26 Cyberspace Solarium Commission recommendations likely to become law with NDAA passage

Once passed, the National Defense Authorization Act will create a White House cybersecurity director role, expand CISA's capabilities, and create a K-12 security education assistance program.

Uschools / Damien Geso / Getty Images

This year’s National Defense Authorization Act (NDAA), the annual “must-pass” spending bill that ensures the continued funding of the nation’s military, has a wealth of information security recommendations that come from the bi-partisan, bi-cameral, public-private initiative known as the Cyberspace Solarium Commission (CSC). The CSC was itself established in 2019’s NDAA bill and was asked to come up with a new strategic approach to cybersecurity.

Last spring, the CSC issued a report that offered 82 policy and legislative recommendations to improve cybersecurity. Of those, 26 will likely become law given that both the House and Senate last week passed the bill by overwhelming margins. The veto-proof vote count is needed given that President Donald Trump has repeatedly vowed to veto this year’s NDAA unless it also contains provisions that strip internet companies of legal liability protections granted them in Section 230 of the Communications Decency Act of 1996. Over the weekend, Trump reiterated via Tweet his intention to veto the NDAA.

Solarium co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) expressed their delight in turning substantive cybersecurity recommendations into legislative provisions. “From the first day we embarked on crafting America’s cyberdoctrine, we were determined to create a plan of action, not a report collecting dust on a shelf. It is only because of the hard work and commitment of our commissioners and tireless staff that we were able to create such a robust report earlier this year. It is due to them that we were able to inform national policy on such a remarkable level,” the pair said in a statement.

A new White House “Anthony Fauci” of cybersecurity

The Commission’s top accomplishment in the bill is the reestablishment of cybersecurity leadership in the White House by creating a national cyber director position. Senator Mike Rounds (R-SD) garners much of the credit for this achievement. “The creation of a national cyber director position in this year’s NDAA was the result of years of hard work,” Rounds said in a statement.

“This is a tremendous success for process. You need to give credit to Senator King and Representative Gallagher, Representative [Jim] Langevin [D-RI] and others who were on the Commission for running the Commission the way they did and the staff where they got tremendous input from across the community,” Jonathan Reiber, senior director for cybersecurity strategy and policy at AttackIQ, tells CSO. “But then they wrote the legislation and handed it over to the committees. That, to me, is the fascinating and great success of this. Getting very smart thinking into the Commission’s study and then turning it into draft legislation.”

Regarding the national cyber director position, Reiber says that “if we have learned anything from the coronavirus, it’s that it is very important to have experts in front of the American people and briefing the president and running a process when it comes to a national contingency that crosses multiple sectors of society. The real benefit in having a national cyber director is, imagine this person being like Anthony Fauci who is an expert in the field, who has the respect of their peers in the cabinet and has the authority to speak to the public, and the direct relationship with the president to help the president understand what’s going on.”

Subpoena authority for CISA

Another high-profile CSC recommendation in the NDAA gives administrative subpoena authority to the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) so that it can “identify vulnerable systems and notify public and private system owners.” The goal is to allow CISA to be proactive in reaching out to vulnerable parties to let them know they have a vulnerability before bad actors exploit it. “It’s very good to have CISA personnel now hunt on federal networks,” Reiber says.

Joint cyber planning office in CISA

Another prominent CSC recommendation in the NDAA calls for establishing a joint cyber planning office in CISA that would pull together relevant experts and agencies across the federal government to facilitate comprehensive planning of defensive cybersecurity campaigns. A CSC advisor, Casey Ellis, CTO, founder, and chairman of Bugcrowd, applauds this recommendation. “The DHS efforts and pre-work role in securing the 2020 election across the states illustrate the need for a dedicated planning and project management office on a go-forward basis for similar and other wide-scale defensive efforts,” he tells CSO.

“It’s a big achievement to have a joint cyber planning office that has DoD, NSA, FBI, DOJ and DNI working with the private sector to plan operations,” Reiber says.

Non-traditional cybersecurity support for the DoD

Yet another CSC recommendation attracting attention is the evaluation of non-traditional cybersecurity support to the Department of Defense. “This is a critical need which is foreshadowed by the Hack the Pentagon series of crowdsourced security engagements between the DoD and the broader white-hat hacker community who could be considered, in effect, a ‘cyber reserve,’” Ellis says. “The attack surface and the adversary are both evolving rapidly, and this is as essential from a skillset diversity standpoint as it is for pure headcount availability.”

Other noteworthy recommendations from the Commission in the NDAA include:

Report on the risk to national security posed by quantum computing technologies, which mandates the comprehensive assessment of the threats and risks posed by quantum technologies to national security systems. “Many of the assumptions that cybersecurity is built on rely on Moore's Law and traditional concepts of processing. Quantum will catch a lot of this by surprise, and a holistic threat and risk assessment is important and becoming urgent, given the recent advances in quantum supremacy,” Ellis says.

Improvement relating to the Quadrennial Cyber Posture Review, which directs the DoD to conduct a force structure assessment of the Cyber Mission Force to ensure that the United States has the appropriate force structure and capabilities in light of growing mission requirements and expectations, in both scope and scale. “The DoD conducting a force structure assessment of the Cyber Mission Force is important given the accelerating evolution of technology usage and the offensive capability of US adversaries,” Ellis says.

Cybersecurity Education and Training Assistance Program, which authorizes the Cybersecurity Education and Training Assistance Program at CISA and is a K-12 cybersecurity education initiative. “The K-12 cyber education initiative is incredibly exciting. Educating the generation who will inherit these problems and opportunities and making them more native to security concepts can only be a good thing,” Ellis says.

CSC’s recommendations will prevail in a divided congress

Although the House passed the NDAA on December 2 with a “veto-proof” majority of 335 to 78, as of today, the Senate is still debating the measure. Even though Senate Republicans are far more reluctant to defy Trump, the smart money in Washington predicts that the Senate will also pass the NDAA with a veto-proof majority.

The success of the Solarium Commission in bridging chambers and parties bodes well for the ultimate passage of most if not all of the 26 recommendations even if the NDAA were to fail passage in its current form. “A veto would be a setback, but I imagine the majority of the CSC recommendations would either be re-tabled or pursued via other avenues of execution,” Ellis says.