptions to the economy caused by cyberattacks.
Now housed within the Foundation for Defense of Democracies (FDD) think tank, the commission’s 2.0 work should take another two years, said Executive Director Mark Montgomery.
“If there’s a lot that we can tell needs to be studied and done, maybe they need a new commission,” he said. “But I think we’re going to spend two years to try to push through on implementation. In hindsight, you need longer to track implementation.”
It’s the final stretch for a panel that, Montgomery estimates, got between 50 and 65 of its 82 recommendations adopted, implemented or at least actively positioned for more consideration. Much of that happened in the fiscal 2021 version of the annual defense policy bill, including creation of the national cyber director.
What’s changed, what hasn’t
The remaining, pared-down staff will still have regular meetings, as the commission did. Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., are continuing to serve as co-chairs. After initially being government-funded, CSC 2.0 now raises its own money. Montgomery said he wasn’t worried about donors influencing the agenda because it’s already set.
Montgomery said it wouldn’t be “appropriate” for CSC 2.0 to continue lobbying Congress to enact the remaining unfulfilled recommendations, but staffers will work to provide support for those ideas, such as draft legislation that lawmakers could use.
The first goal going forward, said Samantha Ravich, a CSC 2.0 adviser, is “making sure that the recommendations that did become law are actually operationalized, that they’re not just law on paper.” Another adviser, Frank Cilluffo, calls it “taking the nouns and translating those into verbs.” (Ravich works on a range of cyber issues at FDD, and Cilluffo heads up a cyber institute at Auburn University. Both were members of the Commission.)
The second goal is diving deeper into areas where the commission only scratched the surface before, then looking to make further recommendations, Montgomery said.
- The water sector, widely seen as one of the worst industry sectors when it comes to protecting itself from cyberattacks, is vital to so many other sectors, Montgomery said. A bank that spends billions on cybersecurity still relies on electricity, which in turn relies on water for cooling at its plants. “In critical infrastructure, you’re only as strong as your weakest link,” he said.
- Maritime transport is a key part of the supply chain that’s already suffering disruptions. “If we think things are bad now at Long Beach and Charleston, have a cybersecurity attack come on top of the delays,” Montgomery said.
- Montgomery said the Biden administration has proven slow to advance the “continuity of the economy planning” requirement in the fiscal 2021 defense bill, something he said should be in the hands of the Department of Homeland Security instead of the White House’s National Security Council, which has fewer personnel to work on the issue.
- Recommendations dating back to Montgomery’s time at the NSC in 1999, he said, are still recirculating as a solution to the cybersecurity workforce gap, which is growing faster than jobs are being filled. “This is an area where the federal government has absolutely tripped itself up,” he said. It’s done better on policy and technology. “The people issue is still bedeviling us.”
- A lawsuit last year blamed a ransomware attack for the death of a baby, alleging that the hospital’s struggles with the hackers led to poor care. It demonstrates the need to bolster safety within the health care sector, Montgomery said, rather than just focus on patient privacy under the Health Insurance Portability and Accountability Act (HIPAA). The Health and Human Services Department “has really concentrated on HIPAA over the last decade, and they really need to concentrate their sector risk management responsibilities in all these areas in the cybersecurity area,” he said.
While those are the five areas of focus, they each could offer opportunities to dive into a series of related topics, said adviser and former commissioner Suzanne Spaulding, who’s also a senior adviser for homeland security at the Center for Strategic and International Studies (CSIS).
“The water issue is going to get us deeper into industrial control systems and operational technology issues,” she said, referring to a blanket term for systems that automate industrial processes and the hardware that monitors them. “It’s also going to get us into the whole issue of systemic risk and how we think about that, and what the cyber ecosystem does around that, and cyber insurance. And so there’s all kinds of issues embedded in these five.”
Good and bad models
James Lewis, a CSIS cyber expert who wasn’t affiliated with the commission, said CSC 2.0 seems to be following in the footsteps of the National Security Commission on Artificial Intelligence and its metamorphosis.
“That seems to be the model now: You have a commission, you turn yourself into a think tank,” he said.
That’s a better way to go, Lewis said, than what the Sept. 11 Commission did — sticking around to make sure all of its recommendations were enacted.
“Every single recommendation does not need to be pursued,” he said, as it can dilute what a commission is capable of in its second life.