A good first step for sure, however there needs to be a government-wide decision on cyber attacks being an act of war and how to respond.
- Reform the U.S. Government’s Structure and Organization for Cyberspace.
- Strengthen Norms and Non-Military Tools.
- Promote National Resilience.
- Reshape the Cyber Ecosystem.
- Operationalize Cybersecurity Collaboration with the Private Sector.
- Preserve and Employ the Military Instrument of National Power.
A much-anticipated government report aimed at defending the nation against cyber threats in the years to come opens with a bleak preview of what could happen if critical systems were brought down.
“The water in the Potomac still has that red tint from where the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals,” the Cyberspace Solarium Commission wrote in the opening lines of its report.
“By comparison, the water in the Lincoln Memorial Reflecting Pool has a purple glint to it. They’ve pumped out the floodwaters that covered Washington’s low-lying areas after the region’s reservoirs were hit in a cascade of sensor hacks,” it continues.
So begins the report two years in the making from a congressionally mandated commission made up of lawmakers and top Trump administration officials, pointing to the vulnerabilities involved with critical systems being hooked up to the internet.
The report, which includes more than 75 recommendations for how to prevent the cyber doomsday it spells out, and the commission that made it were both mandated by the 2019 National Defense Authorization Act (NDAA).
The commissioners, who include co-chairmen Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), highlight a range of issues to address, but zero in on election security as “priority.”
“The American people still do not have the assurance that our election systems are secure from foreign manipulation,” King and Gallagher wrote in the report. “If we don’t get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up.”
The focus on shoring up election security, and the agreed-upon recommendations for how to do this, sets the report apart from the approach to the subject on Capitol Hill, where it has been a major issue of contention between Republicans and Democrats since Russian interference in the 2016 presidential election.
Beyond election security, the commissioners call for overarching government reform to address cyber vulnerabilities. Chief among these is calling on the White House to issue an updated national strategy to address cyber threats and to establish a national cybersecurity director position to coordinate efforts.
In terms of congressional action, commissioners recommend that Congress create cybersecurity committees in both the House and Senate, establish a Bureau of Cybersecurity Statistics, and establish an assistant secretary position at the State Department to lead international efforts around cybersecurity.
“While cyberspace has transformed the American economy and society, the government has not kept up,” commissioners wrote in calling for reforms.
The commission also zeroed in on “imposing costs” to adversaries who attempt to attack the U.S. online. In order to do so, it recommended that the Department of Defense conduct vulnerability assessments of its weapons systems, including nuclear control systems, and that it make cybersecurity preparedness a necessity.
The Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s cyber agency, would be empowered as the “lead agency” at the federal level.
The report’s recommendations were debated on and pinpointed by a group of high-ranking commissioners who also included FBI Director Christopher Wray, Deputy Secretary of Defense David Norquist, Transportation Security Administration Administrator David Pekoske, Sen. Ben Sasse (R-Neb.), and Rep. James Langevin (D-R.I.).
Langevin said in a statement on Wednesday that the report is intended to shore up the nation’s cyber “resiliency for years to come.”
“Our charge in drafting this report was to prevent a cyber event of significant national consequence, and we know that the short- and long-term recommendations we crafted will better position us to realize the promise of the Internet, while avoiding its perils,” Langevin said. “The sooner our recommendations are implemented, the better positioned the country will be to prevent and respond to incidents that can disrupt the American way of life.”
The report’s recommendations may soon have real-world consequences on Capitol Hill.
Rep. John Katko (R-N.Y.), the ranking member on the House Homeland Security Committee’s cyber panel, told The Hill this week that there “definitely will be some legislation” stemming from the report’s recommendations, and that hearings would likely be held.
Katko noted that he had talked with Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) about the Senate also taking action around the report.
“This report screams of the need for bipartisan action on this, and I hope that we can leave the politics out of it, and I hope we can attack these problems quickly and effectively,” Katko said.
Rep. Cedric Richmond (D-La.), the cyber subcommittee’s chairman, opened a hearing on Wednesday by praising the report’s recommendations and saying he looked forward to working to “codifying” the ideas alongside House Homeland Security Committee Chairman Bennie Thompson (D-Miss.).
Industry groups also reacted positively to the report’s recommendations. Tom Gann, the chief public policy officer of cybersecurity firm McAfee, told The Hill in a statement that he agreed with most of the report’s findings and hoped that they are “acted upon with speed.”
Protect Our Power, a nonprofit with the goal of protecting the electric grid, also praised the report.
“These are compelling recommendations, echoing issues we have highlighted for several years now, and action is long overdue,” Jim Cunningham, executive director of the group, said in a statement. “Without a reliable supply of electricity before, during and following a disabling cyberattack, none of our critical infrastructure can function.”
While there may be legislative action soon – and praise from industry groups – both Gallagher and King emphasized in the report that their main aim was for it to open the eyes of Americans to the dangers posed by cyberattacks on critical systems.
“The status quo is inviting attacks on America every second of every day,” the co-chairmen wrote. “We all want that to stop. So please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private sector act with speed and agility to secure our cyber future.”