WASHINGTON — A committee created by Congress to develop a more strategic approach to defending against cyber-attacks shuts down Tuesday, ending two and a half years of work on policy recommendations, legislative pushes and warnings about malware, ransomware and other threats.
When the Cyberspace Solarium Commission issued its first recommendations in March 2020, its members pledged, after a year of research and writing, that the panel would operate differently from other blue-ribbon exercises in Washington. Senator Angus King, an independent from Maine and co-chair of the committee, said the recommendations wouldn’t end up gathering dust on a shelf like those drafted by many other well-meaning panels.
The committee’s name was based on the Eisenhower administration’s Project Solarium, which developed new policies for the Cold War. Influential members of the House and Senate Armed Services Committees led the committee, which allowed its cybersecurity recommendations to be packaged as legislation to be incorporated into one of the few policy bills passed each year: the annual National Defense Authorization Act.
“This is an example of what I think was genius — and I can say that because it wasn’t my idea — instead of just issuing a report with recommendations, we handed the congressional committees fully drafted, completed legislation,” Mr. King said.
Congress originally set the commission to end by the end of 2020, but extended its work for an additional year. During that time, Mr. King said, about half of the panel’s recommendations have been implemented, most through legislation, but some through executive actions.
The commission concludes with notable successes, such as the creation of a national cyber director in the White House and measures to strengthen the Cybersecurity and Infrastructure Security Agency’s powers, as well as provisions in this year’s defense bill, including requirements for revised response plans and more drills and exercises for government officials.
Some key initiatives remain unfinished, with details of legislation still to be worked out or arguments about congressional jurisdiction to be untangled.
“We are aware that there are some big things that need to be done that have not been done,” said Representative Mike Gallagher, Republican of Wisconsin and the committee’s other co-chair.
The committee developed a proposal for a bill that would have identified systemic infrastructure. Companies – such as Colonial Pipeline, which was hit by a ransomware attack in May – that play a critical role in the economy would receive special help to improve their cybersecurity. In return, however, they would have to meet additional security requirements and share additional information with the government.
More hearings with the House Homeland Security Committee will be needed before that legislation moves forward, as lawmakers grapple with details about liability protection and how to oversee the security of cloud computing providers and other industries.
Mr. Gallagher, who has emerged over the past two years as a rising star among members of his party focused on legislation, said he wanted additional measures requiring companies and institutions that operate critical infrastructure to report break-ins or attacks to federal authorities.
“We believe Congress should authorize the Department of Homeland Security to establish requirements for critical infrastructure entities to report cyber incidents to the federal government,” said Mr. Gallagher. “But that failed to cross the finish line.”
The committee also developed proposals for a “joint collaborative environment” on cyber threats that would increase information sharing between private companies and the government. While government officials say they have taken steps in that direction, private companies say there are still too many barriers to information sharing — and committee members agree.
At this time, Mr. Gallagher said, the federal government does not have the infrastructure to share data between agencies and with private companies. The mentality must also change, he said.
“It’s a matter of how you can change the culture of the intelligence community so that they are proactively willing to share things with the private sector, rather than just hoarding or demanding information,” said Mr. Gallagher.
Some legislative proposals — such as the creation of a national cyber director — were hotly debated, but the panel largely avoided partisan fights.
“I’ve put more time and energy into this project than anything else I’ve done in the Senate. And I didn’t want to waste that time and energy,” said Mr. King, who caucuses with the Democrats.
Mr. Gallagher and Mr. King said they were hopeful that their remaining key legislation could be passed by Congress next year.
While the commission will end, lawmakers and other members will continue to work with a new nonprofit, said Mark Montgomery, the commission’s executive director.
The nonprofit will continue to investigate these initiatives and members and their staff will push for congressional action, he said. It will also be a resource for researchers and scholars investigating policy problems and solutions, and will host the committee’s report and papers on various topics.
Previous efforts to improve cybersecurity approaches have run out of steam. But Mr. Montgomery said the nonprofit might be able to maintain momentum, at least for a while, by keeping up with the committee’s annual appraisal reports.
The nonprofit, Mr. Montgomery said, will also maintain a variation of the committee’s name with a new website that will be up and running in the new year.
“I went and bought cybersolarium.org for $12,” said Mr. Montgomery. “So we’re going to have to move from solarium.gov to cybersolarium.org. But that’s $12 I was willing to spend.”