Solarium commissioners focus on cyber director, better attribution
Negotiations between the House and Senate on a $740 billion defense authorization bill will determine which recommendations from the Cyberspace Solarium Commission make it into law.
The Cyberspace Solarium Commission has successfully lobbied the House to include nearly two dozen of its recommendations in the latest defense authorization bill. They're now working to convince the Senate to adopt ideas like a new White House Cyber Director while also pushing the federal government and its allies to produce quicker attribution and joint sanctions for malicious cyberattacks.
During a House Armed Services Subcommittee on Intelligence and Emerging Threats hearing, ranking member Rep. Elise Stefanik (R-N.Y.) said at least 22 of the more than 50 legislative proposals from the report were included in the final version of the National Defense Authorization Act passed by the House.
Those provisions must still survive a conference with the Senate and a potential veto from the White House, which has already stated its opposition to numerous provisions in the House and Senate versions.
In his opening statement, Subcommittee Chairman Rep. Jim Langevin (D-R.I.) outlined goals beyond this year's legislative accomplishments, saying he hopes the report acts as "a blueprint for legislative and executive actions that force the country to break apart the institutional stovepipes" around cybersecurity policy in Congress and the executive branch.
That includes a provision to establish a new White House Cyber Director who would be responsible for breaking down those barriers and coordinating cyber policy across government. The position was included in the House NDAA but the Senate version would only mandate an independent assessment of the position. Proponents made it clear they intend to continue their advocacy during the conference process.
"The reality is right now we have enormously capable people throughout the federal government, but there's no central point of oversight, there's no central point of coordination, there's no central point of defining strategy," said Sen. Angus King (I-Maine) co-chair of the commission during testimony.
While many in the cyber policy community have embraced the idea, likening it to a restoration of the now-defunct White House Cybersecurity Coordinator position eliminated in 2018, there are some detractors.
Phillip Retinger, president and CEO of the Global Cyber Alliance and former Deputy Under Secretary for the National Protection and Programs Directorate at DHS, has argued that far from clarifying roles and responsibilities around cyber policy, the position as written in the House NDAA would not have any explicit authority around offensive cyber operations carried out by the military and its focus on defensive issues would step on another one of the commission's priorities: further empowering NPPD's successor, the Cybersecurity and Infrastructure Security Agency.
In a piece for Lawfare this month, Retinger wrote that "creating a new Office of the National Cyber Director within the Executive Office of the President would do little to elevate CISA. In fact, it would likely have the opposite effect: reducing the influence of CISA as the new national cyber director works to clear some bureaucratic space by asserting authority and throwing some elbows."
On the other end of the spectrum, Rep. Don Bacon (R-Neb.) expressed concern during the hearing that if the director position did have authority over offensive and intelligence aspects of U.S. cyber policy, it might muddy up current the chain of command to authorize offensive operations between U.S. Cyber Command, the Secretary of Defense and the President. King said such concerns are why the legislation makes clear that the position was designed for planning and coordination.
"We want this person to be accountable for the coordination, but [they] would not have an operational role," King said.
One area where commissioners and lawmakers said they want to see the U.S. and allies get more aggressive is attributing major cyberattacks back to specific groups and their patron countries. One recommendation from the report is strengthening the Cyber Threat Intelligence Integration Center within the Office of the Director of National Intelligence to provide "analysis and coordination necessary for rapid and accurate attribution."
The Department of Justice and Special Counsel Robert Mueller's investigation have issued indictments containing detailed accusations and evidence linking a series of intrusions and influence campaigns during the 2016 election to the Russian government, while the White House and other U.S. agencies have worked to publicize evidence linking China, Iran and North Korea to other high profile attacks.
Earlier this month, the U.K.'s National Cyber Security Centre attributed a widespread espionage campaign targeting Western research organizations that are working on a COVID-19 vaccine to a hacking group with ties to Russian intelligence. Those findings, endorsed by agencies in the U.S. and Canada, also wound up linking a number of malware tools used by the group. The same day of the hearing, the European Union imposed economic and travel sanctions on six individuals and three organizations from China, Russia and North Korea for carrying out the WannaCry, NotPetya and CloudHopper cyber campaigns.
Many of the individuals and entities had previously been identified by U.S. and Western governments, causing Langevin to question whether more could be done to "shorten the timeline between incident and response" when it comes to attribution.
"The WannaCry and NotPetya malware, for instance, were both released in the first half of 2017, and we have known the culprits were the North Koreans and the Russians, respectively, for almost as long," said Langevin in a separate statement sent to FCW before the hearing. "Like-minded nations that believe that cyberspace is not the 'Wild West' must work together to take swift and decisive action in the face of continued belligerence from countries seeking to benefit from 'gray zone' conflict in cyberspace. I urge the Council to publicly commit to working to reduce the time between incident and response."
This article first appeared on FCW, a Defense Systems partner site.