[Congressional Record Volume 164, Number 98 (Wednesday, June 13, 2018)]
[Senate]
[Pages S3927-S3928]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
NATIONAL DEFENSE AUTHORIZATION BILL
Mr. SASSE. Mr. President, I rise to draw attention to one
particularly important element of the National Defense Authorization
Act, which sits before this body.
First, it is worth noting that--despite the bizarre dysfunction of
the last couple of days around here--the NDAA is usually a time each
year when the Senate looks like an actual deliberative body. We look
like an actual legislature.
Most of the typical bickering and made-for-TV sound bites get set
aside this week or two every year as we focus on the first purpose of
the Federal Government, which is to provide for the common defense.
The NDAA reveals our shared commitment to the men and women in
uniform who serve our country so well. This legislation aims to
scrutinize and annually reprioritize among the many important tasks
that are going on in the Pentagon and in the broader Department of
Defense.
If we are going to call on the men and women in the armed services
who defend our freedoms to stand ready to defend us and to go into
battle when necessary, we must equip them with the right tools to be
able to get their job done. That is what this legislation is about each
year, but it is not enough to simply be about defending against
traditional enemies and traditional threats. We also need to use this
annual occasion to pause and deeply look at new and emerging threats we
face.
When you ask national security and intelligence experts in private
and in public what keeps them up at night, as I do multiple times every
week--I ask this question of people in the SCIF. You find something
strange in this city. You have an agreement. Public and private sector
experts, legislative and executive branch folks, career folks,
political folks, whether Republican or Democratic, have widespread
agreement that the long-term domain challenge we face is that America
is woefully unprepared for the age of cyber war.
Thirty years ago, when the digital age was still in its infancy and
the first computer viruses and bugs were created, the United States did
not have a cyber doctrine to defend our interests. That was
understandable in 1986 because these were new threats. It doesn't make
any sense in 2018, and yet it is still true. We don't really have any
coherent doctrine to defend our interests. This is inexcusable.
We are, today, overwhelmingly the most advanced digital economy and
digital society in the world. Thus, we are, almost inevitably, the No.
1 target globally for cyber crime, but our adversaries are attacking us
not merely as targets of opportunity, they are also attacking us
because they sense our passivity.
State and nonstate actors alike are becoming regularly more brazen.
Year over year, from 2012 to 2013, to 2014, to 2015, and to the
present, we see this brazen action coming from China, Russia, Iran,
North Korea, and lots of jihadi nonstate actors. Yet we still do not
have a cyber doctrine to guide our planning process, we don't have a
cyber doctrine to guide our actions, and we are unprepared for the
warfare of 2020, 2025, and 2030.
How can this be? How can we lack a strategic plan, not merely to
respond to the attacks against U.S. public and private sector networks
but also to go a step further and deter them in real time? Why do we
lack this plan?
Since joining this body in January of 2015, alongside the Presiding
Officer, I have pushed for a strategic plan that clearly articulates
how we will defend ourselves against the new threats in this cyber
space. Unfortunately, this call has fallen on deaf ears in both the
legislature and the executive branch, both Democratic and Republican
administrations. There is far too little urgency. When you speak with
generals, when you speak with CIA station chiefs around the world,
nobody disputes this. Everyone knows we are unprepared, and we are
underinvested in this domain. Yet no one is really in charge.
Fortunately, we are taking a major step in this NDAA to address this
deficit in our war planning. While no one piece of legislation and no
single proposal can possibly address all of our cyber deficits, there
is, nonetheless, some very good news in this NDAA for both the public
as a whole and those of us who are losing sleep about our cyber
underpreparedness.
The legislation we are debating today, and will vote on in some form
tomorrow, includes a proposal to bring American national security into
the 21st century by establishing a Cyberspace Solarium Commission. This
Commission is modeled after President Dwight Eisenhower's 1953 Project
Solarium. At that time, as the Soviet Union was on the cusp of
achieving a devastating thermonuclear weapon, Ike recognized that our
Nation needed a clear strategy. We needed to be able to defend
ourselves and our allies against the expanding Soviet threat. This is
where both the historian and the strategist in me gets excited.
Never one to lack a plan, Eisenhower sequestered three different
teams of experts at the National War College for 6 weeks. He tasked
them with articulating a menu of large-scale, strategic frameworks for
the age of nuclear confrontation. The result of Ike's competitive
effort was a new national security directive, NSC 162/2, that charted a
course that would successfully guide U.S. policy and bureaucratic
development over many decades of the Cold War.
We desperately need similar strategic clarity today. The threats to
American security are actually even more dynamic and unpredictable than
in those early years of the Cold War. Then there were giant
technological and scale barriers to becoming a nuclear power; whereas,
today, launching a cyber attack that has global reach requires only
some coding capability, a laptop, and an internet connection.
[[Page S3928]]
This new group, the Cyberspace Solarium Commission, will be made up
of 13 members, putting cyber and national security experts, along with
many Silicon Valley types, in the same room to debate, to think
through, and to propose a comprehensive path forward to guide our cyber
policy.
One of the reasons Ike's Solarium Commission worked so well was
because there was urgency and focus. Under this Cyberspace Solarium
Commission, there will be a deadline for the delivery of a
comprehensive plan with blue sky freedom to reenvision all current
bureaucracies and organizations across our cyber plan and response
units within 1 year.
By September 1, 2019, this Commission would be delivering to both the
President's Cabinet and to the defense and intelligence committees of
the Congress a comprehensive plan to guide cyber security policymaking
going forward.
We cannot continue to stand idly by waiting for a massive cyber
attack to occur and then figure out how we will use that as a catalyst
to begin future planning. We should be planning and prioritizing before
the crisis. For 30 years, we haven't yet developed or committed to a
serious strategy. Now is the time to act, and this NDAA represents one
of the best innovations we have had; that we can set up this national
Cyberspace Solarium Commission to report back, within 1 year, a
comprehensive plan.
Thank you.
____________________