The fiscal 2021 National Defense Authorization Act is loaded with amendments inspired by the Cyberspace Solarium Commission.
But supporters don’t intend to stop there.
The Cyberspace Solarium Commission was established in the fiscal 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.” Following the release of the commission’s report earlier this year, the group’s members almost immediately identified the latest NDAA as a prime vehicle to implement much of their agenda.
Lawmakers serving on the commission — whose members also include agency executives and experts from outside government — introduced dozens of NDAA amendments based on the report’s recommendations. As a result, both the House and Senate versions of NDAA — passed July 21 and 23, respectively — incorporate a number of commission-backed provisions. Co-chairman Sen. Angus King (I-Maine) sponsored or co-sponsored 18 amendments, while on the House side Rep. Jim Langevin (D-R.I.) was involved in submitting at least 16.
In some cases, legislators drew inspiration from multiple recommendations to incorporate cybersecurity initiatives into appropriations language. The commission wants to make it as easy as possible for this Congress or future ones to do that, so it released a document with over 50 ready-made legislative proposals — complete with draft bill language — and distributed it to relevant congressional committees and subcommittees.
“While some recommendations set forth in the March 2020 report
require action by the executive branch; private-sector corporations; state, local, tribal and territorial governments; and ordinary American citizens, we hope these legislative proposals will expedite the implementation process and better prepare the nation to protect itself in cyberspace,” Executive Director Mark Montgomery wrote.
In all, nearly two dozen recommendations made it into the House version of NDAA, while the commission saw somewhat less traction in the Senate. Still, much depends on how this year’s defense authorization process plays out. The numerous differences between the House and Senate bills (cyber-related and otherwise) must be hashed out in conference, but the White House has threatened to veto the bill and specifically objected to several cyber provisions.
Some proponents expect the results to be a mixed bag, with provisions strengthening the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and promoting economic continuity expected to have the best chances of making it into the final legislation.
“Whatever we can’t do in this defense bill we’ll continue to try to move in individual pieces of legislation or in the defense bill next year, but I think we’re already well on the way,” King told reporters earlier this summer.
After the House and Senate passed their versions of the NDAA, Langevin echoed that strategy by saying that although the recommendations included in those bills are a good start, the commission’s report should continue to serve as “a blueprint for legislative and executive actions that
force the country to break apart the institutional stovepipes” related to cybersecurity policy.
Cyber leadership starts at the top
Commission backers are particularly interested in establishing a Senate- confirmed national cyber director position at the White House. The House bill included language to create the position, and Rep. Carolyn Maloney (D-N.Y.), chairwoman of the House Oversight and Reform Committee, held a hearing in July on a stand-alone version of the legislation.
“A challenge as complex and pervasive as cybersecurity requires that our government be strategic, organized and ready,” she said at the hearing. “Democrats and Republicans agree we need a national cyber director to ensure we are fully prepared for, and coordinated in, our response to cyberattacks as our nation fights this silent war.”
The Senate’s version of NDAA, however, would mandate only an independent assessment of the position.
Proponents have made it clear that they intend to continue their advocacy during the conference process. “The reality is right now we have enormously capable people throughout the federal government, but there’s no central point of oversight, there’s no central point of coordination, there’s no central point of defining strategy,” King said during testimony before the House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee in July.
Many cybersecurity policy experts have embraced the idea of
August 2020 FCW.COM 33