Many Cyberspace Solarium Commission recommendations expected to become federal law

Several cybersecurity proposals are advancing in both the US House and Senate that flow from the prolific work of the public-private brainstorming initiative called the Cyberspace Solarium Commission. The Commission was formed in 2019 to break through the seemingly intractable barriers blocking the path to devising and implementing practical solutions to the most challenging cybersecurity problems.

The vehicle through which the commission hopes to enact several dozen of its legislative recommendations (out of 75 recommendations included in its inaugural report this past spring) is the National Defense Authorization Act (NDAA), an annual “must-pass” federal law that sets the budget and expenditures for the US military. The commission’s executive director Mark Montgomery estimated earlier this month that each chamber’s bills would feature eight to 20 of the commission’s recommendations.

On the House side, members voted on at least 11 amendments to the NDAA related to the Solarium Commission, including a study on the cybersecurity insurance market and expanded use of the DMARC (Domain-based Message Authentication, Reporting, and Conformance) security standard among email providers. The House also approved an amendment to create a National Cyber Director, strengthen CISA authorities, and set a five-year term for CISA director, among other provisions that originate from the commission’s recommendations.

The Senate version of the NDAA, passed last Thursday, features at least a dozen amendments “advancing the Department of Defense’s cybersecurity strategy, including implementing recommendations from the Cyberspace Solarium Commission.” The speed with which the Solarium Commission has managed to turn its recommendations, which only emerged in March, into actual legislation is rare on Capitol Hill and even more rare for a thorny, complex topic such as cybersecurity.

Will budgetary concerns hamper cybersecurity legislation?

The crumbling US economy and continued political strife may limit funding of all but the most mandatory congressional initiatives. In terms of which commission recommendations should be given priority given the likely looming budget constraints, “I would say the assistant secretary position at the State Department as well as the bureau that was under that person” is top of the list, Cyberspace Solarium Commission member Congressman Jim Langevin (D-RI) tells CSO.

The State Department had until recently an office of international cybersecurity policy headed by diplomat Christopher Painter, a resource that the White House eliminated early in the administration. “Cyber is not just a US problem; it’s an international problem,” Langevin says. “We need to build cyber norms and enforce those cyber norms.”

The other Solarium proposals that rate high on Langevin’s priority list include establishing a national risk management cycle and clarifying the roles of sector risk management agencies along with maintaining a continued focus on IT modernization and cloud migration. “It’s something we’ve seen in the time of COVID. We are acutely aware that many states have antiquated IT infrastructure. It’s difficult to update, modernize, and defend in the event of cyberattacks. You want to incentivize companies to move their data to the cloud,” he says.

Some experts are optimistic that most of the current Solarium-related legislative proposals will make it into the NDAA. “I think at the end of the day a lot of the recommendations of the commission will make it into the NDAA,” Jamil Jaffer, consultant to the commission, executive director of the National Security Institute and a senior vice president at IronNet Cybersecurity, tells CSO. “A lot of the stuff about DOD and CISA, stuff about strengthening authorities, is likely to get in just because most of it is like motherhood and apple pie,” he says. “There are a lot of pieces that are fairly straightforward.”

Some of the more challenging Solarium Commission recommendations could meet with resistance. “The real question is, what about the bigger pieces? What about the national cyber director? What about the joint collaborative environment?” Jaffer says. (The joint collaborative environment is a cloud platform that shares threat information across the federal government and the private sector.)

Collective defense a “game-changing piece”

Another idea advanced by the Solarium Commission, and most notably promoted by Jaffer’s boss at IronNet, General (Ret) Keith B. Alexander, former head of both NSA and Cyber Command, is the notion of “collective defense,” which involves both public and private organizations working together.

“The provisions on collective defense is really one of the game-changing pieces,” Jaffer says. “No single company standing alone can possibly be expected to defend themselves against nation-state attackers. It’s an unwinnable fight.”

Regarding how the Solarium Commission has managed to be so successful turning its recommendations into legislative reality, “the genius is in how it’s structured,” Jaffer says. “They picked people who other members of the House and Senate would listen to. Then they picked just a bunch of rock star outside experts. What’s amazing is that they were able to get consensus on all these things.”

Now that both the House and Senate have passed their versions of the NDAA, congressional negotiators will take several weeks to hammer out the differences between the two bills. At that point, it will become clearer just how many of the Solarium Commission’s recommendations survive.

One wrinkle in both the process and timing of the bill is President Trump. He has threatened to veto the NDAA unless the provisions in both bills that call for renaming military bases currently named after confederate generals are eliminated. The House passed the NDAA by a vote of 295 to 125, while the Republican-dominated Senate overwhelmingly voted 86 to 14 in favor of their text. If Trump were to veto the final bill, these margins suggest that Congress would likely override his veto, which would be the first such rejection of the Trump administration.