[Senate Hearing 116-458]
[From the U.S. Government Publishing Office]
S. Hrg. 116-458
THE FINDINGS AND RECOMMENDATIONS OF THE
CYBERSPACE SOLARIUM COMMISSION
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY
of the
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
AUGUST 4, 2020
__________
Printed for the use of the Committee on Armed Services
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via: http:// www.govinfo.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
56-585 PDF WASHINGTON : 2024
COMMITTEE ON ARMED SERVICES
JAMES M. INHOFE, Oklahoma, Chairman
ROGER F. WICKER, Mississippi JACK REED, Rhode Island
DEB FISCHER, Nebraska JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa MAZIE K. HIRONO, Hawaii
THOM TILLIS, North Carolina TIM KAINE, Virginia
DAN SULLIVAN, Alaska ANGUS S. KING, Jr., Maine
DAVID PERDUE, Georgia MARTIN HEINRICH, New Mexico
KEVIN CRAMER, North Dakota ELIZABETH WARREN, Massachusetts
MARTHA McSALLY, Arizona GARY C. PETERS, Michigan
RICK SCOTT, Florida JOE MANCHIN III, West Virginia
MARSHA BLACKBURN, Tennessee TAMMY DUCKWORTH, Illinois
JOSH HAWLEY, Missouri DOUG JONES, Alabama
John Bonsell, Staff Director
Elizabeth L. King, Minority Staff Director
___________
Subcommittee on Cybersecurity
MIKE ROUNDS, South Dakota, Chairman
ROGER F. WICKER, Mississippi JOE MANCHIN III, West Virginia
DAVID PERDUE, Georgia KIRSTEN E. GILLIBRAND, New York
RICK SCOTT, Florida RICHARD BLUMENTHAL, Connecticut
MARSHA BLACKBURN, Tennessee MARTIN HEINRICH, New Mexico
(ii)
C O N T E N T S
___________
August 4, 2020
Page
The Findings and Recommendations of the Cyberspace Solarium
Commission..................................................... 1
Member Statements
Statement of Senator Mike Rounds................................. 1
Statement of Senator Joe Manchin................................. 3
Witness Statements
King, Senator Angus S., Jr., Co-Chair, Cyberspace
Solarium Commission............................................ 5
Gallagher, Representative Michael J., Co-Chair, Cyberspace
Solarium
Commission..................................................... 23
Inglis, Brigadier General John C., ANG (Ret.), Commissioner, 25
Cyberspace Solarium Commission.
Questions for the Record......................................... 38
(iii)
THE FINDINGS AND RECOMMENDATIONS OF THE
CYBERSPACE SOLARIUM COMMISSION
----------
TUESDAY, AUGUST 4, 2020
United States Senate,
Subcommittee on Cybersecurity
Committee on Armed Services,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:38 p.m. in
room SD-106, Dirksen Senate Office Building, Senator Mike
Rounds (Chairman of the Subcommittee) presiding.
Members present: Senators Rounds, Wicker, Perdue, Scott,
Blackburn, Gillibrand, Blumenthal, King, and Manchin.
OPENING STATEMENT OF SENATOR MIKE ROUNDS
Senator Rounds. Well, good afternoon.
Senator Manchin, our Ranking Member, should be here
shortly. He, unfortunately, had a meeting off the Hill.
Thank you, Senator Blumenthal, for being here. Senator
Perdue, as well. We have a number of our other members who are
joining us virtually today.
Today, the Cybersecurity Subcommittee welcomes, for the
first time, colleagues to present the findings of the
Cyberspace Solarium Commission: our friend Senator King, from
Maine, and Representative Gallagher, from Wisconsin. They are
joined by fellow Commissioner, retired Brigadier General John
C. Inglis, Professor of Cybersecurity Studies at the U.S. Naval
Academy, and former Deputy Director of the National Security
Agency.
Welcome, to all. Thank you for coming to discuss this
important topic at today's hearing.
I would like to extend my congratulations, as well, to Mike
Gallagher and his wife, Anne, on the recent birth of their baby
girl, Grace. Good luck on your greatest adventure yet and all
the amazing moments yet to come associated with it.
I would also like to recognize former Senate Armed Services
Committee (SASC) Policy Director Mark Montgomery, who serves--
or who served as Executive Director of the Commission.
Section 1652 of the Fiscal Year 2019 National Defense
Authorization Act (NDAA) established the Cyberspace Solarium
Commission to study alternative strategies for defending the
United States against malicious cyber activity and advancing
its national interests in cyberspace. Among the strategies to
be evaluated were cyber deterrents, persistent engagement, and
compliance with international norms. The Commission has
produced an impressive report that advocates a combination of
all three: deterrence by denial and rapid attribution,
deliberate shaping of international norms through aggressive
diplomacy, and continued persistent engagement of malicious
cyber adversaries.
The Commission's report also presents a number of reforms,
many in legislative format, for our deliberation. Of particular
importance are the following recommendations: that the
Department of Defense evaluate the size and capacity of the
Cyber Mission Forces; that the Department of Defense takes an
expanded role in exercises and planning relevant to protection
against cyberattacks of significant consequence; that the
Department of Defense and cybersecurity companies hunt on
defense industrial base networks; and that the administration
establish a National Cyber Director.
These recommendations are valuable contributions to the
debate on what policies, programs, and organizational
constructs will best advance the Nation's cybersecurity. I am
proud that we were able to incorporate 11 of these
recommendations into the Committee mark of the NDAA, with
several additional recommendations which were, unfortunately,
outside of our jurisdiction, but were incorporated later on the
floor discussion.
While this hearing comes too late to inform the NDAA mark,
three objects of the Commission's study remain relevant for
this Subcommittee's oversight of the Department's cyberstrategy
and operations, and for the Committee's conferencing of the
NDAA. First and foremost, I want to discuss the motivations
behind the Commission's recommendation and recent annex further
detailing the establishment of a National Cyber Director. How
is the interagency planning an execution process, broken today?
What authorities, especially those relevant to offensive cyber
action, should be available to the Director? How would the
National Cyber Director act to direct or coordinate Department
of Defense action in response to a cybersecurity incident of
significant consequence?
Since its establishment, this Subcommittee has focused on
improving coordination among the many relevant entities within
the Department of Defense to assure synchronized efforts in
implementing and executing their cyberspace missions. I believe
that the Principal Cyber Advisor within the Office of the
Secretary of Defense has been particularly effective at
performing that particular oversight and coordination role, and
advising the Secretary of Defense. This has been accomplished
without the establishment of a large bureaucracy, and without
creation of yet another cyber stovepipe within the DOD.
In this year's NDAA, we included a provision that
strengthened the Principal Cyber Advisor's oversight and
coordination role. I also sponsored a provision in the Fiscal
Year 2020 NDAA that added Principal Cyber Advisors for each
Service Secretary to provide them with this critical
coordination asset. The Principal Cyber Advisors have a
departmental or service role, while the proposal for a National
Cyber Advisor concerns a national role. However, I think there
may be some similarities between the functions of the Principal
Cyber Advisors and the National Cyber Director, as envisioned
by this Commission. I would, therefore, appreciate discussion
on the similarities and differences between the roles of the
DOD Principal Cyber Advisors and the proposed National Cyber
Director.
Second, I hope to better understand the recommendations the
Commission provided regarding the Department of Defense's cyber
targeting. Did the Commission see Cyber Command's current plans
and operations as matching the Commission's recommendations in
cyber deterrence and 6 persistent engagement? Did it find the
Department's aspirations for persistent engagement of
adversaries to be realistic?
Finally, I want to hear how the Department of Defense can
better execute its mission to protect the Nation against
Russian, Chinese, Iranian, and North Korean cyberattacks. What
are the Department's capability shortfalls? What should its
role be in emergency response actions?
Thank you for your diligent efforts in producing this
report, and for agreeing to testify before this Subcommittee.
Senator Manchin, welcome. Senator Blumenthal sat in to
check and make sure things were working the way they were
supposed to. Welcome. Do you have any opening comments,
Senator?
STATEMENT OF SENATOR JOE MANCHIN
Senator Manchin. Well, Senator Rounds and Senator
Blumenthal, thank you very much. I appreciate that.
Thank you, Senator Rounds.
I, too, welcome our witnesses: Senator Angus King, our dear
friend, and Representative Mike Gallagher--I guess Mike's--is
he going to be on--okay--who served as co-chairs of the Cyber
Solarium Commission at--that this Committee established in last
year's NDAA; and the third, retired General Chris Inglis, who
served as one of the Commission members.
Senator King, of course, is a distinguished member of this
Committee. Representative Gallagher, I want to thank him for
his work on this Commission and for your great service in the
House, and Chris Inglis is no stranger to this Committee,
having previously served as the Deputy Director of the National
Security Agency.
Thank you, Chris, for being here, too.
I want to take a moment and speak about the efforts of this
Commission, why it has been successful, and what lessons we can
learn from the future.
A commission of this type is intended not just to educate
Congress, the executive branch, and the public. The intent is
to forge a consensus on what needs to be done to fix the
problems the Commission identifies. However, too often those
recommendations are too vague or difficult for Congress to
legislate on. The Commission spent a lot of time and effort
turning those recommendations into actual draft legislation
text. This was an immensely important decision. If you have to
turn an idea into bill language, you have to really think it
through, and the result has to be compatible with the main
purpose of Congress, which is drafting laws.
To be sure, we have had to modify these recommendations,
sometimes significantly. But, without those legislative drafts,
much of the Commission's work might already be collecting dust
on someone's shelf. Instead, a vast majority of the
Commission's recommendations were included, in one form or
another, in the NDAA bills passed by the House and Senate,
including a significant number of recommendations that crossed
the jurisdictional lines of multiple Committees. This is no
mean feat. Getting approval across multiple Committees for
legislative amendments on the floor of the House and Senate is
extremely hard, something that Senator King and Representative
Gallagher know very well and were able to do it.
One of the main and most influential Commission
recommendations is the creation of a National Cyber Director.
This recommendation is not popular with the administration.
Senator Rounds and I also concluded that the proposal needed a
bit more polishing by the Commission in order to better
understand what this position's role should be. Senator King
and Representative Gallagher took this on, and, in the last
couple of months, have produced a very, very good proposal,
which we will talk about here today. The Commission co-chairs
firmly believe that this position is crucial to integrating the
response of all the departments and agencies who have to be
involved in dealing with major cyberattacks. We must have the
military cyber forces, the intelligence collectors, our law
enforcement officers, and Homeland Security operating as a
team, bringing all their authorities and resources to bear to
counter an attack. I hope the President and his senior advisors
can be persuaded to not just accept this idea, but to embrace
it to improve our national security.
While I am greatly impressed with the Commission's effort,
I do have two concerns I would like to address with our
witnesses today:
First, the recommendation to require reporting of all
critical infrastructure entities to the Department of Homeland
Security. While it's important that we do all that we can to
effectively respond to cyber threats in the timeliest manner,
we must do so without interrupting established cyber threat
reporting. As Ranking Member of the Energy and Natural
Resources Committee, a prime example are critical energy
infrastructure entities. They should still report through their
established chains with the Department of Energy, and that
intelligence should be made available to the eventual National
Cyber Director.
Second, the Commission's report explicitly rejected a model
deterring major cyberattacks on our critical infrastructure by
assuring adversaries who contemplate such actions with an in-
kind response; namely, retaliating against their critical
infrastructure through cyberattacks. The Commission's report
suggests that a retaliatory doctrine of doing to an adversary
what an adversary does to us is immoral, and even inconsistent
with international law. A strategy of deterrence based on
retaliation in-kind, symmetrical against an adversary is the
basis of our nuclear deterrence that has been in place since
the end of World War II. We do not consider this strategy
illegal, immoral, or ineffective. Moreover, the idea that an
adversary would be deterred from hitting our critical
infrastructure by a threat that we would disable their
computers or their cyber forces does not seem very likely to
me. This is even assuming that we will be able to identify and
incapacitate their cyber forces, which, I submit, is an
uncertain and momentary solution.
Before turning to our witnesses for opening statements, I
will close by noting that the Commission has proposed, and this
Committee has endorsed, in the NDAA, an extension of the life
of the Commission. This was done for the 9/11 Commission, and I
think it is a good idea for Senator King and Congressman
Gallagher to be able to observe how the Commission's work is
being implemented, and to revisit issues that could not be
resolved in this year's budget and legislative cycle.
Thank you, Mr. Chairman. I look forward to hearing from our
witnesses.
Senator Rounds. Thank you, Senator Manchin.
I think the best way to approach this, probably, since
you've done a combined opening statement, which is in the
record now--Senator King, would you like to begin, and we'll
have you and then Representative Gallagher, and then finish up
with General Inglis, if that works, in terms of how you would
like to proceed?
STATEMENT OF SENATOR ANGUS S. KING, JR., CO-CHAIR, CYBERSPACE
SOLARIUM COMMISSION
Senator King. Thank you, Mr. Chairman.
There are so many aspects of this, an opening statement
could go on all afternoon. I am going to try very hard not to
make that happen.
Let me just make one point about the pandemic. Among all
the other things we've learned, I think one of the most
important things we've learned is that the unthinkable can
happen. A year ago, we would not have contemplated where we are
now with a disease that we're having to deal with on a
worldwide basis. So it is with a cyberattack. It seems
unthinkable, it seems the stuff of science fiction, and yet it
can and it has happened. In fact, it's happening right at this
very moment.
Our basic purpose in the work that we did on this
Commission--and I will outline how it was--how we proceeded--
was to be the 9/11 Commission, without 9/11. Our whole purpose
is to avoid not only a cyber catastrophe, but a death by a
thousand cyber cuts. That's really what we want to talk about
here today.
The Commission, as you mentioned, Mr. Chairman, was set up
almost 2 years ago in the National Defense Authorization Act,
and our mission was to develop a comprehensive cyber strategy
for the country, and recommend how it should be implemented.
There were 14 members. I think part of the success of the
Commission rests upon how it was structured. There were 14
members: four members of Congress, and then there were four
members from the executive, from the relevant agencies, and six
members from the private sector. We had over 30 meetings. We
had 90 percent attendance at our meetings. We met in this
building, just downstairs, over and over. We had hundreds of
documents, witnesses, and an immense amount of literature
search and review of all of the ideas that could be brought
before us on these subjects.
I am proud to say that the work of this Commission was
entirely nonpartisan. In fact, to this day, other than the four
members of Congress whose--who wear their party labels on their
sleeves, I have no idea of the party affiliation of any of the
other 10 members of the Commission, and I can honestly say
that, in all of those 30 meetings, there was not a single
comment, discussion, question that suggested any partisan
content or any kind of partisan point of view in our
Committee's--in our Commission's discussions. Four-hundred
interviews, we came up with 82 recommendations; 57, as Senator
Manchin mentioned, were turned into actual legislative
language.
What are the basic principles of the report? They can be
summarized in three words: reorganization, resilience, and
response:
Reorganization, I think we're going to talk a lot about
today. How are we organized in order to meet this challenge?
Secondly, resilience. How do we build up our defenses so
that cyberattacks are ineffective, and that that, in itself,
can be a deterrent if our adversaries decide it's simply not
worth it?
The final is response. How do we develop a deterrent
strategy that will actually work, particularly for attacks
below the level of the threshold of use of force? We haven't
had a catastrophic cyberattack, probably because of the
deterrents that we already have in place. The problem is, we're
being attacked in a lower-level way continuously, whether it's
the theft of intellectual property, whether it's the theft of
the OPM records of millions of American citizens, whether it's
the attack on our election in 2016. That's the area where we
remain vulnerable, and we haven't developed a deterrent policy.
What is layered cyber deterrence, which is the fundamental
theory that we put forth? It's to shape behavior, it's to deny
benefits, and it's to impose costs.
I know that we're going to spend a great deal of time in
this hearing talking about the National Cyber Director, but I
do want to address it briefly in these opening remarks.
The mission and the structure of the National Cyber
Director is almost identical of the Principal Cyber Advisor
position that we've created at the Department of Defense. The
difference is a wider scope. Just as we were preparing for the
hearing, I made a quick list of seven or eight or nine Federal
agencies, all of which have cyber responsibility outside of the
Department of Defense. The fundamental purpose and structure of
the National Cyber Director is to provide a person in the
administration with the status and the advisory relationship
with the President to oversee this diverse and dispersed
authority throughout the Federal Government. For the same
reason we created the Cyber Advisor in the Department of
Defense, we need to do it nationwide, and that's the
fundamental purpose. I am sure we'll be able to--we'll go into
much more detail on this.
But, before I complete my statement, I have got two written
records. One is a very strong letter from the U.S. Chamber of
Commerce endorsing the National Cyber Director position. The
second is the testimony recently in the House by former
Representative Mike Rogers, former chair of the Intelligence
Committee, who confesses that he has 180 degrees changed his
position on the idea of a National Cyber Director, from
steadfast opposition to very strong support.
I would like to introduce both of those documents into the
record, with the permission of the Chair.
Senator Rounds. Without objection.
Senator King. Thank you.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Senator King. I will end my comments now, and we will be
able to really discuss more of the details, particularly on the
National Cyber Director recommendation, as the hearing
progresses.
Thank you, Mr. Chair.
[The combined statement of Senator King, Representative
Gallagher, and General Inglis follows:]
Joint Prepared Statement by The Honorable Angus King, The Honorable
Mike Gallagher, and Mr. Chris Inglis
introduction--intent of the commission and focus of our effort
Our American way of life depends on a global, interconnected, and
interdependent cyberspace which has created the modern United States'
economy and society. At the same time, cyberspace creates political and
strategic opportunities for malicious actors seeking to undermine our
national security, economy, and political system. For these reasons,
the Cyberspace Solarium Commission was established by the John S.
McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019
to ``develop a consensus on a strategic approach to defending the
United States in cyberspace against cyberattacks of significant
consequences.''
The Commission is composed of fourteen Commissioners, including
four currently serving legislators, four executive branch leaders, and
six recognized experts with backgrounds in industry, academia, and
government service, and this composition is unique to this Commission.
Led by Senator Angus King and Representative Mike Gallagher, the
Commission spent the past thirteen months studying the challenges
facing the United States in cyberspace, developing potential solutions,
and deliberating courses of action to produce a comprehensive report.
Our Commissioners convened nearly every Monday that Congress was in
session for over a year, conducting a total of 30 meetings. The staff
conducted more than 400 engagements with industry; federal, state, and
local governments; academia; non-governmental organizations; and
international partners. The Commission also recruited our nation's
leading cybersecurity professionals and academic minds to rigorously
stress test the findings and red team the different policy options in
an effort to distill the optimal approach to securing the United States
in cyberspace.
The Commission's final report was presented to the public on March
11, 2020, and identified 82 specific recommendations. These bi-partisan
recommendations were then subsequently turned into 54 legislative
proposals that have been shared with the appropriate Committees in the
Senate and the House of Representatives. Our Commissioners have now
testified before Congress five times to impress upon you the urgency of
the cyber threat faced by the United States today.
In addressing the NDAA's tasking, the Commission found that our
critical infrastructure--the systems, assets, and entities that
underpin our national security, economic security, and public health
and safety--are increasingly threatened by malicious cyber actors.
Effective critical infrastructure security and resilience requires
reducing the consequences of disruption, minimizing vulnerability, and
disrupting adversary operations that seek to hold our assets at risk.
Not only does our critical infrastructure provide the foundation for
our economic and societal strength, but without functioning logistics
networks, power generation and distribution, and other critical
functions, our military would be debilitated. In short, resilience is
national defense.
The Commission identified a number of DOD specific proposals, all
of which were taken up by your Committee and edited and improved by
your staff, these include: conducting a force structure assessment of
the Cyber Mission Force; reviewing delegation of DOD authorities to
enable more rapid decision-making to conduct cyber campaigns; requiring
companies within the defense industrial base (DIB) to participate in a
threat intelligence sharing program and mandatory threat hunting on DIB
networks, examining the establishment of a cyber reserve force; and,
clarifying the cyber capabilities and strengthen the interoperability
of the National Guard, all of these have been included in both the
House and the Senate versions of the NDAA. In addition, several
recommendations are only in the Senate version, these include: creating
a major force program funding category for the U.S. Cyber Command,
conducting a cybersecurity vulnerability assessment of all segments of
the nuclear control system and continual assessment of our conventional
weapon systems' cyber vulnerabilities.
While we do not want to lose sight of the responsibility that this
Committee has to focus on military issues, we also recognize that our
national security--particularly with respect to cyberspace--cannot rely
on the Department of Defense as the only stakeholder. To that end, we
urge the Committee to consider the full scope of the 82 recommendations
that the Commission proposed in our full report.
The future of our national security requires both the executive
branch and Congress to work in tandem to prioritize and implement the
key Commission recommendations to build a more effective government
cybersecurity capability. These include establishing a National Cyber
Director in the Executive Office of the President; strengthening the
Cybersecurity and Infrastructure Security Agency (CISA) to lead
interagency coordination and coordination between the Federal
Government and private sector; developing a Continuity of the Economy
Plan to ensure the public and private sectors are prepared to rapidly
restart our economy after a major disruption; recruiting, developing,
and retaining a stronger Federal workforce, planning and executing a
national-level cyber table-top exercise on a biennial basis that
involves senior leaders from the executive branch, Congress, state
governments, and the private sector, as well as international partners;
and fostering public-private collaboration to ensure coherence, agility
and speed in the nation's response to cyber attacks. \1\
---------------------------------------------------------------------------
\1\ The National Cyber Director and strengthening CISA
recommendations are in both the House and Senate Fiscal Year 2021
NDAAs; the CotE and stronger cyber workforce recommendations are only
in the Senate Fiscal Year 2021 NDAA; and the table-top exercise
recommendation is only in the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
A second critical line of effort is building a more robust system
for private-public collaboration, this includes recommendations such as
establishing an Integrated Cyber Center within CISA, creating a Joint
Cyber Planning Office (JCPO) to coordinate cybersecurity planning and
readiness across the Federal Government and between the public and
private sectors; establishing and funding a Joint Collaborative
Environment for sharing and fusing threat information; and establishing
authority for CISA to threat hunt on .gov networks. These all also can
work in concert to create a more resilient infrastructure, a
significant improvement from what we have today. \2\
---------------------------------------------------------------------------
\2\ All four of these recommendations: the Integrated Cyber Center,
the JCPO, the Joint Collaborative Environment, and CISA threat hunting
on .gov are only included in the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Throughout the process of developing its recommendations, the
Commission always considered Congress as its ``customer.'' Through the
NDAA, Congress tasked the Commission to investigate cyber threats that
undermine American power and prosperity, to determine an appropriate
strategic approach to protect the nation in cyberspace, and to identify
policy and legislative solutions. As Commissioners, we are here today
to share what the Commission learned, advocate for our recommendations,
and work to assist you in any way we can to solve this serious and
complex challenge.
the challenge
The Commission's final report made clear that while the United
States has, to date, successfully deterred strategic cyberattacks that
rise to the level of an armed attack, below that threshold, there is a
significant set of adversary behavior that the United States has not
prevented. In the past few decades, adversaries have used cyberspace to
attack American power and interests. We must be clear--if adversaries
attack the U.S. in cyberspace, they will pay a price. The more
connected and prosperous our society has become, the more vulnerable we
are to aspiring great power rivals, rogue states, extremists, and
criminals. These attacks on America occur beneath the threshold of
armed conflict and create significant challenges for the private sector
and the public at large.
The American public relies on critical infrastructure, roughly 85
percent of which--according to the Government Accountability Office--is
owned and operated by the private sector. Increasingly, institutions
Americans rely on--from water treatment facilities to hospitals--are
connected and vulnerable. Securing the nation in the 21st Century
requires an interconnected system composed of both public and private
networks that is secure from state and non-state threats. China commits
rampant intellectual property theft to help its businesses close the
technological gap, costing non-Chinese firms over $300 billion per
year. Massive data breaches, including those suffered by Equifax,
Marriott, and the Office of Personnel Management (OPM), enable Chinese
spies to collect data on hundreds of millions of Americans.
Russia targets the integrity and legitimacy of elections in
multiple countries while actively probing critical infrastructure. In
spring 2014, Russian-linked groups launched a campaign to disrupt
Ukrainian elections that included attempts at altering vote tallies,
disrupting election results through distributed-denial-of-service
(DDoS) attacks, and smearing candidates by releasing hacked emails.
They continue to spread hate and disinformation on social media to
polarize free societies. But they have not stopped there. The 2017
NotPetya malware attack spread globally, temporarily shutting down
major international businesses and affecting critical infrastructure.
Russian groups have even been found surveilling nuclear power plants in
the United States. In Ukraine in 2015 and 2016, they demonstrated the
capability and willingness to disrupt power generation and distribution
through a cyber operation.
Iran and North Korea attack United States and allied interests
through cyberspace. Iranian cyber operations have targeted the energy
industry, entertainment sector, and financial institutions.
There are also documented cases of Iranian APTs targeting dams in
the United States with DDoS attacks. North Korea exploits global
connectivity to skirt sanctions and sustain an isolated, corrupt
regime. The 2017 WannaCry ransomware attacks hit over 300,000 computers
in 150 countries, and temporarily disrupted a number of UK hospitals.
According to United Nations estimates, North Korean cyber operations
earn $2 billion in illicit funds for the regime each year.
Beyond nation-states, a new class of criminal thrives in this
environment. Taking advantage of widespread cyber capabilities revealed
by major state intrusions, criminal groups are migrating toward a
``crime-as-a-service'' model in which threat groups purchase and
exchange easily deployable malicious code on the dark web. In 2019,
ransomware incidents grew by over 300 percent compared to 2018 and hit
over 40 U.S. municipalities. More recently, opportunistic hackers have
hijacked hospitals and healthcare systems during the COVID-19 pandemic,
taking advantage of poorly protected systems when they were most
vulnerable.
strategic approach
The strategy put forth by the Commission, layered cyber deterrence,
combines a number of traditional deterrence mechanisms and extends
their use beyond the government to develop a whole-of-nation approach.
It also updates and strengthens our declaratory policy for cyberattacks
both above and below the level of armed attack. The United States must
demonstrate its ability to impose costs while establishing a clear
declaratory policy that signals to rival states the costs and risks
associated with attacking America in cyberspace. Since America relies
on critical infrastructure that is primarily owned and operated by the
private sector, the government cannot defend the nation alone.
Cyber deterrence is not nuclear deterrence. The fact is, no action
will stop every hack. Rather, the goal is to reduce the severity and
frequency of attacks by making it more costly to successfully attack
American interests through cyberspace. Layered cyber deterrence
consists of three layers, each of which are underpinned by broad
reformation of the way the U.S. Government approaches cybersecurity.
The outer layer consists of shaping behavior by leveraging non-military
instruments of power and building partnerships. The second layer
focuses on denying adversaries the benefits of attacks by building
greater resilience in our critical infrastructure, networks, and
systems and reshaping the overall cyber ecosystem towards greater
defensibility and security. The inner layer consists of imposing costs
on adversaries when they do attack us. While each layer adds an
essential dimension to the defense of the nation, they form an
interlocking and mutually reinforcing set of activities that
concurrently increase the difficulty, costs, and ultimately the will of
aggressors who seek to attack our nation in and through cyberspace.
Layered cyber deterrence combines traditional methods of altering
the cost-benefit calculus of adversaries (e.g., denial and cost
imposition) with forms of influence optimized for a connected era, such
as promoting norms that encourage restraint and incentivize responsible
behavior in cyberspace. Strategic discussions all too often prioritize
narrow definitions of deterrence that fail to consider how technology
is changing society. In a connected world, those states that harness
the power of cooperative, networked relationships gain a position of
advantage and inherent leverage. The more connected a state is to
others and the more resilient its infrastructure, the more powerful it
becomes. This power requires secure connections and stable expectations
between leading states about what is and is not acceptable behavior in
cyberspace. It requires shaping adversary behavior not only by imposing
costs but also by changing the ecosystem in which competition occurs.
Core to layered cyber deterrence is public-private collaboration to
efficiently coordinate how the nation responds with speed and agility
to emerging threats, not just on an ad hoc basis, but also in an
institutionalized, practiced way. The Federal Government alone cannot
solve the challenge of adversaries attacking the networks on which
America and its allies and partners rely. It requires collaboration
with state and local authorities, leading business sectors, and
international partners, all within the rule of law. This strategy also
outlines the planning needed to ensure the continuity of the economy
and the ability of the United States to rebound in the aftermath of a
major, nationwide cyberattack of significant consequence. Such planning
adds depth to deterrence by assuring the American people, allies, and
even our adversaries that the United States will have both the will and
capability to respond to any attack on our interests.
specific recommendation for a national cyber director
For the past 20 years, commissions, initiatives, studies, and even
four Presidential Administrations have been challenged to define and
establish an effective national-level mechanism for coordinating cyber
strategy, policy, and operations. It is imperative that the executive
branch have a strong, stable, and expert-led cyber office and leader
within the White House. To fill this gap, the Commission recommended
the creation of a National Cyber Director. Similar to the way in which
the Secretary of Defense's Principal Cyber Advisor (PCA) supports the
DOD, the National Cyber Director would support the President by
formulating, recommending, integrating, and implementing policies and
strategies to improve the nation's ability to operate in cyberspace.
Former House Intelligence Committee Chairman, Mike Rogers,
testified to the House Oversight and Reform Committee that ``this is
not an abstract problem. In April 2015, IT staffers at the Office of
Personnel and Management (OPM) discovered that their systems were
breached by hackers, ultimately linked to China, that extracted
millions of sensitive SF-86 personnel security clearance forms and
millions of fingerprint cards. This is not to say that had the National
Cyber Director been in place that the OPM hack would not have
happened--but it is to say that there would have been a person
responsible for ensuring that the nation's cybersecurity posture was as
strong and robust as possible, and whom Congress could hold accountable
for failings and shortcomings.'' Establishing a National Cyber Director
within the Executive Office of the President would consolidate
accountability for harmonizing the executive branch's policies,
budgets, and responsibilities in cyberspace while implementing
strategic guidance from the President and Congress. \3\
---------------------------------------------------------------------------
\3\ The recommendation for the creation of a National Cyber
Director was introduced as a standalone bill in the House as H.R.7331
and is also included in the House Fiscal Year 2021 NDAA. A provision
for an independent assessment of establishment of a National Cyber
Director is included in the Senate Fiscal Year 2021 NDAA bill.
---------------------------------------------------------------------------
Situated within the Executive Office of the President, the Senate-
confirmed National Cyber Director would be supported by the Office of
the National Cyber Director and fill several important roles:
1. Act as the President's principal advisor on cybersecurity and
associated emerging technology issues and lead development of a
National Cyber Strategy and associated policies;
2. Ensure the implementation of the National Cyber Strategy across
departments and agencies to include the effective integration of
interagency efforts, and providing for the review of designated
department and agency cybersecurity budgets.
3. Oversee and coordinate Federal Government activities to defend
against adversary cyber operations inside the United States, to include
coordination with private sector and state, local, tribal, and
territorial (SLTT) entities;
4. With concurrence from the National Security Advisor or the
National Economic Advisor, convene and coordinate Cabinet-level or
National Security Council (NSC) Principals Committee--level meetings
and associated preparatory meetings.
Recommendation Development
Early in this process, Commissioners identified the need to create
a leadership position but were faced with three key decision points:
(1) how to address the gap in national leadership, coordination, and
consistent prioritization, (2) whether to recommend Senate confirmation
for the coordination and leadership position, and (3) the size,
structure, and scope of authorities.
The Commission explored other options for cybersecurity structure
like the creation of a new cabinet department for cyber, but ultimately
decided to strengthen the existing agency (CISA), rather than the
creating a new department, as the protracted development of a new
department would prevent much-needed near-term progress. Like the DOD's
PCA, it is imperative that the National Cyber Director get appropriate
access to the right leadership, and be institutionalized to be
successful. In contemplating the stature of the position, the
Commission determined that it must sit within the EOP and be Senate
confirmed to not only signal Congress' commitment to cyber issues, but
also afford them a level of political support that bipartisan
endorsement would bring, and ensure effective oversight. Senate-
confirmation of EOP leadership is not without precedent. The heads of
the Office of Management and Budget, the Office of the National Drug
Control Policy, Office of Science and Technology Policy, and the Office
of the United States Trade Representative are all Senate-confirmed. The
Director's focus must be on creating and implementing national
strategy, which further instilled the Commission's conviction that the
National Cyber Director must sit apart from departments and agencies,
both of which focus on the day-to-day responsibilities of their given
mission set. The Office of the PCA at DOD, which the Commission also
looked to for guidance, similarly has an office and staff to support
their efforts to establish and oversee the implementation of DOD
cyberspace policy and strategy.
Recommendation Details
Structure and Size of Office. The National Cyber Director should
oversee and manage the Office of the National Cyber Director, and be
assisted in their duties by two Deputy National Cyber Directors: the
Deputy National Cyber Director for Strategy, Capabilities, and Budget
and the Deputy National Cyber Director for Plans and Operations. To
fulfill the full range of functions and responsibilities envisioned in
the recommendation, the Commission recommends the Office of the
National Cyber Director be staffed with approximately 75 to 100 full-
time employees, \4\ a size similar to that of existing, comparable EOP
organizations. A mix of rotating detailees from other federal
departments of agencies and direct-hire, full-time employees would
comprise those employees.
---------------------------------------------------------------------------
\4\ While the Commission's March 2020 report recommended the Office
of the National Cyber Director to be staffed by 50 persons, follow-up
interviews with various experts consistently and strongly supported
increasing the staff number to 75 to 100.
---------------------------------------------------------------------------
Policy and Strategy Development and Coordination. The National
Cyber Director should be the President's primary advisor on issues
involving cyber, cybersecurity, federal information security, and
associated emerging technologies, and statutorily appointed to the NSC.
Akin to the structure Congress gave the PCA in DOD, the NCD-developed
strategy would establish a clear vision, priorities, and objectives to
advance the cybersecurity posture of the United States. As such, the
National Cyber Director would be responsible for policy and strategy
development relevant to these issues, including the development of a
National Cyber Strategy, in coordination with other appropriate offices
within the Executive Office of the President.
If implemented as envisioned, the National Cyber Director's primary
responsibility for cyber and associated emerging technology-related
policy and strategy development is not expected to limit or constrain
the ability of other White House principals, such as the National
Security Advisor, Homeland Security Advisor, or the National Economic
Advisor, to address similar issues. However, as a statutory member of
the National Security Council and as an Assistant to the President, the
National Cyber Director would likely participate in Principal's
Committee meetings with the President where these issues are under
consideration. Given this reality, the Commission recommends that White
House offices avail themselves of the expertise, participation, and
guidance of the National Cyber Director (and staff) early and
throughout their respective policymaking processes for issues within or
related to the National Cyber Director's remit. This should serve to
reduce uncoordinated, parallel processes that could undermine the
overall aim of a unified, cohesive cyber strategy.
While the policy coordination authorities and responsibilities
outlined above are sufficient to empower the National Cyber Director in
developing a National Cyber Strategy and implementing its relevant
policy changes, they alone would have limited effectiveness in driving
implementation through department and agency budgetary and programmatic
priorities. Congress itself has acknowledged the need for budget
authority for effective execution of programmatic leadership in the
authorities it gave the DOD PCA to advise, advocate for, and identify
shortfalls in DOD budgets with respect to DOD cyber planning.
Additionally, the lack of any oversight authority for performance,
programs, and budget would significantly limit the National Cyber
Director's ability to negotiate compromises among departments and
agencies, forge consensus, and drive the President's agenda, something
the DOD PCA authorizing legislation (Fiscal Year 202014 NDAA as amended
in Fiscal Year 2020 NDAA) addressed by providing the PCA the ability to
provide recommendations on addressing such shortfalls in the Program
Budget Review process. The Commission recommends that the National
Cyber Director be granted, in coordination with the Office of
Management and Budget, similar budget and oversight responsibilities in
the implementation of a National Cyber Strategy, to include an annual
assessment and report to Congress and the President on departments and
agencies' implementation of the strategy and its relevant policies and
programs.
The National Cyber Director should have the authority to act as a
certifier for department and agency budgets. This authority would grant
the National Cyber Director the power to review the annual budget
proposal for each federal department or agency and certify to heads of
these organizations and the Director of the Office of Management and
Budget whether the department or agency proposal is consistent with the
National Cyber Strategy. It is expected that the National Cyber
Director and the relevant examiners in the Office of Management and
Budget would work closely together early and throughout the entire
budgetary process to identify inconsistencies, gaps, and redundancies
in budget and programs and negotiate resolutions with relevant
departments and agencies. Additionally, the Director would have the
authority to review department and agency transfer or reprogramming
requests to the Office of Management and Budget that would increase or
decrease funding for cybersecurity programs, projects, or activities by
more than five percent. This authority would allow the Director to
ensure transfer and reprogramming actions are also consistent with the
National Cyber Strategy.
Defensive Cyber Operations Planning, Coordination, and Execution.
The National Cyber Director should lead the coordination and
integration of U.S. Government defensive cyber activities, such as a
Federal Government response to a significant cyber incident affecting
the U.S. Homeland and ``defensive cyber campaigns,'' or whole-of-
government efforts designed to deter, defend against, mitigate, or
limit the scope of an identified malicious cyber campaign. The National
Cyber Director should act primarily as a convening authority in
planning and coordinating these operations, ensuring that they are
fully integrated, taking full advantage of participating department and
agency authorities and capabilities, and reflecting the President's
priorities, similar to the authority of the DOD PCA. Day-to-day
execution of cybersecurity responsibilities should be carried-out by
appropriate federal departments and agencies, such as CISA, the Federal
Bureau of Investigation (FBI), the Department of Defense (DOD), Sector
Specific Agencies (SSAs), and others as appropriate. The National Cyber
Director is intended to ensure that they are appropriately and
effectively deconflicted, integrated, and mutually-supporting in their
approaches, and receive necessary support in furtherance of broader
government-wide efforts. The DOD PCA, in the authorizing legislation,
was granted the authority to assist in the overall supervision of
Department defensive cyber operations, including activities of
component-level cybersecurity service providers and the integration of
such activities with activities of the Cyber Mission Force. Similar to
DOD's use of the Chairman Joint Chiefs of Staff (CJCS) position to
effect cohesion among the operational COCOM's, the NCD would not serve
as the operational commander but would ensure that tasking to the
individual agencies is mapped to national strategy, coherent across
departments and agencies, mutually supporting, and properly resourced
to ensure success.
While the National Cyber Director plays the lead role in
coordinating the whole-of-government response to a significant cyber
incident, the National Cyber Director should play a supporting role in
instances where the incident evolves into a national emergency with
broader physical consequences. The Department of Homeland Security, and
the Homeland Security Advisor, play leading roles in executing and
coordinating government responses for emergencies and disasters. Where
these emergencies or disasters are a result of a significant cyber
incident, or have caused cyber-or cybersecurity-related consequences of
their own, the National Cyber Director would support and coordinate
with the Department of Homeland Security and the Homeland Security
Advisor within the scope of their authorities and responsibilities.
The Commission recommends that the National Cyber Director be made
aware of cyber-related Title 10 and Title 50 operations at the
discretion of the National Security Advisor. The NCD, like the PCA at
DOD, has a legitimate need for comprehensive situational awareness, and
therefore should be given the same insight into offensive operations.
Given the complexity of cyber operations, and the potential for
retaliation in ways that could affect the Homeland, the National Cyber
Director should be made aware of relevant U.S. operations in order to
plan, coordinate, and balance preparatory defensive efforts with such
offensive operations. Furthermore, it is expected that, as a
constituent member of the National Security Council, the director would
participate in any Principal's Committee meeting where offensive cyber
operations are under consideration and provide perspective as
appropriate.
Coordination with the Private Sector and International Partners.
The National Cyber Director would be the foremost spokesperson for the
U.S. Government for cybersecurity and emerging technology issues. As an
Assistant to the President and the senior-most official in the
government focused on cyber and cybersecurity, the National Cyber
Director would speak with the President's voice and represent the
President's priorities in engagement with the general public, the
private sector, and the international community. The National Cyber
Director is not intended to overstep or interfere with the traditional
roles played by other federal agencies, elements of the Intelligence
Community, and others. In any activity where the National Cyber
Director engages with the private sector, SLTT leaders, foreign
countries, or the general public, it is expected the National Cyber
Director would coordinate and work closely with relevant departments
and agencies.
The National Cyber Director, and their office, would serve as the
principal touchpoint for senior private sector leadership on cyber,
cybersecurity, and related emerging technology issues. The National
Cyber Director, like the PCA Office for DOD, would complement and
coordinate with CISA in developing and building an effective public-
private partnership. The Commission recommends that CISA, and other
agencies as applicable, include and coordinate with the National Cyber
Director in senior-level meetings of sector coordinating councils,
cross-sector coordinating councils, and other meetings of the Critical
Infrastructure Partnership Advisory Council. The National Cyber
Director should also work in conjunction with and complement the Joint
Cyber Planning Office (JCPO) within the Cybersecurity and
Infrastructure Security Agency, charged with drafting and coordinating
plans and playbooks across departments and agencies at the working
level under the guidance, processes, and priorities set by the National
Cyber Director. \5\
---------------------------------------------------------------------------
\5\ The Joint Planning Office (JCPO) recommendation is included in
only the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
It is expected that the National Cyber Director would participate
in meetings with international allies and partners on topics of
cybersecurity and emerging technologies to implement the National Cyber
Strategy and advance the President's international priorities. The
Commission recommends that the National Cyber Director be included as a
participant in preparations for and execution of cybersecurity summits
and other international meetings at which cybersecurity or related
emerging technologies are a major topic.
other notable recommendations
CMF Force Structure Assessment: The Commission recommends that
Congress direct the Department of Defense (DOD) to conduct a force
structure assessment of the Cyber Mission Force (CMF) to ensure
appropriate force structure, capabilities, and resources for DOD's
numerous missions in cyberspace. The CMF is the operational arm of U.S.
Cyber Command, and CMF teams defend the nation in cyberspace, provide
support to geographic combatant command, defend the DOD Information
Network, as well as serve analysis and planning functions. A force
structure assessment of the CMF, as well as an assessment of the
resource implications for the various intelligence community agencies
that provide tactical intelligence in their capacity as combat support
agencies, will work to ensure the CMF has sufficient forces,
capabilities, streamlined decision-making processes and appropriately
delegated authorities to achieve its objectives. \6\
---------------------------------------------------------------------------
\6\ The CMF Force Structure Assessment recommendation is included
in both the House and Senate Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Vulnerability Assessment of Nuclear Control Systems and
conventional weapons programs: A priority of the Commission was
developing recommendations to ensure the United States could continue
to maintain credible deterrence above the level of war using the full
spectrum of DOD response capabilities, and to prevail in crisis and
conflict if deterrence fails. This requires the reliability and
resilience of our weapons systems-that they will work when needed, and
as intended. Our Commission sought to ensure that our adversaries
cannot exploit cyber vulnerabilities to hold our weapon systems, both
conventional and nuclear, at risk and that these capabilities are
resilient to adversary actions in cyberspace both during conflict as
well as below the level of war in day-to-day competition. This is why
the Commission recommends that Congress direct the DOD to conduct a
cybersecurity vulnerability assessment of all segments of the nuclear
control system and continually assess our conventional weapon systems'
cyber vulnerabilities. Recently, the DOD has taken critical steps to
address this issue. As directed by Congress in the Fiscal Year 2016
NDAA, DOD began assessing the cyber vulnerabilities of each major
weapon system. However, barriers to effective cybersecurity remain.
There is no permanent process to periodically assess the cybersecurity
of fielded systems. Additionally, it is also crucial to evaluate how a
cyber intrusion or attack on one system could affect the entire
mission, assessing vulnerabilities at a systemic level. \7\
---------------------------------------------------------------------------
\7\ Vulnerability Assessment of Nuclear Control Systems and
conventional weapon systems recommendations are only included in the
Senate Fiscal Year 21 NDAA.
---------------------------------------------------------------------------
Defense Industrial Base Threat Intelligence Sharing: The Commission
recognized that there are gaps in current efforts to address cyber
vulnerabilities in the defense industrial base (DIB), where adversary
threats continue to cause the loss of national security information and
intellectual property. They also generate the risk that, through cyber
means, U.S. military systems could be rendered ineffective or their
intended uses distorted. This is why one of the critical
recommendations the Commission makes in the report is to require
companies within the DIB to participate in a threat intelligence
sharing program. Today, there is no truly shared and comprehensive
picture of the threat environment facing the DIB, and this
recommendation works to remedy that. \8\
---------------------------------------------------------------------------
\8\ DIB Threat Intelligence Sharing recommendation is included in
both the Senate and House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Delegation of DOD Authorities: The Commission also recommends
reviewing the delegation of DOD authorities to ensure they are
sufficiently delegated down to enable more rapid decision-making to
conduct cyber campaigns. In particular, the Commission recommends a
review of the conditions under which information warfare authorities
should be delegated to U.S. Cyber Command. While information is not
explicitly discussed in the 2018 DOD Cyber Strategy, the Commission
recognizes that the strategic employment of information is intertwined
with conducting cyberspace operations to influence adversary decision-
making. \9\
---------------------------------------------------------------------------
\9\ Delegation of DOD Authorities recommendation is included in
both the Senate and House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Cyber Reserve Force: A final critical element of supporting defend
forward is the establishment of a ``cyber reserve force'' to provide a
surge capability that the DOD can mobilize in times of crisis or
conflict. The Commission believes this should be a non-traditional
military reserve force, with less restrictive and burdensome
requirements for drilling, grooming, physical fitness, and other
standards. This is meant to address issues of talent management,
particularly retention, within the current active and reserve force.
\10\
---------------------------------------------------------------------------
\10\ The Cyber Reserve Force recommendation is included in both the
Senate and House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Threat Hunting: To identify vulnerabilities on networks critical to
national security, the Commission also recommends that there should be
a mechanism for mandatory threat hunting on DIB networks. Actions such
as improving detection and mitigation of adversary cyber threats to the
DIB are critical to providing for the proper functioning and resilience
of key military systems and functions. It is also critical to establish
authority for CISA to threat hunt on .gov networks for the same
reasons. Congress must also establish authority for CISA to threat hunt
on .gov networks. Actions such as improving detection and mitigation of
adversary cyber threats to the DIB and the .gov are critical to
providing for the proper functioning and resilience of key systems and
functions. \11\
---------------------------------------------------------------------------
\11\ The DOD threat hunting recommendation is included in both
House and Senate Fiscal Year 2021 NDAA, the CISA threat Hunting
recommendation is included in only the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Joint Cyber Planning Office and Tabletop Exercises: Elements of the
U.S. Government and the private sector often lack the institutions and
tools necessary for successful collaboration to counter and mitigate
malicious nation-state cyber campaigns. To address this shortcoming,
the executive branch should establish a Joint Cyber Planning Office
under CISA to coordinate cybersecurity planning and readiness across
the Federal Government and between the public and private sectors for
significant cyber incidents and malicious cyber campaigns. In a similar
vein, Congress should direct the U.S. Government to plan and execute a
national-level cyber table-top exercise on a biennial basis that
involves senior leaders from the executive branch, Congress, state
governments, and the private sector, as well as international partners,
to build muscle memory for key decision makers, develop new solutions,
and strengthen our collective defense. \12\
---------------------------------------------------------------------------
\12\ The JCPO and tabletop exercise recommendations are included in
only the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
National Guard: Congress should also clarify the cyber capabilities
and strengthen the interoperability of the National Guard. States have
increasingly relied on National Guard units under state Active Duty and
Title 32 of the U.S. Code to prepare for, respond to, and recover from
cybersecurity incidents that overwhelm state and local assets. \13\
---------------------------------------------------------------------------
\13\ The National Guard recommendation is included in both the
Senate and House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Strategy to Secure Foundational Internet Protocol and Email: To
help reduce vulnerabilities in government networks and critical
infrastructure, Congress should require the National Telecommunications
and Information Administration and CISA to work with private
stakeholders to develop a strategy to secure foundational internet
protocols. In parallel, CISA should work with private sector partners
to implement a more secure standard for email across all U.S.-based
email providers. \14\
---------------------------------------------------------------------------
\14\ The Strategy to Secure Foundational Internet Protocol and
Email recommendation is included in only the House Fiscal Year 2021
NDAA.
---------------------------------------------------------------------------
Continuity of the Economy Planning: The United States must take
immediate steps to ensure our critical infrastructure sectors can
withstand and quickly respond to and recover from a significant cyber
incident. As a whole, the government should more thoroughly plan for
what we know to be an eventuality, as we currently do for military
planning. Congress should direct the executive branch to develop a
Continuity of the Economy plan. As the COVID-19 pandemic has
demonstrated, the United States does not currently possess sufficient
planning to ensure the continuity of the economy in the face of
disruption. This plan should include the Federal Government; state,
local, territorial, and tribal (SLTT) entities; and private
stakeholders who can collectively identify the resources and
authorities needed to rapidly restart our economy after a major
disruption. \15\
---------------------------------------------------------------------------
\15\ The CotE Planning recommendation is included in only the
Senate Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Codify Sector Risk Management Agencies and Establish a National
Risk Management Cycle: The Commission recommends that Congress codify
sector-specific agencies in law as ``sector risk management agencies''
to ensure consistency of effort across critical infrastructure sectors
and ensure that these agencies are resourced to meet growing needs. In
conjunction with this codification, the Commission recommends
establishing a four-year cycle of risk identification and assessment
led by DHS, in coordination with sector risk management agencies, that
prompts and supports a National Critical Infrastructure Resilience
Strategy led by the President. \16\
---------------------------------------------------------------------------
\16\ Codifying Sector Risk Management responsibilities is included
in only the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Joint Collaborative Environment and Integrated Cyber Center:
Effectively ensuring U.S. defense in cyberspace also requires creating
a robust public-private collaboration to protect national critical
infrastructure through sharing and fusing threat information, insights,
and other relevant data in a joint collaborative environment. This will
require an effective integrated cyber center within CISA which will
improve integration of the numerous existing federal cybersecurity
centers, sustaining and supporting the National Security Agency
Cybersecurity Directorate's collaboration with and support to other
federal departments and agencies, and facilitate a more robust
relationship between the Intelligence Community and the private sector.
Such an effort would work hand in hand with the Commission's
recommendation to review existing authorities for providing
intelligence support to the private sector and, where appropriate,
codify processes for identifying private sector cyber intelligence
needs and priorities. More generally, it is also critical for Congress
to institutionalize DOD participation in public-private cybersecurity
initiatives following the model of the Pathfinder program. Such
initiatives allow public-private collaboration to move beyond threat
information sharing toward better human-to-human collaboration. \17\
---------------------------------------------------------------------------
\17\ The Integrated Cyber Center within CISA and funding for a
Joint Collaborative Environment recommendations are included in only
the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
Assistant Secretary of State: Congress should create an Assistant
Secretary of State in the Department of State, within a new Bureau of
Cyberspace Security and Emerging Technologies, who will lead the U.S.
Government effort to strengthen international norms in cyberspace and
build a coalition of like-minded allies and partners to enforce those
norms. This high-level leadership is required to coordinate efforts to
shape behavior in cyberspace and ensure the future internet reflects
the tenets of freedom, interoperability, security, reliability, and
openness.
Not only do these values best support democracy, but they also
foster the economic environment in which our open and competitive
market thrives. \18\
---------------------------------------------------------------------------
\18\ The Assistant Secretary of State recommendation is not
included in either the House or Senate Fiscal Year 2021 NDAA due to
disagreements over where to place the position, not opposition to the
concept.
---------------------------------------------------------------------------
Cyber Insurance: Insurance could be a means to improve cyber risk
management at scale, but the market for insurance to protect against
cyber risk is immature and therefore failing to deliver on this public
policy potential. To help improve the reliability of cyber insurance
risk management and unlock the market, Congress should fund a Federally
Funded Research and Development Center to serve as the focal point for
the development of training and certification programs for cyber
insurance underwriters and claims adjusters. \19\
---------------------------------------------------------------------------
\19\ The Cyber Insurance FFRDC recommendation is included in only
the House Fiscal Year 2021 NDAA.
---------------------------------------------------------------------------
conclusion
The number of cyberattacks that the United States and its allies
and partners have experienced clearly indicate the vulnerabilities we
face in defending our critical infrastructure. Today, the nation faces
a different challenge in the form of the pandemic, a non-traditional
national security emergency, which has demonstrated the critical need
we face in the cyber domain for both strategic leadership at the White
House, and the need to build resilience in our networks to withstand
and rapidly recover from a significant critical infrastructure attack.
We believe this Committee, in addition to its traditional DOD
oversight responsibilities, should continue to lead in the cyber domain
by supporting national security related NDAA cyber provisions, and work
to incorporate key Cyberspace Solarium Commission recommendations that
strengthen and prepare the nation for cyberattacks, including the
recommendations for the National Cyber Director and Continuity of the
Economy Planning efforts.
The 2019 NDAA charted the U.S. Cyberspace Solarium Commission to
address two fundamental questions: What strategic approach will defend
the United States against cyberattacks of significant consequence? What
policies and legislation are required to implement that strategy? The
Commission has completed its assigned tasks and provided the executive
branch and Congress with a number of legislative and policy proposals.
We now need your leadership to review and enact these key legislative
proposals and empower and resource the government and the private
sector to prepare ahead of the crisis, and to act with speed and
agility to secure our cyber future.
Senator Rounds. Thank you, Senator King.
Representative Michael Gallagher, I believe you'll be
joining us virtually here. Are you ready, sir?
Representative Gallagher. I am. Can you hear me?
[Laughter.]
Senator Rounds. Ah. Just back off a little bit. Hang on a
second. We're going to bring that volume down just a little
bit, here.
All right, let's try that again.
Representative Gallagher. Okay. Hopefully, that's a little
bit better, not too jarring.
Senator Rounds. Much, much better. Thank you.
Welcome.
STATEMENT OF REPRESENTATIVE MICHAEL J. GALLAGHER, CO-CHAIR,
CYBERSPACE SOLARIUM COMMISSION
Representative Gallagher. Thank you, Mr. Chairman. Thank
you for, not only your leadership, but for the kind words about
my baby daughter. We truly do feel blessed, and, to my good
friend, Ranking Member Manchin, thank you, sir, and all the
distinguished Members of the Committee, for allowing us to
testify on behalf of our report.
I have enormous respect for this Committee in the Senate,
because, before I was a member of the House, I was a staffer in
the Senate, which is to say there was a time when I actually
used to wield real power.
[Laughter.]
Representative Gallagher. So, thank you for letting me
return to my roots in the Senate.
As Angus, my--as Senator King laid out, our adversaries'
cyber operations continue to increase in sophistication and
frequency, creating what is really an unacceptable risk to our
national security. Given what we know, the state of our
defenses and our adversaries' intentions, a major disruptive
cyberattack to critical infrastructure at this point is almost
something to be expected. Therefore, I would say we have no
choice but to hope for the best while planning for the worst.
With this in mind, I would like to emphasize at least two
of our critical proposals as we look ahead to the NDAA
conference.
First, I strongly agree with my co-chair, Senator King, on
the importance of establishing a National Cyber Director. The
country needs strategic leadership on cybersecurity, and we all
believe this is the right balance of authority, responsibility,
and necessary prominence. A Senate-confirmed National Cyber
Director within the Executive Office of the President that
wields both budget and policy authority, to coordinate cyber
policy across the Federal Government, in my opinion, and in the
opinion of the Commission, would bring the focus that
cybersecurity desperately needs at the highest levels of the
Federal Government.
Secondly, I would like to highlight the necessity for
continuity-of-the-economy planning. We need resilience and
redundancy in our critical infrastructure, and national
resilience necessitates planning. I would submit that the
pandemic has shown, not only that our economy is vulnerable to
widespread disruption, but to the potential impact that
economic disruption has on Americans. Just as we thought
through the unthinkable in the earliest parts of the Cold War,
so, too, now we need to think through the unthinkable, in terms
of how we would rapidly recover in the wake of a massive
cyberattack so that we have the ability to strike back with
speed and agility against whoever chooses to test us.
I would also say that, to ensure the U.S. Government
reduces vulnerabilities across critical infrastructure,
Congress must address a number of issues that impact multiple
agencies that currently work together to protect our national
security in cyberspace. Just a few of our key recommendations
on that front include: one, the institutionalizing of DOD
participation in public/private cybersecurity initiatives; two,
establishing and funding a joint collaborative environment for
sharing and fusing threat information; three, establishing an
integrated cyber center within the Cybersecurity and
Infrastructure Security Agency (CISA) to host that
collaborative environment and integrate our seven existing
Federal cyber centers; four, creating a joint cyber planning
office; five, conducting a biennial senior-leader cyber
exercise to test our plans, playbooks, and integration efforts;
and finally, and sixth, establishing authority for CISA to do
threat-hunting on all dot-gov networks. All of these provisions
are included in the House version of the NDAA.
Perhaps our most important conclusion, and what I will
close on, and a recommendation from the Commission, is that
failure to act is not an option. While we've made remarkable
progress in the last few years, the status quo is simply not
getting the job done, and the time to act is now.
Thank you again for the opportunity to testify before you
today, and for your commitment to American cybersecurity.
Senator Rounds. Representative Gallagher, thank you very
much for your opening statement.
Now we'll turn to Brigadier General, Retired, John Inglis.
Mr. Inglis, please proceed.
STATEMENT OF BRIGADIER GENERAL JOHN C. INGLIS, ANG (RET.),
COMMISSIONER, CYBERSPACE SOLARIUM COMMISSION
Brigadier General Inglis. Thank you, Chairman Rounds,
Ranking Member Manchin, and all the distinguished Committee
Members, for the privilege of testifying before you today on
the recommendations from the Cyberspace Solarium Commission.
I agree with my fellow commissioners that this last year
has been, for me, an honor and the opportunity of a lifetime to
hear from the expert counsel of a broad array of experts in
cyber technology, policy, and operations across the continuum
of private and public sectors, to include consideration of how
both allies and adversaries approach the challenge of defining
and executing a national cyberstrategy.
I fully back my colleagues here in supporting both the
overall report, to include its 82 recommendations, and to urge
you to, in particular, swiftly pass the provisions that we'll
probably discuss in great detail today, not least of which, the
National Cyber Director. To that extent, I would like to focus
my opening remarks on the National Cyber Director.
This Committee has done much to improve both the Nation's
understanding and the military's preparedness to deal with the
challenges of cyberspace, and yet we must do still more, for
military cyber power is only one of the many instruments of
power that must be applied to achieve our aims in and through
cyberspace. As you well know, cyberspace is inextricably linked
to every other domain of human interest, such that, while
cyber, comprised of both technology and the humans who make use
of it, is an instrument of power in its own right, all other
instruments of power increasingly depend upon a properly
functioning cyberspace for their efficient and effective
operation.
The reverse is also true, namely that the proper
functioning of cyberspace relies upon the effective employment
of a diverse array of authorities, tools, and expertise. These
tools and authorities are not held by one person, one
organization, or one sector, and they do not self-organize into
the coherent whole we require to ensure that cyberspace is
appropriately robust, resilient, and well-defended against the
increasing threats posed by transgressors who often operate
with impunity, holding both cyberspace and, in turn, our
nation's security at risk.
Our adversaries have gone to school on us. They routinely
seize the initiative of choosing the time, the place, the
manner of their transgressions without regard to imagined or
commonly accepted boundaries between the pervasively
interconnected swaths of cyberspace that are, again, operated
by individuals, the private sector, and governments, as a
collective whole. Absent a consistent, proactive, and joined-up
effort on our side that gives a premium to preparation,
integration, and collaboration, we will fall further behind.
To that end, the United States needs a leader to act as the
President's principal advisor on cybersecurity and associated
emergency technology issues, and to coordinate the Federal
Government response. Our experiencing--our experience as a
Nation in preparing for kinetic attacks has richly informed
doctrine and plans on how the military will respond to kinetic
attack, to include the supported and supporting roles that
other instruments of national power would play under various
scenarios. We're not in the same place with respect to
cyberattack, where the military instrument may not be the
singular, or even the supported, instrument of national power,
let alone the need to consider the actions of the private
sector, which typically maintains and operates the front line
of cyberattacks as they maintain and operate over 85 percent of
what we know as cyberspace.
To that end, there is a rough, but useful, analogy to be
drawn between what we're recommending here, in the National
Cyber Director, and the Department of Defense's use of the
Principal Cyber Advisor and/or even the Chairman of the Joint
Chiefs of Staff. Both positions are used to effect cohesion
amongst the operational combatant commanders without usurping
the efficient execution of the operational authority of those
commanders.
While installing another player, the National Cyber
Director, into the coordination of already complex cyber
operations could be a concern, I think it's important to note
how this functions in the Department of Defense. Importantly,
neither the Principal Cyber Advisor or the Chairman of the
Joint Chiefs of Staff serve as operational commanders in their
distinct and separate roles. The Cyber Advisor ensures coherent
planning for cyber capability and doctrine, and the Chairman
ensures the tasking of the individual combatant commanders is
mapped to national strategy, is coherent across COCOMs, and is
mutually supporting and properly resourced. These are useful
force multipliers for forces that are often outnumbered but
never outmatched by our adversaries. National Cyber Director
would fulfill analogous functions across agencies, similar to
the role these two roles that are already well-established and
very useful within the Department of Defense.
Finally, I would simply note that cyberspace exists
inexorably in the presence of adversaries. The contested nature
of cyberspace, where the U.S. is challenged by adversaries who
can and do attack us on every front--in our homes, in our
places of business, and within our critical infrastructure--
names--needs the same essential coherence in national strategy,
defined roles and responsibilities, and in the propensity to
collaborate based on leadership that connects and supports the
various players to a national strategy.
I would simply close by saying, while it remains difficult
to propose or to name the time and place adversary action will
take place in cyberspace, we can be certain that it will take
place. A failure to warn, prepare, and respond will result in
sure and certain costs that we can ill afford in a future where
our dependence on digital infrastructure will only grow. The
time to act is now.
I close my opening remarks, again, with the thanks for
promoting this hearing and an opportunity to discuss these in
greater detail.
Senator Rounds. Thank you very much for your testimony.
I think--let me begin. I do appreciate the work that this
Commission has done. You've not only started out with a whole
series of proposals, but, when we asked you to go back and to
flesh out, in particular, the authorities and responsibilities
of what a Cyber Director would look like, I have really
appreciated the responsiveness to--from the Commission back to
the Committee.
It is our intent to use this information to discuss and to,
basically, provide information during the markup of the
reconciliation between the House and the Senate versions of the
NDAA in conference, and the House Committee has laid out what
their vision is. The concern that we had expressed was one that
we believe that the Principal Cyber Advisors, as laid out
within the Department of Defense, have allowed for technical
knowledge and for professional expertise to be available and
deliverable to our chief executive officers immediately, and
that, with that additional expertise, they could facilitate the
use of cyber activities, offensive and defensively, where
needed.
The concern that we had was that, if, at the national
level, you created a silo, a location where there could be
authority or, for that matter, responsibilities and the ability
to simply have one more stop along the way in deciding before
policy could be executed, that we risk making those cyber
responses more challenging.
Now, the reason why I lay this out for you this is way is,
is that, over the last several years, we have followed what has
happened at the executive branch with, originally, a very well-
intended PPD-20, Presidential Policy Directive Memorandum 20,
which was started in the previous administration. Their intent
was to find consensus, but, before cyber activities would be
rolled out. Unfortunately, in doing so, it became a consensus,
which meant that any one of a number of a different individuals
could stop the movement forward of any cyber activity. That was
changed a couple of years ago with the creation of NSPM-13,
National Security Policy Memorandum 13, in which a clear line
was laid out for the decision-making process on the use of
cyber tools and the availability of cyber for our warfighters.
The reason why I lay this out is, is we were able to, in
coordination with the executive branch, streamline the process,
so we were actually able, as--and I wouldn't discuss this,
except that President Trump did share a little bit about it--
2018 and the fact that we did not have interference in our 2018
election was not by accident, it was because of the clear
capabilities of men and women of Cyber Command. It was because
they could execute appropriate cyber policy in an expeditious
manner.
What I don't want to have happen in--is to have another
layer of bureaucracy get in the way. I think you've done an
excellent job of laying out for this Subcommittee your vision
of what this would look like. But, I think, for the record, I
would ask all of you, Would it be your intent that this Cyber
Director be identified as much as a Principal Cyber Advisor,
similar to the DOD, versus having authority, responsibility,
and the ability to silo those areas and create a roadblock for
cyber actions in the future?
Senator King?
Senator King. Mr. Chairman, I would say that our proposal
is the anti-silo. The problem is now, as I mentioned, we've got
cyber activities and planning and work going on throughout the
Federal Government, and the whole idea is to bring some
coherence and coordination to that.
To your specific question, which I think is an important
one, we do not propose that the National Cyber Director be in
the chain of command for cyber actions. It's Cyber Command,
Secretary of Defense, President of the United States. We are
not talking--and you used the term ``policy executed"--we're
not talking about adding a layer, in terms of execution of
policy. We're talking about adding a coordinating function to
bring together the expertise throughout the Federal Government.
I think that's a very important distinction. That's a totally
valid question, but we view this as a bringing-together of a
coherent organization with someone at the top that has
oversight and situational awareness of what's going on in all
these different agencies. But, in terms of cyber action, such
as the action you cite in the 2018 election, this person would
be an advisor to the President, yes.
Senator Rounds. That's what I am hoping, and that's what
I--I just wanted to make it clear so that--and I would sure
like to have Representative Gallagher concur with that, if he's
available, as well.
Representative Gallagher. I do concur with what Senator
King expressed. I think I speak for the whole Commission when I
say the intent of this proposal was to build interagency
integration and not to add bureaucracy. I think, Mr. Chairman,
you did a great job of laying out how far we've come in recent
years on the offensive side. A lot of this starts 2 years ago
with the provisions we put in, as Congress, to make cyber
surveillance and reconnaissance a persistent military activity
and traditional military activity.
Senator Rounds. Correct.
Representative Gallagher. NSPM-13 is laid on top of that,
and one of the--I think, the primary values of NSPM-13 is that
it just establishes clear authority. Right? As my good friend
Senator King continually reminds me, you always want one throat
to choke, one person to keep accountable. I think our vision
for this was to provide the President with that person
primarily on the defensive side.
Now, the final thing I would say is just to confess, my
bias when I came into this was to resist the creation of new
agencies and, you know, positions. Largely, I think, we have
avoided that. But, with this, I have come to believe it's
actually the least bureaucratic option. One option would be to
create a separate agency entirely. I think that's pretty
bureaucratic. But, doing nothing I actually think is the most
bureaucratic option, because I think it will lead to a
catastrophic cyber incident that will require in layering on of
new agencies and positions in response to that. So, we really
want that National Cyber Director to get to the left of that
cyber boom by coordinating and advising the President primarily
on the defensive side of the equation.
Senator Rounds. Great, and thank you very much.
I am about out of time, but, Mr. Inglis, what would your--
very quickly, what would your thought----
Brigadier General Inglis. I would say that--I think I speak
confidently--the Commission would support your sense of the
substance and the spirit of the National Cyber Director. The
National Security Advisor is busy. He doesn't have the time, or
she doesn't have the time, to, on a daily basis, try to figure
out what our overall strategy is, vis a vis cyber. Much like
this Committee has reconciled how we think about the military
instrument of cyberpower, what we asked, I think, 2 years ago,
was, of the Nation, What is the context of the application of
the military instrument of cyberpower? Is it a traditional
military instrument--traditional military activity, or not?
Give us the expectations of what, then, it might do, and then
let us go do it. I think the National Cyber Director needs to
treat all the instruments of power in the same way: provide
context, provide expectations, and allow the depth of expertise
to then do that in a distributed fashion.
But, absent the sense of the context or the fabric, what
we'll have is a series of stovepipes that actually are a jazz
band that makes no music worth listening to.
Senator Rounds. Thank you.
Senator Manchin.
Senator Manchin. Thank you, Mr. Chairman.
I guess, to Senator King and to Congressman Gallagher and
to General Inglis, I am understanding that the way we have the
17 different intelligence agencies--and I would assume every
intelligence agency has its own cyber--I know that the FBI has
a cyber center for law enforcement, DHS has a cyber center for
dealing with cyberattacks on the Homeland, DOD, and on and on.
So, you're saying that this one person would be gathering all
the information. So, I think, if we have a credible threat to
the Homeland, if we have a credible threat, they all would have
to interact, I would assume, and agree that this is a valid
threat to present. Is that the way it's done now, or is it,
basically, just each one taking their own different direction
and shot at how they're going to----
Senator King. Well, we've----
Senator Manchin.--counter this?
Senator King. Different agencies have different
responsibilities. In addition to the ones that you mentioned,
other--the other agencies that have cyber responsibilities are
FERC----
Senator Manchin. Sure.
Senator King.--the EPA, the Department of Energy. I mean,
it's just so broad. What we're talking about is having an
office--and not a big office. We talked about the possibility,
as Representative Gallagher mentioned, of creating a new
department, but we thought that was too bureaucratic, too
heavyhanded, and would take too long. This is a position
that's--there are really two models for the position we're
talking about. One is the Cyber Advisor in the Department of
Defense. I think that's an almost exact analogy, because it was
created because there was too many moving parts in the
Department of Defense. There needed to be a coordinator. The
other model was the U.S. Trade Representative, Office of
Management and Budget, the Drug Office, and--I can't think--I
think there's one other. But--Science Technology, that's right.
These are all presidential-appointed, Senate-confirmed, and it
provides them with the status and the ability to have some
authority--and budget review authority is part of it--over the
range of cyber-involved agencies in the Federal Government.
Senator Manchin. Who do these agencies report to now,
Senator? Right now. Who do the heads of these agencies, when
there is a cyberattack----
Senator King. Well, they--they're--they would report
directly to the President. There's no cyber coordinator. That's
the whole problem.
Senator Manchin. So, this is, basically, the coordinator
you're talking about.
Senator King. Yes. There was a cyber--one of the arguments
is, well, this was--traditionally been a position in the
National Security Agency as an appointed position by the
National Security Advisor. The problem with that is, it's at
the whim of any particular----
Senator Manchin. I gotcha.
Senator King.--National Security Advisor. Two years ago,
this position was eliminated by the then National Security
Advisor. That's why we're saying, let's elevate this to the
status and the organizational status that it needs in order to
be effective to defend the country.
Senator Manchin. General Inglis, being the military person
you are, the Commission report specifically rejected the idea
of deterring cyberattacks on critical infrastructure by
threatening retaliation against the attacking country's
critical infrastructure. So, I understand the desire to be
reserved, but how do you feel your--this recommendation is
going to be adequate to deter?
Brigadier General Inglis. Well, first, if I might go a
half-step back and answer another question that you asked----
Senator Manchin. Okay.
General Inglis:--which was a concern about whether sector-
specific agencies might then be thwarted in the intimate and
direct relationship they have, very profitably, in terms of
outcomes, with their respective sectors. The Commission
actually is with you on that. We actually want to strengthen
the sector-specific agencies' relationships and allow them, as
representatives of the Government, to, on their various faces,
continue that strength, and so, the National Cyber Director
should benefit from that, but never constrain that; should,
essentially, take advantage of that.
To your question about whether the Commission believes it
is appropriate or inappropriate to attack the critical
infrastructure of other nations, I think that our views on that
are perhaps more nuanced than a yes or a no. We would start by,
first, saying that we believe, as the United States has long
attested, we will follow international law, and we will adhere
to the global standards of normal behavior that we attested to
in 2015 through the auspices of the State Department, that we
wouldn't, in peacetime, attack the critical infrastructure of
other nations. That being said, in wartime, it is a political
decision of the leadership of this Nation to determine, with
necessity and proportionality, how we should array the various
instruments of national power that we bring to bear. We
shouldn't be in a place where we never say never, we just need
to follow the rules of proportionality and necessity and the
international laws that govern such things.
I would offer, though, that it's often a discussion that
takes place with respect to the use of force or armed attack.
What we have found is that our adversaries are operating well
below that with impunity; essentially, like termites in the
woodwork----
Senator Manchin. Right.
General Inglis:--as opposed to this flash and bang that
might kind of be effected through kinetic weapons.
Senator Manchin. I gotcha.
Brigadier General Inglis. What we then have to address is
whether or not our adversaries are taking inappropriate
advantage of our either complacency or perhaps our implicit
tolerance of them inserting themselves into our critical
infrastructure, and how do we stop that. You know, I think that
there are an array of----
Senator Manchin. Yes.
General Inglis:--methods, some of which include cyberpower.
But, the use of diplomacy, the use of legal methods, the use
of, perhaps, public shaming, all of those need to be brought to
bear to stop that and to hold them at risk in ways that follow
international law, that use necessity and proportionality.
Senator Manchin. If I could ask one final question to
Congressman Gallagher.
Congressman, I think, in your opening statements, you all
have laid out a significant number of Commission legislative
recommendations. Am I correct that each of these
recommendations that you described appear in some form in
either the House or Senate NDAAs, and they'll be part of the
issues in play in our conference of the NDAA? So, it's--the
Commission's report, the recommendations you make, are they in
both?
Representative Gallagher. There were----
Senator Manchin. Congressman Gallagher?
Representative Gallagher. Yes, there were six specific
recommendations that I talked about that were--are in the House
version of the NDAA, but not in the Senate version of the NDAA.
I brought that up just to urge the Senate to consider the House
equities when we're in that discussion. I believe there is some
ongoing debate about our continuity-of-the-economy proposals. I
understand, for various jurisdictional issues in the House and
the Senate, there are some other recommendations that made it
into neither report. But, we feel fairly good about just the--
sort of the baseline of what made it into either the House or
the Senate, and hope there is a, you know, collaborative
approach in the conference committee processes.
Senator King. Senator Manchin, I can present to the
Committee a chart that exactly answers your question. There are
12 of our provisions in the House National Defense Act that
aren't in the Senate version. Okay? There are 12 in the House
that aren't in the Senate version. There are 11 in both the
House and the Senate versions. So, they match. Then there are
six in our version that aren't in the House. So, all together,
let's see, we've got 29 provisions, of which 11 are in both and
another more than a dozen can be, and hopefully will be,
resolved in the conference.
Senator Manchin. Are they outside of the jurisdiction? Is
that the problem that we have? Some of those are outside the
jurisdiction?
Senator King. No, these are all, we believe, close enough
so that----
Senator Manchin. So, they can be considered in to the----
Senator King. Yes.
Senator Manchin.--conferees.
Senator King. Yes. Yes, sir.
Senator Manchin. You think that will all be--all 29 will be
in play.
Senator King. Yes. So, they're in the bill, and we hope
that they can resolved so that as many as possible--I mean, you
know----
Senator Manchin. Yes.
Senator King.--we all know what happens with Commission
reports. We were determined to not have that happen.
Senator Manchin. I gotcha.
Senator King. That's why we actually drafted legislation
rather than just give you ideas. If we can finalize these
documents in the--these amendments in the bill as it comes out
of the conference committee, we will have done well more than
half of our total recommendations.
Senator Manchin. Thank you all. I appreciate it very much.
Senator Rounds. Thank you.
Yes, just in looking back over the numbers of--that I have
got in front of me, it's been great to see the number of them
that were actually put into the--this Subcommittee's mark, and
then the other three that were added on the floor. We couldn't
do them in Subcommittee, because of jurisdictional issues,
but--so, that was good to see, I think, 14 total coming out of
the Senate, and then holding a spot for the discussion on the
National Cyber Director position, as well. So, I think the
Committee has been very successful, and you've done some great
work.
Just to follow up a little bit, I did start out--when I
first got onto this Committee, I was very interested in a
National Cyber Advisor of--or National Cyber Director. Then I
kind of came around a little bit, saying there--the one thing I
was concerned about is, is that things were starting to work
within the Department of Defense. We were actually having some
movement forward, getting some things done, and I was concerned
that we not create any silos. I am very happy to hear all of
you indicate the same, that it is not the intention, and the
legislation should not be there, to create that. But, there is
clear evidence that the Congress has, in the past, asked for
Senate-approved members to advise the President or to
participate in the executive branch. I just thought I would
take a minute just to make that point here.
Examples of such positions that currently exist, that
Congress has put into law, top leaders of the Office of
Management and Budget, the Director, the Deputy Director, the
Deputy for Management, the Controller, the Office of Federal
Financial Management, OMB; Administrator, Office of Information
and Regulatory Affairs, OMB; Administrator, Office of Federal
Procurement Policy, OMB; Director of Office of National Drug
Control Policy; top leaders of the Office of Science and
Technology Policy, including the Director and the Associate
Directors; Intellectual Property Enforcement Coordinator;
Chairman, Council of Economic Advisors; Chair and Members,
Council on Environmental Quality; top leaders of the Office of
the United States Trade Representative, including the United
States Trade Representative, Deputy United States Trade
Representatives, Chief Agricultural Negotiator, Chief
Innovation and Intellectual Property Negotiator. I understand
that, really, a lot of the language that you've put into this
proposal comes from the legislation authorizing and directing
the United States Trade Representative, as well. So, there is a
format that's been followed here that we can look at to see
whether it's successful, or not, in terms of advising the
President of the United States.
So, I think you've done your work on it, and most
certainly, I would--if there's any part of it, as I say, that
we were concerned with, it was that we make sure that we allow
what is working within cyber operations of the DOD to continue
to work, and that we not create any other silos.
The other thing the Committee--that the Committee talked
about a little bit was the direction with regard to our
activity in cyberspace, whether there should be--you know, what
type of deterrence should be used, whether we should be putting
more emphasis on defensive activity, making it more difficult
for our adversaries to get in. I would just like to take just a
minute, because I--just to give you the opportunity to share a
little bit about your thoughts regarding the operations in
cyberspace. You've got air, land, sea, space, and cyberspace,
and most certainly, the most inexpensive of any to get into and
to create havoc everyplace else is cyberspace. We have to be on
top of our game. Can you share with me a little bit your
thoughts about the questions, concerns that your Commission
found or that you wanted to express and maybe haven't had the
opportunity to do so, so far?
Senator King. Thank you, Mr. Chairman.
There are a couple of aspects. One I want to touch on very
quickly. One of our major recommendations, which isn't before
this Committee, but--is for the creation of an Assistant
Secretary of State for Cyber, because international norms and
expectations are an important part of this discussion. If we're
not at that table, we can lose--when they are talking about
standards or whatever, this is a place where we've lost some
ground. So, that's one of our recommendations.
But, I think the--what I would like to say about the
deterrent issue is that this was a--there was a great deal of
discussion about this, and it grow--it grew, for me, out of
many of the hearings that you and I have sat through 4 over the
last 4 or 5 years, where we haven't had a deterrent policy.
We've been purely defensive. What we are saying is that there's
a level--everybody knows that there would be a response if
there was an attack on critical infrastructure. But, the
question is, What happens if there's an attack on our election,
or what happens if there's wholesale theft of intellectual
property? What's the response? Because there hasn't been, and
because, as you point out, this is a cheap way to make war,
then we've become a cheap date. We've become an easy target.
What the Commission suggests is, there needs to be a new
declaratory policy that there will be a response. It may not be
cyber. It may not be kinetic. It may be sanctions. It may be
any part of the national power toolkit, but that there will be
a response.
Another sort of wrinkle of this that's very important is,
85 percent of the target space in cyber is in the private
sector. It's not the Army and the Air Force. They will be under
attack--cyberattack. But, the target space is in the private
sector. That's where we have to really develop relationships.
This is a whole new way of thinking. One of the things we talk
about is the intelligence agencies being able to share with the
private sector what they're learning about cyberattacks on
SCADA systems at power plants.
So, you're absolutely right, the discussion of the
deterrent idea was an essential part and a lot of discussion in
the Commission, but we concluded that there had to be some
deterrent. It can't simply be defensive, patching, make it more
difficult, cyber hygiene. All those are important, but we
wanted our adversaries, when they're contemplating a
cyberattack on the United States, to say, ``But, what will they
do to us?'' We want that to be part of their risk calculus.
A formative moment for me was when we were interviewing the
head of National Security Agency (NSA), 3 or 4 years ago in
this Committee, and I asked him if there was any deterrent to
the--a foreign adversary taking these kinds of actions. His
answer, I have never forgotten, was, ``Not enough to change
their risk calculus.'' That, to me, is a--is an admonition and
a warning to us that we have to, not only defend ourselves, but
we--our adversaries have to know that we can and will respond
in such a way as to make them regret their attack.
Senator Rounds. Thank you, sir.
I am going to turn it over to Senator Manchin.
Senator Manchin. Mr. Inglis, one of the Commission's
recommendations that was included in the Senate NDAA is to have
the Defense Department carefully and comprehensively assess
whether the Cyber Mission Force, our military cyber forces, are
rightly sized. We included the 6 recommendation in our bill,
and it is important. Frankly, this mission is so new, and we
had to create everything from scratch 10 years ago. No one
really knew how many people it would take to perform this
mission, or even, really, the exact mix of skills we needed to
get the job done. But, as you know, we also realized that Cyber
Command can only get after targets, and clever people can
figure out to get inside that target through cyberspace and, if
we have infrastructure in the right places, to get access to
it. These are really high-end skills, and enabling accesses
requires a lot of smart planning by a lot of smart people. If
you don't have the accesses to military targets, adding more
cyber units are not going to accomplish much.
So, my question is, Did the Commission examine whether
Cyber Command has difficulties recruiting, training, and
retaining enough people with the requisite skills to generate
accesses to support an expansion of the cyber forces?
Brigadier General Inglis. I think that we did look at that,
nationally and then within the various components that
constitute those who employ cyber workers within the United
States Federal bureaucracy. Our sense of United States Cyber
Command is, they've done a great job within the authorities
that they have of recruiting, training, and developing for
careers the people necessary to do the work that they do. But,
as you well know, those forces were set in size in the year
2013. I think we're sitting now with a combined size of that
force, the actual, kind of, pointy-end of the force, about
6200, 133 teams, sized in a time and place when our sense of
how we use military cyberpower was different, in a time and
place when the sense of where that should be used was
different. It's time to review that. It's time to take a look
at that.
But, to your point, we need to also, at the same time, make
sure that we've done everything necessary to create a bigger
pie from which we can recruit, and, once we recruit, to focus
hard on: How do you retain those people across careers in cyber
disciplines?
Senator Manchin. If I could follow up with Congressman
Gallagher on that.
Congressman, your Commission did make a recommendation that
you have not emphasized here today, or Senator King, and, I
assume, because it did not get much serious consideration here
in Congress. That recommendation is that the House and Senate
should establish select committees on cybersecurity, with
members drawn mostly from all the committees, and each member
that has significant jurisdiction over our national
cybersecurity problem. So, maybe next year you can give it
another try and see if that goes anywhere. If you want to
comment on that, I am happy to 8 hear.
Representative Gallagher. Well, I understand the
difficulties of trying to reform committee jurisdiction in both
the House and the Senate. We view this as a critical
recommendation. It was one that we spent a lot of time debating
as--just as we want that single point of focus within the
executive branch, that person who wakes up every single day
thinking, How can we defend the country in cyber? So, too, I
think we want a repository of legislators who have the ability
to develop true cyber expertise, can hold that person, as well
as the other people in the executive branch that work on this
issue, accountable, and just creates a space where the
executive branch and the legislative branch can work together
to keep the country safe. So, I understand the difficulties of
this proposal, but I view it as necessary. It's one drawn from
Congress's own history of creating permanent select committees
on intelligence.
The final thing Iwould say, Senator, is that I think the
most forceful advocate for this proposal was my colleague in
the House, Congressman Jim Langevin, who presumably has the
most to lose, jurisdictionally, given that he chairs the HASC
Subcommittee that is analogous to your Committee, and
therefore--but, you know, might lose some jurisdictional power.
But, he feels very strongly about this proposal, as well.
Senator Manchin. Thank you.
Senator King, you might want to follow up, if you will,
real quick, on--let me ask you something else.
Senator King. Well, first, I wanted to----
Senator Manchin. Okay.
Senator King.--follow up. I think, to illustrate the
difficulty of the congressional organization, in order to get--
I gave you the list of those amendments that had been cleared
and put in--we had to get 180 clearances from both sides on
multiple committees and subcommittees. I mean, that gives you a
flavor of how bifurcated--there's got to be a word--fractioned,
or fractured, the congressional process is. So, that's
something that we're going to continue to work on.
The analogy is, the Intelligence Committee, which was
created in 1976 for the same reason, there was a realization
that intelligence was scattered throughout the Federal
Government and throughout the Congress, responsibility, and it
made sense to put it into one set of expert hands. That's the
origin of the Intelligence Committee. We think the same thing
should be done here, and I will continue to pursue the idea.
Senator Manchin. With all the expertise you all had on your
Commission--it seemed like you had a wide range of people
coming from different walks of life that had expertise to add--
what was the greatest concern, if we can talk about--maybe we
can't in this type of a setting--but, the greatest concern you
had with our cybersecurity right now, and what our adversaries
are trying to do to us on a daily basis, of the vulnerability
we might have that you was really concerned about? Or did all
of you agree you had one highly concerned sector of our society
that was vulnerable?
Senator King. I can't identify one sector, but critical
sectors, one that doesn't get enough attention, is water. Our
water system, there are something like 50,000 different water
companies----
Senator Manchin. Yes.
Senator King.--in the United States, and there are
vulnerabilities there; all of our financial system, our
telecommunication system; of course, electrical energy. This is
ongoing. We've talked to utility executives, for example, one
of whom told us his system was attacked 3 million times a day.
Senator Manchin. Jesus.
Senator King. Three million times a day, and that gives you
the range. Banks, I know, the same--I don't know if it's the
same number, but hundreds of thousands of times a day. So, this
is an ongoing threat, not only from State actors, but from
malign actors who are doing ransomware, sometimes they're just
garden-variety crooks, but they're also people that want to
undermine our society.
So, I can't give you one specific target that we most
worried about. I think our worry was that we just didn't feel
that the country was adequately prepared for what could, and
likely will, happen.
Brigadier General Inglis. Sir, could I speak to that, too,
then----
Senator Manchin. Of course.
Brigadier General Inglis.--you know, building on that, just
to say that there is the insidious threat, which is that our
concern was that our adversaries--whether they be criminals or
nation-states, or those in between, it could beat one of us,
without garnering the attention or the response of the rest of
us. We actually have a situation where we've been divided, and
we're slowly being conquered one at a time, ``The hole's not on
my side of the boat, therefore I am not going to help you kind
of patch the hole on your side of the boat.''
Our view is--and you won't find this line in the report,
but if I was stuck in an elevator with somebody and had 10
seconds to get out, what we propose is that, if you're an
adversary in this space, henceforth, you're going to have to
beat all of us to beat one of us. That actually derives from
using all of the talent, all of the expertise, all the
authorities that we already have in a more coherent, more
joined-up fashion, preparing as one, applying those resources
as one, such that, when we execute this in a distributed
fashion, much like the Department of Defense has, we're giving
the freedom to operate, we know that we're operating according
to some larger strategy, consistent with some larger purpose,
and that we're helping whatever is to the left of us, to the
right of us. That's a fundamental problem for us at this moment
in time.
As we made the rounds over 400 different engagements, most
of those in the private sector, we heard time and again from
the private sector, ``I like the part of government that I have
an interaction with"--maybe it's a sector-specific agency--"but
I am not sure I know what the government strategy overall is.
The government's not joined up and, therefore, not in a
position where it can be a viable collaborator with me, the
private sector, who is bearing, then, the burden of this, kind
of, transgression after transgression.'' They want the
government to be joined up, they want it to be coherent, they
want it to be a viable partner at the same speed that they
enjoy on the edge that they approach that government.
Senator Manchin. Thank you.
Senator Rounds. Look, I want to take this time to just say
thank you to all of our participants. This is critical, that we
get this right. Today, I think there's an understanding,
somehow, that the Department of Defense has a role to play with
regard to coming in and working internally within the United
States to defend, and yet they can't really step in unless they
coordinate with Homeland. Homeland, basically, requests, and
then DOD can, but it's almost like if--in terms of an analogy,
if you have archers on the outside shooting arrows in, you can
work all day at trying to catch each arrow that's coming in--
and you're talking millions of them--or at some point, you have
to go after the archer. The challenge on it is, defensively and
offensively, how do you do that in the best way possible?
I can't say enough about how important I think it is that
the work that you've done on the Commission be recognized, and
that we do our best to incorporate what we can into the NDAA.
The second piece that I think we have to recognize--and I
want to thank Senator Manchin for being here today--we had a
number of other members who were here early on, and then had to
leave. It's multiple meetings at the same time. But, we
shouldn't leave without recognizing how far our cyber teams
have come in just the last few years. The way in which General
Nakasone and those teams have really stood up what has been an
impressive series of achievements, both offensively and
defensively, and yet they will tell you it's still so much more
work to be done. Everything we can do to provide them with the
tools that they need and the correct public policy that they
need in order to do their job, the better off we're going to
be. Every other domain, whether you're talking air, land, sea,
space, all of them are dependent on our ability to protect them
in cyberspace, because it's all connected. It's the least
expensive way for our adversaries to get in and actually do
damage in any one of the other domains, and so, we have to pay
attention to it.
I think the work that you've done is to be commended, and
we appreciate your time today.
Senator Manchin, any final thoughts?
Senator Manchin. No, I appreciate all the work. I know
there's an awful lot of effort that you all have put in this
for quite some time, and I appreciate it very much.
Having served with Senator King on Intel Committee, it's
kind of opened our eyes. There's a lot of concerns we have.
We're still very good at what we do, but we can be a lot better
and make sure that we can protect the American people the best
we can.
My only thing was--I was wanting to ask the question on--do
you see the private sector starting to harden up a little bit?
Are we communicating with them well enough to let them know
they have a responsibility to harden up, also?
Senator King. The answer is yes. I would include, when you
say ``the private sector,'' also the States, the public--the
election system, for example.
Senator Manchin. Are they looking to us--I guess, Senator
King--are they looking to us, basically, to do it all for them,
or do they understand they've got to come to the table, too?
Senator King. No, no, they're very much engaged in their
own----
Senator Manchin. Okay.
Senator King.--in their own processes. But, as I said,
this--because 85 percent of the target space is the private
sector, and the Chairman, in his very opening remarks, said
that we're here to defend the Nation. We've got to help defend
them, but they have to----
Senator Manchin. Yes.
Senator King.--do their part.
Senator Manchin. Yes.
Senator King. Building those relationships is very much a
part of what we're trying to establish. It's happening, I can
assure you. But, we're not there yet.
Senator Manchin. Thank you all.
Thank you very much.
Senator Rounds. With that, I would like to say thank you to
our witnesses today: Senator Angus King, The Honorable Michael
Gallagher, and Brigadier General John Inglis, Retired. Thank
you, to all of you, for your testimony.
With that, this Subcommittee meeting is adjourned.
Thank you.
[Whereupon, at 3:43 p.m., the SubcCommittee adjourned.]
[Questions for the record with answers supplied follow:]
Questions Submitted by Senator David Perdue
potential liability in the event of a major cyber attack
1. Senator Perdue. Mr. Inglis, during a cyber-attack or a physical
attack on a critical lifeline sector, the Federal Government may need
to order private-sector entities to act (or refrain from acting)
alongside the Government to stop the attack. Private-sector companies
and utilities in these instances may want to cooperate and often do
cooperate in these instances; however, they often assume legal risk in
doing so. Recommendation 3.3.2 of the Cyberspace Solarium Commission
discusses this issue. It recommends that Congress ``clarify liability
for Federally directed mitigation, response, and recovery efforts,'' in
order to ensure that our critical lifeline sectors face no barriers
whatsoever in cooperating with our Government during a cyberattack. Do
you think that there are currently barriers for private-sector
companies who are a part of a critical lifeline sector to cooperate
with the U.S. Government during a cyberattack or physical attack, and
if so, what are those barriers?
Mr. Inglis. The lack of pre-event planning, trust building
activities and substantive collaboration leaves both sides (private
sector and USG) without needed relationships and muscle memory to
collaborate at speed during a crisis. While Congress made strides
towards this end (and attendant liability) with the Cybersecurity
Information Sharing Act of 2015, there is still significant resistance
to information sharing, trust, and cooperation. We should now work even
harder to ensure government held information is shared with the private
sector.
The Commission recommends building a more robust system for
private-public collaboration, through several recommendations such as
establishing an Integrated Cyber Center within the Cybersecurity and
Infrastructure Security Agency (CISA) (Recommendation 5.3), creating a
Joint Cyber Planning Office (JCPO) (Recommendation 5.4) to coordinate
cybersecurity planning and readiness across the Federal Government and
between the public and private sectors; establishing and funding a
Joint Collaborative Environment (Recommendation 5.2) for sharing and
fusing threat information; and establishing authority for CISA to
threat hunt on .gov networks (Recommendation 1.4). These all also can
work in concert to create a more resilient infrastructure, a
significant improvement from what we have today. \1\ We can't continue
to bank on our ability to forge and leverage coalitions after a cyber
campaign is initiated by an adversary. That would condemn us to start
and stay behind an adversary who has the advantage of having pre-
planned the time, place and manner of their attack. Improving
intelligence support to the private sector and codifying processes for
identifying private sector cyber intelligence needs and priorities
would markedly improve situational awareness across critical
infrastructure and allow private sector partners the insight necessary
to defend their networks. Identifying the key partners can be done, as
we recommend, through a process which identifies and empowers
Systemically Important Critical Infrastructure (SICI) entities to this
end. As key partners in protecting America's critical infrastructure,
the private sector must have full awareness into the severity of the
threats we face.
---------------------------------------------------------------------------
\1\ All four of these recommendations: the Integrated Cyber Center,
the JCPO, the Joint Collaborative Environment, and CISA threat hunting
on .gov are only included in the House Fiscal Year 2021 NDAA.
2. Senator Perdue. Mr. Inglis, how big of a threat is litigation in
discouraging private sector companies from complying with an order or
request from the U.S. Government during an attack?
Mr. Inglis. An order based on law or similar (enforceable)
executive branch authority is likely sufficient to motivate compliance.
However, it is often too late to request information during an attack
if it is to be useful to guide efforts designed to counter and curtail
that attack. Pre-attack data exchanges are the key to resolving this
issue.
To address this shortcoming, Congress should pass a law codifying a
``Cyber State of Distress''--a federal declaration that would trigger
the availability of additional resources through a ``Cyber Response and
Recovery Fund''--to assist state, local, tribal, and territorial
governments and the private sector beyond what is available through
conventional technical assistance and cyber incident response programs
(Recommendation 3.3). Creating this emergency declaration would resolve
any concerns private industry would have about litigation in response
to complying with a request from the government after an attack, as the
Stafford Act has done through government directives requiring private
sector action during national emergency declarations for natural
disasters. The declaration would be used exclusively for responding to,
or preemptively preparing for, cyber incidents whose significance is
above ``routine'' but below what would trigger an emergency declaration
and for incidents that exceed or are expected to exceed the capacity of
federal civilian authorities to effectively support critical
infrastructure in response and recovery.
The fund would be used to augment or scale up government technical
assistance and incident response efforts in support of public and
private critical infrastructure. A key provision is the inclusion of
preemptive action and preparation, which accounts for instances when
the Federal Government has a reasonable expectation that a significant
cyber incident is likely to occur and preemptive action and preparation
would reduce potential consequences of disruption or compromise. The
declaration would invoke current authority that establishes the
Secretary of Homeland Security as the principal federal official
responsible for coordinating incident response, recovery, and
management efforts on behalf of the entire Federal Government. In
addition to addressing response and recovery efforts, this coordination
would need to account for, and protect, law enforcement interests,
including the preservation of forensic data necessary to attribute the
attack and enable subsequent investigations by law enforcement
agencies. This coordination role should not supersede other existing
department and agency authorities or direct law enforcement activity.
3. Senator Perdue. Mr. Inglis, do you believe the current statutory
framework provides enough of a liability shield for companies that do
comply with U.S. Government orders or requests, and if not, what should
we take into account as we update this framework?
Mr. Inglis. The statutory framework for liability coverage for
private companies working with the U.S. Government is necessary in
order to ensure strong coordination and cooperation between the private
sector and the U.S. Government in response to cyber attacks. If the
United States were to suffer a significant cyber incident, the Federal
Government would undoubtedly require the assistance of private-sector
partners in response and recovery. Existing laws to facilitate these
activities, such as the Defense Production Act and Federal Power Act,
are limited in their ability to provide reliable liability protections
for private-sector entities or public utilities that take action, or
refrain from taking action, at the direction of the Federal Government.
When the Federal Government orders a private entity to take action or
refrain from taking action in pursuit of national cybersecurity,
shielding that entity from liability related to that action or inaction
is crucial.
Building better public-private collaboration will require more
active and deeper collaboration between the Department of Defense (DOD)
and other federal departments and agencies and private-sector
stakeholders, including owners and operators of systemically important
critical infrastructure. DOD brings considerable resources, expertise,
and advanced capabilities that, when integrated appropriately with new
or existing public-private initiatives, can substantially increase the
timeliness and effectiveness of U.S. cyber defense and security
efforts. The Commission recommends that the executive branch establish
a Joint Cyber Planning Cell (Recommendation 5.4) under CISA to
coordinate cybersecurity planning and readiness across the Federal
Government and between the public and private sectors; joint cyber
exercises (Recommendation 3.3.4), intelligence community support
(Recommendation 5.1.2), strengthen the Office of the Director of
National Intelligence's (ODNI) Cyber Threat Intelligence Integration
Center (CTIIC) (Recommendation 1.4.1), and DOD's Integrated Cyber
Center and Joint Operations Center (ICC/JOC); strengthen an Integrated
Cyber Center within CISA (Recommendation 5.3), and sector-specific
agency (SSA) interaction vis a vis the creation and designation of
systemically important critical infrastructure (SICI) (Recommendation
5.1).
cybersecurity and infrastructure security agency (cisa) advisory
committee
4. Senator Perdue. Mr. Inglis, the Cyberspace Solarium Commission
recommended that the Secretary of Homeland Security establish a
``Cybersecurity Advisory Committee to advise, consult, and make
recommendations to CISA on policies, programs, and rulemakings, among
other items, to account for non-Federal interests.'' Currently, CISA
has no formal channels through which the private sector can share
information with CISA about cyber threats to our critical
infrastructure. I introduced a bill with Senator Kyrsten Sinema to fix
this problem. It creates a formal channel for the private sector and
our Government to share threat information. It will also ensure that
critical insights into our cyber threat environment and develop best
practices for deterrence and detection. I am proud that it was included
in the National Defense Authorization Act (NDAA) that we recently
passed out of the Senate. How important is this provision to achieving
that goal of information sharing?
Mr. Inglis. The Commission fully supports the ``Cybersecurity
Advisory Committee'' provision as it went through the Senate and the
Commission's House of Representative members plan to support the motion
in the NDAA conference. In addition the Commission believes the U.S.
Government has a unique capacity to take in information from disparate
sources, including the intelligence community, and integrate that
information to produce a more holistic picture of and better insights
into the national collective understanding of threats, building on the
good work of CISA and the Automated Indicator Sharing (AIS) program.
Building on those strengths, Congress should review and update
intelligence authorities to increase intelligence support to the
broader private sector (Recommendation 5.1.1); establish and fund a
Joint Collaborative Environment, a common and interoperable environment
for the sharing and fusing of threat information, insight, and other
relevant data across the Federal Government and between the public and
private sectors (Recommendation 5.2); expand and standardize voluntary
threat detection programs (Recommendation 5.2.1); and direct the
executive branch to strengthen a public-private, integrated cyber
center within CISA in support of the critical infrastructure security
and resilience mission as well as conduct a one-year, comprehensive
systems analysis review of federal cyber and cybersecurity centers,
including plans to develop and improve integration (Recommendation
5.3).
5. Senator Perdue. Mr. Inglis, what steps can we take to ensure
that we're using the expertise of the private sector to protect our
cyberspace?
Mr. Inglis. The private sector, which owns and operates 85 percent
of our critical infrastructure and constitutes the lifeblood of our
economy, is both an essential partner in our efforts to protect our
cyberspace and a main target of adversary cyber operations.
First, we need to foster public-private collaboration to address
threats to shared digital infrastructure. The private sector will be
more willing to contribute their expertise when the goal is one of
common interest. The Commission recommends the creation of a Joint
Collaborative Environment to share and fuse threat information,
insight, and other relevant data between public and private sectors
(Recommendation 5.2); a review of intelligence authorities to increase
intelligence support to the broader private sector (Recommendation
5.1.1); the expansion and standardization of voluntary threat detection
programs (Recommendation 5.2.1); and the strengthening of a public-
private, integrated cyber center within CISA (Recommendation 5.3). Each
of these proposals would both enable the Federal Government to better
protect the private sector and its assets, and enhance the government's
ability to learn from and leverage the expertise of the private sector.
Second, exchange tours between public and private sectors will
provide opportunities to deepen this collaborative relationship. In
addition to facilitating greater communication and trusted
relationships between sectors, such a program would enrich the
knowledge base of both sectors, as they gain greater experience in a
range of circumstances and encounter variances in threats and tools.
This type of ongoing learning opportunity will enhance our cyber
workforce by enriching career paths, keeping employees engaged,
increasing retention. For these reasons, the Commission recommends a
public-private talent exchange program (Recommendation 1.5).
Finally, the Commission supports your recommendation for the
creation of a Cybersecurity Advisory Committee (Recommendation 1.4),
``to advise, consult, and make recommendations to CISA on policies,
programs, and rulemakings, among other items, to account for non-
federal interests.'' Having a formal channel for the private sector to
engage with the Federal Government on cybersecurity matters is
essential. This will streamline the sharing of information between both
sectors and better inform the policies, programs, rules, and
regulations that CISA makes.
6. Senator Perdue. Mr. Inglis, how can we ensure that the Federal
Government remains agile enough to respond to our rapidly evolving
threat environment?
Mr. Inglis. We can do so by creating needed coherence of vision
through the development of a viable national strategy, and by
allocating and collectively exercising appropriate roles and
responsibilities to the various departments, agencies, and private
sector organizations. This will ensure that we have the cohesion of
relationship and unity of effort to adjust on-the-fly to cyber crises.
As Eisenhower said, ``The plan is nothing. Planning is everything.'' To
that, the Commission would add that the muscle memory and inherent
agility of a coalition comes from exercise-derived from the shared work
of addressing contingency and crisis and exercises that stress and
strengthen plans and relationships across a broad range of scenarios.
The United States must also practice constant vigilance analogous
to the DOD's ``persistent engagement'' strategy across all instruments
of national power--to include private sector--with the goal of
continuous situational awareness, early discernment of cyber threats,
and early and collaborative action to address cyber threats. This can
be accomplished through the creation of a Joint Collaborative
Environment to share and fuse threat information, insight, and other
relevant data between public and private sectors (Recommendation 5.2);
strengthening an integrated cyber center within CISA (Recommendation
5.3); strengthened SSAs (Recommendation 3.1), and threat hunting on the
DIB and .gov (Recommendations 6.2.2, 1.4).
Investing in human capital will also ensure we broaden the base of
talent (both within and external to government), moving away from a
strategy reliant on the relative few cyber defenders and towards a
strategy where every person play some role in the defense of
cyberspace, taking a lesson from the United States Marines Corps who
make a similar point in their mantra that ``Every Marine is a rifleman
. . . ''
7. Senator Perdue. Mr. Inglis, with your background at the National
Security Agency (NSA), do you think it's important for the private
sector to share threat-information with the Federal Government?
Mr. Inglis. Yes. The Federal Government has assets that can be
better employed if it knows more about the threats operating against or
inside of private sector assets that the Federal Government cannot, and
does not want to, surveil. Consider the example where an information
sharing and analysis center (ISAC) relays to the Federal Government
that it is experiencing an unusual rate or kind of activity. The
Federal Government would then use its lawfully assigned intelligence
powers to reconcile that activity to a particular source beyond the
visibility or authority of the private sector. Such sharing from
private to public sector allows the public sector to orient and focus
on matters that are more closely aligned with private sector needs.
However, the Cyberspace Solarium Commission believes that threat
information sharing should not be a one-way street. The private sector
is on the front lines protecting our nation's critical infrastructure
and the systems that underpin it. We believe that information sharing
should be a truly joint collaborative effort between the government and
the private sector. This means integrating public and private cyber
defense efforts as well as ruthlessly prioritizing government support
to private entities.
The Federal Government should not be a black hole to the private
sector. Collaboration in threat information sharing can build better
situational awareness of cyber threats which can then inform the
actions of both the private sector and the government. The U.S.
Government has a unique capacity to take in information from disparate
sources, including the intelligence community, and integrate that
information to produce a more holistic picture of and better insights
into the national collective understanding of threats. The CSC has a
number of recommendations, most notably codifying systemically
important critical infrastructure'' (Recommendation 5.1), improving
intelligence support to the private sector (Recommendation 5.1.1),
strengthening and codifying processes for identifying broader private
sector cybersecurity intelligence needs and priorities (Recommendation
5.1.2), and establishing a Joint Collaborative Environment for the
sharing and fusing of threat information between the public and private
sectors to make collaboration truly joint (Recommendation 5.2).
8. Senator Perdue. Mr. Inglis, what has the relationship between
the private-sector and our Federal Government looked like previously on
cybersecurity issues, and how can we strengthen that relationship going
forward?
Mr. Inglis. The Commission devoted considerable time and energy to
engaging with the private sector to solicit their feedback on the
efficacy, or lack thereof, of public-private collaboration on
cybersecurity issues. We found that many in the private sector perceive
the Federal Government as incoherent and unable to synthesize the many
aspirations and capabilities of government into a cohesive,
approachable framework. \2\ To address this issue, the Commission
recommends the creation of a National Cyber Director (NCD) to
coordinate existing federal cybersecurity strategy and policy
(Recommendation 1.3); the designation and codification of systemically
important critical infrastructure (SICI) to better prioritize and
protect our most critical private sector assets (Recommendation 5.1);
and the establishment of Continuity of the Economy (COTE) planning to
ensure the public and private sectors, in tandem, are prepared to
rapidly restart and restore the U.S. economy in the aftermath of a
major disruption (Recommendation 3.2).
---------------------------------------------------------------------------
\2\ To quote one observer: ``Capability, will and authority for
cyber action is seldom found in the same place within the Federal
Government . . . never in peacetime and seldom even in crisis''
---------------------------------------------------------------------------
On the issue of information sharing, specifically, members of the
private sector felt that this was a one-way street. While they were
expected to, and often made efforts to share threat information with
the Federal Government, the information they received was often out-of-
date or simply rehashed the same information that was originally
provided by the private sector to the government. The Commission
recommends the creation of a Joint Collaborative Environment to share
and fuse threat information, insight, and other relevant data between
public and private sectors (Recommendation 5.2); a review of
intelligence authorities to increase U.S. Government intelligence
support to the broader private sector (Recommendation 5.1.1); the
expansion and standardization of voluntary threat detection programs
(Recommendation 5.2.1); and the strengthening of a public-private,
integrated cyber center within CISA (Recommendation 5.3). Each of these
proposals would not only enable the Federal Government to better
protect the private sector and its assets, they would enhance the
government's ability to learn from and leverage the expertise of the
private sector.
*While there is significant room for improvement, our conversations
with the private sector did illuminate instances of success that we
must emulate and expand upon. DHS and, in particular, CISA, is
increasingly recognized as an effective convening authority for public-
private collaboration. The Federal Bureau of Investigation (FBI) and
NSA, similarly, are perceived as competent cyber organizations able to
share valuable insights on threat actors and cybersecurity trends. The
National Institute of Standards and Technology (NIST), as well as other
enablers, are viewed as trusted sources of information and guidelines,
such as NIST's Cybersecurity Framework. Again, though, despite these
isolated pockets of effectiveness, the whole of the government
contribution to the private sector is certainly not seen as greater
than the sum of its parts.
In short, the government must be more ``joined up''--both to better
employ its unique authorities and capabilities, and to be a more
reliable and helpful partner to the private sector. It must be more
proactive in offering its services and capabilities in support, through
an accessible, efficient private-public collaboration system. It must
be more aggressive in identifying and remediating the foundational
vulnerabilities in the cyber ecosystem, not least of which is restoring
a balance between actions--both good and bad--and consequences.
__________
Questions Submitted by Senator Marsha Blackburn
national nuclear security administration
9. Senator Blackburn. Mr. Inglis, the Cyberspace Solarium
Commission's report recommends the Department of Defense (DOD)
undertake efforts to secure the defense industrial base (DIB),
including hunting on DIB company networks. Can you think of a reason
why the Commission's recommendations should not also apply to the
National Nuclear Security Agency (NNSA) portions of the DIB, especially
for contractors supporting nuclear weapons development?
Mr. Inglis. No, I cannot. This is a good suggestion. A shared
picture of the threat environment within the DIB is essential to
proactively and comprehensively address cyber threats and
vulnerabilities to this key sector, and that includes nuclear weapons
development and maintenance. \3\ Just as forother classified areas of
the DIB, classification considerations can be addressed. Improving the
detection and mitigation of adversary cyber threats to the DIB is
foundational to ensuring that key military systems and functions are
resilient and can be employed during times of crisis and conflict. The
NNSA and nuclear weapons, as one of the most critical components of
national defense, cannot be excluded from participation. Congress
should therefore direct regulatory action that the executive branch
should pursue in order to require companies that make up the Defense
Industrial Base, as part of the terms of their contract with DOD, to
create a mechanism for mandatory threat hunting on DIB networks
(Recommendation 6.2.2).
---------------------------------------------------------------------------
\3\ This recommendation applies to the DIB, defined as ``[t]he
Department of Defense, government, and private sector worldwide
industrial complex with capabilities to perform research and
development and design, produce, and maintain military weapon systems,
subsystems, components, or parts to meet military requirements.'' This
recommendation does not include entities such as Defense Critical
Infrastructure (DCI), defined as ``Department of Defense and non-
Department of Defense networked assets and facilities essential to
project, support, and sustain military forces and operations
worldwide.'' Office of the Chairman of the Joint Chiefs of Staff, DOD
Dictionary of Military and Associated Terms (January 2020), 59, https:/
/www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf.
---------------------------------------------------------------------------
The Commission recommends that Congress should legislatively
require these companies to participate in a threat intelligence sharing
program that would be housed at the DOD component level. A DIB threat
intelligence sharing program should contain a number of key elements,
including:
Incentives for certain types of specifically delineated
information sharing, such as incident reporting.
A shared and real-time picture of the threat environment;
joint, collaborative, and co-located analytics; and investments in
technology and capabilities to support automated detection and
analysis.
Consent by DIB entities for the NSA to query in foreign
intelligence collection databases on DIB entities \4\ and provide
focused threat intelligence to them, as well asenable all elements of
DOD, including the NSA, to directly tip intelligence to the affected
entity.
---------------------------------------------------------------------------
\4\ These queries would examine collections already authorized
against and focused on adversaries for references to or efforts against
DIB entities.
10. Senator Blackburn. Mr. Inglis, what are the unique challenges
that would need to be overcome in order to holistically support the
NNSA's industrial base?
Mr. Inglis. Supporting the NNSA's industrial base is an important
issue that goes beyond the immediate scope of the Commission's
recommendations. Nevertheless, the Commission did promulgate a
strategic objective of ensuring the security and resilience of nuclear
weapons systems and functions, starting with Congress directing the DOD
to conduct cybersecurity vulnerability assessments of all segments of
nuclear command, control, and communications (NC3) systems
(Recommendation 6.2). Ensuring the cybersecurity of the NNSA's
industrial base therefore plays an important role in contributing to
the Commission's broader objectives with respect to the intersection of
cybersecurity and nuclear capabilities.
Similar to the recommendations pertaining to the DIB, there are a
number of unique challenges that would need to be overcome to support
the NNSA's industrial base. Unlike the DIB, which has its own
Information Sharing and Analysis Center (ISAC), NNSA should consider
convening an ISAC-like entity to promote the sharing of threat
information as well as best practices for security across the industry.
Additionally, an executive entity could be identified to lead efforts
to develop a holistic approach to securing the supply chain for all
segments of the NNSA's industrial base, as well as to promote a risk-
based approach to threat identified and hunting. Furthermore, NNSA
could pursue initiatives in harmonization with the DOD's Cybersecurity
Maturity Model Certification (CMMC) to categorize entities within the
industrial base by relative levels of maturity and ensuring
requirements for maintaining appropriate levels of cybersecurity.
Finally, given the strategic significance of this industrial base,
direction could be given for the prioritization of foreign intelligence
collection against cyber threats to key entities within the NNSA's
industrial base and protocols developed for rapid and meaningful
sharing of information with affected entities to enable their defense.
This type of relationship could be piloted through a Pathfinder-like
program, similar to the DOD's Pathfinder programs established for the
Energy and Financial Services sectors.
11. Senator Blackburn. Mr. Inglis, are there additional authorities
needed from Congress to be able to support the NNSA's industrial base?
Mr. Inglis. The Commission does not specifically address NNSA
industrial base requirements and concerns, however, more generally
speaking the Commission recommends a comprehensive strategy to ensure
the continued availability and trustworthiness of critical technologies
(Recommendation 4.6). Specifically, the Commission recommends a
strategy that:
1. Identifies key technologies and equipment through government
reviews and public-private partnerships to identify risk.
2. Ensures minimum viable manufacturing capacity through strategic
investment and the creation of economic clusters.
3. Protects supply chains from compromise through better
intelligence and information sharing.
4. Identifies and supports partners around the world and in the
public and private sectors.
5. Ensures global competitiveness of American and partner
companies in the face of Chinese anti-competitive behavior in global
markets.
__________
Questions Submitted by Senator Kirsten Gillibrand
election cybersecurity budget
12. Senator Gillibrand. Mr. Inglis, the Elections Assistance
Commission is a small organization with a massive mission and its role
continues to expand as it assists election officials in dealing with
election security, aging and vulnerable technology, and accessibility
in the lead-up to the 2020 elections. Elections are the cornerstone of
our democracy, making election cybersecurity equivalent to national
security. Unfortunately, election cybersecurity lacks a national
security budget. How will the Commission's recommendations give the
Election Assistance Commission sufficient authority, flexibility, and
resources to help election officials face increasingly diverse and
sophisticated cyber-threats?
Mr. Inglis. The EAC suffers from chronic funding shortages and
requires a more robust staff to better execute its responsibilities for
improving State, Local, Tribal, and Territorial (SLTT) governments
election cybersecurity capacity. Further, the EAC commissioners and
staff require more technical cybersecurity expertise to enact urgent
reforms to protect the integrity of voting systems against malicious
cyber activity. Finally, increased funding for SLTT grants will help
the EAC ensure SLTT election entities have the means to address cyber
threats. By increasing and regularizing the EAC's funding and capacity
and adding technical cyber expertise to the Commission, policymakers
will ensure that evolving threats to the integrity of our electoral
process are better understood and prioritized. Specifically:
Congress should amend the Help America Vote Act to create
a fifth nonpartisan commissioner and add a Senior Cyber Policy Advisor
to the staff, both with established cybersecurity backgrounds in order
to vote exclusively on issues of or relating to cybersecurity and
strengthen both the technical and cyber policy expertise of the
commission.
Congress should increase and regularlize the EAC's annual
operating budget to enable the hiring of new staff to improve the
performance of core responsibilities.
Congress should streamline and modernize sustained grant
funding for SLTT entities to improve election systems.
The EAC itself should finalize and release its long-
delayed update to the Voluntary Voting System Guidelines and increase
the breadth and frequency of its recommendations and guidance
concerning voting systems and processes.
internet of things
13. Senator Gillibrand. Mr. Inglis, since the onset of the COVID-19
pandemic, Americans have relied on technology to stay connected, to do
our jobs, and to see our friends and families. Many Americans have
transitioned to remote work, often using personal consumer electronics
to connect to work from home. Vulnerable personal devices and home
networks present an attractive target with significant cybersecurity
and data privacy risks. Can you please elaborate on how the
Commission's recommendation to pass an internet of things security law
will address the challenge of American consumers' widening dependency
on global manufacturers with poor security practices who are based
beyond American jurisdiction?
Mr. Inglis. Outside the digital infrastructure common to businesses
who build, operate, and defend systems for well defined business
environments, Internet-of-Things (IoT) devices, have an outsized impact
on security or insecurity (like the routers and smart home hubs common
in the homes and other locations drafted as a substitute for
traditional workplaces). Today, we know that many routers--and cyber-
aware devices like lightbulbs, smart home hubs, thermostats and
refrigerators--in peoples' homes do not include rudimentary or baseline
security measures and the market for these devices has not yet moved to
demand security. Recognizing this shortcoming in the market and the
imperative of more secure IoT devices given their increasing importance
in our economy and society, the Commission recommended the passage of
an IoT security law that mandates minimum or baseline security measures
for devices sold in the United States. These standards should be
identified and developed in close coordination with relevant industry
stakeholders to ensure that they neither place undue burden on the
developers of these devices nor undermine innovation.
While the recommendation in our Pandemic report cannot wholly
remediate a failure to build out IoT with security as an upfront goal,
the sector is too important to not begin to redress those errors of
omission and the increasing exploitation of malicious actors. Over
time, a combination of government compellence and market forces will
create a growing body of IoT that consumers can use with increased, if
not absolute, confidence. Mitigation measures will be important
throughout and even after this transition to ensure that improved
analytics, threat sharing, and enforcement action reduces the benefits
that accrue to bad actors across the realm of IoT.
national guard interoperability
14. Senator Gillibrand. Mr. Inglis, the Commission recommended
Congress enact legislation to clarify the cyber capabilities and
strengthen the interoperability of the National Guard and assess the
establishment of a military cyber reserve to provide a surge capacity
that could be rapidly mobilized in a time of crisis. The United States
currently suffers from a shortage of cybersecurity experts. The public
sector faces the additional challenge of trying to recruit and train
qualified experts in the field who are often lured to private industry
by higher salaries. Can you please elaborate on how these
recommendations could bolster the public cybersecurity cadre and what
recruiting and retention benefits may be associated with these
recommendations?
Mr. Inglis. As a 20+ year veteran of the Air National Guard and an
original sponsor of the standup of the MD ANG's cyber units, I was
privileged to witness first-hand the multiplicative effect that Guard
service has in leveraging precious skills that are nurtured in one
sector, and honed in another. This effect is particularly true in
peacetime when the unique authorities and missions of the military
offer an attractive outlet to employ skills learned in the private
sector, resulting in an exchange and growth of critically short
expertise that would not happen in a zero sum world of stovepiped
activities separated by the private-public sector boundaries. Despite
the fact that the pay and benefits of the Guard and Reserves are easily
outmatched by those available in the private sector, the flexible
arrangements offered make it possible for citizen-airmen and soldiers
to lend their talents to one without shortchanging the other. Even in
crises, the Guard's ability to work across federal (Title 10 and 50)
and state (Title 32) boundaries is a great resource in establishing
coalitions that derive strength from collaboration as much or more from
literal numbers (put another way, if you have too few people to conduct
a mission, they are best deployed in the flexible manner akin to what
Guard and reserve service offers in leveraging members who hold roles
in both the private and public sectors). It's also useful to note that
few crises will require full-scale, nation-wide mobilization. The
Guard's flexibility in deploying federalized assets across state lines
is also useful to support crises that are localized to a particular
region, without undermining the security of a region outside the crisis
arena.
Moreover, you are completely right that the challenge of achieving
effective security and defense in cyberspace depends on people as much
as it does on technology or policy. Today, the U.S. Government suffers
from a significant shortage in its cyber workforce. Across the public
sector more broadly, one in three positions (more than 33,000) remains
unfilled. \5\ These shortages aredriven by a need for personnel that
have specific cybersecurity skills and experience, but they are
complicated by government hiring, training, and development pathways
that are not well-suited to recruit and retain those personnel.
---------------------------------------------------------------------------
\5\ ``Cybersecurity Supply/Demand Heat Map,'' CyberSeek, Burning
Glass, CompTIA, and the National Initiative for Cybersecurity
Education, accessed February 18, 2020, https://www.cyberseek.org/
heatmap.html.
---------------------------------------------------------------------------
The good news is that today's cybersecurity skills and experiences
can be gained with unusual ease outside standard channels of education
and training. That means, however, that the government must more
effectively take advantage of those unconventional pathways, especially
when they do not include typical college education or prior government
experience. Overall government approaches to successfully deepen and
diversify this candidate pool should include:
Developing programs to bring in new employees via
apprenticeships, promoting cooperative study, and expanding training
programs so that existing workers can enhance their career
trajectories.
Researching and implementing measures of competency
alongside more commonly used certifications.
Streamlining processes and reducing institutional
barriers to onboarding cyber talent quickly.
Identifying opportunities and building hiring pathways
for members of underrepresented communities, including the
neurodiverse, \6\ women, and people of color.
---------------------------------------------------------------------------
\6\ Kevin Pelphrey, ``Autistic People Can Solve Our Cybersecurity
Crisis,'' Wired, November 25, 2016, https://www.wired.com/2016/11/
autistic-people-can-solve-cybersecurity-crisis/.
---------------------------------------------------------------------------
To achieve these objectives for recruiting today's cybersecurity
talent into public service, the government should pursue the following:
Congress should fund research into the current state of
the cyber workforce, paths to entry, and demographics in coordination
with the ongoing work at the Office of Personnel Management (OPM), DHS,
the National Science Foundation (NSF), and the National Institute of
Standards and Technology (NIST). This research should align with and/or
build on NIST's National Initiative on Cybersecurity Education (NICE)
Cybersecurity Workforce Framework, which outlines cybersecurity work
roles and the knowledge, skills, abilities, and tasks involved in each
role. New research should also build on emerging work from NICE and
others on career paths and certifications.
Congress should resource recruiting programs specifically
designed to target cyber talent and expand current programs that have
made demonstrated progress in innovating recruitment.
Congress and the executive branch should reinforce and
authorize the role of the NICE in coordinating U.S. Government efforts
to advance cybersecurity workforce development nationwide, and resource
the office sufficiently for this role.
Congress should require the Government Accountability
Office (GAO) to issue a report within one year: (1) estimating how
frequently candidates are deterred from pursuing government careers
because of delays in issuing security clearances; (2) assessing the
effectiveness of current clearance processes at striking a balance
between the national security risk of insider threats, and the national
security risk of leaving cyber jobs vacant; and (3) recommending a lead
agency for developing and implementing a plan for addressing any
shortcomings discovered.
Upon entering government, cybersecurity personnel should have
rewarding career paths and the education and training opportunities
necessary both to keep their skills relevant and up-to-date in a
rapidly changing field and to motivate them to continue their careers
in public service. To meet these objectives, Congress should:
Fund DHS, NSF, and OPM to expand the existing CyberCorps:
Scholarship for Service program. Since its inception in 2001, this
proven program has graduated 3,600 students. The program should be
resourced to grow steadily and eventually reach as many as 2,000
students per year.
Direct and fund CISA to design a process for one- to
three-year exchange assignments of cyber experts from both CISA and the
private sector. If successful, this model should be expanded to other
agencies as well.
Direct OPM, NICE, and DOD to design cybersecurity-
specific upskilling and transition assistance programs for veterans and
transitioning military service members to move into federal civilian
cybersecurity jobs.
Direct OPM to require departments and agencies to develop
training for managers to cultivate practices that foster a more diverse
cyber workforce and more inclusive work environment.
Require federal cyber contractors to implement known
best-practice workplace policies in order to improve employee retention
on federal contracts.
Direct OPM, in partnership with federal departments and
agencies including NIST and DHS, to issue a report evaluating the
potential for a new Civil Service Cyber: a system of established cyber
career paths that allows movement between departments and agencies and
into senior leadership positions. In order to facilitate movement
between different departments and agencies, this plan should:
Establish greater standardization and demonstrated
equivalences across the government.
Incorporate competence-based metrics, work-based learning
programs, and--after rigorous assessment of their utility and impact--
cyber aptitude tests.
Include standardization tools such as the NICE
Cybersecurity Workforce Framework and the Cyber Talent Management
System (CTMS). The new CTMS--to be launched at DHS starting in fiscal
year 2020--will establish a new DHS cybersecurity service, composed of
civilian employees hired using streamlined processes, new assessments,
and market-sensitive compensation. If CTMS is successful at DHS, it
should be considered for aggressive expansion Federal Government-wide.
It is clear that the pace of malicious cyber incidents is severely
outmatching the personnel needed to secure systems. The government
needs to act now to strengthen the cyber workforce to meet these
threats, and these recommendations will bring us closer to do just
that. The Commission appreciates your work in this space and stands
ready to work together to make these changes a reality.
[all]