WASHINGTON – A commission created by Congress to develop a more strategic approach to defending against cyber attacks turned off the lights on Tuesday, ending two and a half years of work on policy recommendations, legislation and warnings about malware, ransomware and other threats.
When the Cyberspace Solarium Commission released its first recommendations in March 2020, after a year of research and writing, its members vowed that the panel would operate differently from other blue-ribbon exercises in Washington. Senator Angus King, an independent from Maine and co-chair of the commission, said the recommendations would not end up gathering dust on a shelf like those developed by many other well-meaning panels.
The name of the commission was based on the Solarium Project of the Eisenhower administration, which developed new policies for the Cold War. Influential members of the House and Senate armed services committees led the commission, allowing its cybersecurity recommendations to be presented as legislation included in one of the few bills passed each year: the annual National Defense Authorization Act.
“This is an example of what I think is genius – and I can say this because it was not my idea – instead of just releasing a report with recommendations, we gave congressional committees legislation fully written and completed,” King said.
Congress initially set the end of the commission at the end of 2020, but extended its work for another year. Meanwhile, King said, about half of the panel’s recommendations have been implemented, most through legislation, but some through executive branch actions.
The commission closed with notable successes, such as the creation of a national cyber director at the White House and measures to strengthen the powers of the Cybersecurity and Infrastructure Security Agency, as well as provisions of this year's defense bill, including requirements to revise response plans and more drills for government officials.
Some key initiatives remain unfinished, with details of legislation to be drafted or arguments over Congress’ competence to be unraveled.
“We are clear that there are still great things to be done that have not been done,” said Rep. Mike Gallagher, Republican of Wisconsin and another co-chair of the commission.
The commission developed a proposed bill that would have identified systemically important infrastructure. Companies – like Colonial Pipeline, which was hit in May by a ransomware attack – that play a crucial role in the economy would benefit from special assistance to improve their cybersecurity. In return, however, they would face additional security requirements and share additional information with the government.
Further hearings with the House Homeland Security Committee will be needed before this legislation moves forward, as lawmakers grapple with the details of liability protection and how to oversee the security of cloud computing providers and other industries.
Mr Gallagher, who over the past two years has become a rising star among members of his party focused on legislation, said he wanted additional measures to be taken that would have required companies and institutions operating critical infrastructure to report intrusions or attacks to the federal government.
“We believe Congress should authorize the Department of Homeland Security to establish requirements for critical infrastructure entities to report cyber incidents to the federal government,” Gallagher said. “But we couldn’t cross the finish line.”
The commission also developed proposals for a “joint collaborative environment” on cyber threats that would increase information sharing between private companies and government. While government officials say they’ve taken steps in this direction, private companies say there are still too many barriers to information sharing – and commission members agree.
Right now, Gallagher said, the federal government lacks the infrastructure to share data between agencies and with private companies. The mindset must also change, he said.
“It’s about how to change the culture of the intelligence community, so that it is proactively willing to share things with the private sector instead of just accumulating information or demanding information,” Mr Gallagher said.
Some of the legislative proposals, such as the creation of a national cyber director, were the subject of fierce debate, but the panel largely avoided partisan battles.
“I have devoted more time and energy to this project than anything I have done in the Senate. And I didn’t want to waste that time and that energy,” said Mr. King, who caucuses with the Democrats.
Mr Gallagher and Mr King said they hoped their remaining major legislation could be passed by Congress next year.
As the commission comes to an end, lawmakers and other members will continue to work with a new nonprofit group, said Mark Montgomery, executive director of the commission.
The nonprofit will continue to pursue these initiatives, and members and their staff will push for action from Congress, he said. It will also be a resource for researchers and academics examining policy issues and solutions, hosting the commission’s report and articles on various topics.
Previous efforts to improve approaches to cybersecurity have run out of steam. But Mr Montgomery said the nonprofit may be able to maintain its momentum, at least for a while, by maintaining the commission’s annual assessment reports.
The nonprofit, Montgomery said, will also keep a variation of the commission’s name with a new website that will be up and running in the new year.
“I went and bought cybersolarium.org for $12,” Mr. Montgomery said. “So we’re going to have to switch from solarium.gov to cybersolarium.org. But it was $12 that I was willing to spend.”