The commission, stood up under the 2019 National Defense Authorization Act, issued 75 recommendations to improve the federal government’s response to a major cyber-attack.
“We want to be the 9/11 Commission without 9/11,” Sen. Angus King (I-Maine), one of the solarium’s co-chairs, told Federal News Network after the commission released its recommendations on Wednesday.
A majority of the recommendations would require congressional approval, but lawmakers who serve on the commission said their first step toward implementation would include standing up a national cyber director that would report directly to the president.
“I think this is a favor to the president, because cyber is a big problem, and it’s scattered throughout the federal government,” King said during the interview. “If I were the president, I would want somebody who I could go to who held the responsibility for overseeing all those agencies.”
Rep. Jim Langevin (D-R.I.), one of the solarium’s commissioners, told Federal News Network that the national cyber director role would look “similar” to the cybersecurity coordinator position that Rob Joyce held in addition to his current role as a senior cybersecurity adviser at the National Security Agency.
Former White House National Security Adviser John Bolton eliminated the cybersecurity coordinator in 2018, but Langevin said the new position would have “more teeth, with more authority, having policy and budgetary authority.”
“Not just an advisory role, but really a coordinator and convener that is going to be able to get all of government pulling in the same direction,” Langevin said.
The report also recommends the State Department create a Bureau of Cyberspace Security and Emerging Technologies, led by an assistant secretary.
That position also resembles a role previously held by Chris Painter, who led the State’s Office of the Coordinator for Cyber Issues before former Secretary of State Rex Tillerson folded that office’s responsibilities into the Bureau of Economic and Business Affairs.
Langevin, during the interview, said the new bureau should have the “personnel and the budget that goes along with the significance of the role.”
The commission also calls on Congress to strengthen the Cybersecurity and Infrastructure Security Agency to serve as the lynchpin to “integrate federal, state, and local, and private-sector security efforts.”
“Congress must invest significant resources in CISA and provide it with clear authorities to realize its full potential,” the report states.
Earlier Wednesday on Capitol Hill, members of the House Homeland Security Committee gave bipartisan pushback to the Trump administration’s fiscal 2021 budget request, which would cut CISA’s funding.
“Cutting CISA’s budget is not a really good idea at all,” Rep. John Katko (R-N.Y.) said. “In fact, the opposite is true. We need to expand your resources. So you can better handle emerging threats.”
Rep. Cedric Richmond (D-La.), chair of the cybersecurity, infrastructure protection and innovation subcommittee, said CISA can’t continue to do more with less.
“The fact is that with more you can do more,” Richmond said. “Technology is evolving and creating opportunities for our adversaries to hack critical infrastructure, disrupt our elections and hold state and local government networks hostage. CISA must be equipped to be an effective federal partner and S&T must be positioned to develop and identify technology to strengthen our defenses. The president’s FY 2021 budget fails to do either those important components.”
Tom Fanning, president and CEO of the Southern Company and a solarium commissioner, told Federal News Network that CISA and its National Risk Management Center have played a critical role as the federal cyber liaison for industries responsible for national critical infrastructure.
Fanning said a “tri-sector” group of finance, telecommunications and electricity companies, working together under the National Risk Management Center, have created a “joint threat matrix” that evaluates the likelihood of a cyber threat and the magnitude of the problem.
“We’re starting to develop a wish list similar to some of the legislative proposals that we’re coming out with in [the] solarium,” Fanning said.
The commission also seeks to consolidate cyber oversight in the legislative branch by creating standalone House and Senate cybersecurity committees.
King said that about 50-to-60 committees currently share a piece of cybersecurity oversight, but under the commission’s recommendations, these new committees would closely resemble the House and Senate Intelligence Committees.
“The various aspects of the intelligence community realized there really needed to be some centralized oversight in the Congress, and those committees were created to perform that function. We think it’s very similar to today, where there’s cyber scattered all over the Congress, cyber responsibilities scattered all over the executive branch,” King said.