Senate panel tees up cyber legislation with expanded powers for CISA and a new White House role
- By Derek B. Johnson
- May 13, 2020
The Senate Homeland Security and Governmental Affairs Committee is moving closer to developing legislative proposals for a number of Cyberspace Solarium Commission recommendations, and Chair Ron Johnson (R-Wis.) signaled in a May 13 hearing that they could start with a proposal to create a new White House Cybersecurity Directorate.
As FCW has reported, restoring and expanding the White House Cybersecurity Coordinator position eliminated in 2018 by then-National Security Advisor John Bolton is a top priority for a number of Republican and Democratic members of Congress following the release of the commission's report. Sen. Mike Rounds (R-S.D.) had sent a letter to commissioners asking them to develop a structure and potentially legislative language for a bill. Sen. Angus King (I-Maine), a Solarium co-chair, said commissioners were actively working on the proposal.
Carving out specific roles and responsibilities for the directorate that don't conflict with those of CISA and other agencies will be key. Solarium co-chair Rep. Mike Gallagher (R-Wis.) said the commission considered a number of models for the position, including one similar to the Office of the Director of National Intelligence. Ultimately, commissioners determined that the U.S. Trade Representative position was a better comparison because "it's interdisciplinary, it's functionally oriented and it's institutionalized with Senate confirmed leadership and situated within the executive office of the President."
Suzanne Spaulding, a Solarium commissioner who led CISA's predecessor, noted that the agency only has jurisdiction over protecting civilian federal agencies. The new position would be charged with bridging the gap between the country's defensive and offensive capabilities, even as the commission envisions a civilian leader for the role.
"This national cyber director among other things would be able to bring together the defensive and offensive planning to make sure those things are coordinated, that they're working in a synergistic way and not at cross purposes and bring in [DOD] authorities into that broader whole of nation, whole of government planning," she said.
The committee has already laid the groundwork for another priority recommendation, giving CISA the authority to subpoena Internet Service Providers to obtain records of critical infrastructure providers with known cybersecurity vulnerabilities. Gallagher said commissioners were satisfied with the bill approved by the committee in January and are set to conduct a bipartisan full-court press in the House to include it in the upcoming National Defense Authorization Act.
The legislation would "strengthen CISA's ability to be proactively detecting vulnerabilities in critical infrastructure and help secure them before they're compromised," Gallagher said.
Anxiety about China loomed large over the hearing, which came on the same day that CISA and the FBI released a joint advisory saying the federal government is actively investigating "the targeting and compromise of U.S. organizations conducting COVID-19-related research by [People's Republic of China] affiliated cyber actors and non-traditional collectors."
The agencies claim these actors have been observed targeting intellectual property and data related to vaccines, treatments and testing at U.S.-based research organizations that have appeared in press reports detailing their work on COVID-19 research. They advised researchers to actively scan their web applications for anomalous activity, boost credential requirements to include multi-factor authentication, ensure internet-connected systems are patched in a timely fashion and suspend access for any users who are exhibiting strange behavior.
Senator Gary Peters (D-Mich.), the committee's Ranking Democrat, expressed concern about the reported hacks in a May 12 letter to the White House. Peters asked the administration to direct CISA and U.S. Cyber Command to prioritize support to hospitals and medical research institutions, request increased funding for state and local cybersecurity, boost security funding at the Department of Health and Human Services and confront China using "all levers of national power – diplomatic, military, economic and law enforcement."
King said the commission determined that activities like the kind attributed to the Chinese government will only be deterred by an international coalition that is willing to impose collective consequences on countries who break with international norms in cyberspace. Such consequences could be delivered through cyberspace, a military response or other means, but King said the penalties should be even graver when done during the COVID-19 outbreak or other emergency.
"This is exactly the kind of thing we've been talking about and frankly…if you come at us in a time of national crisis like the pandemic, the response will be even stronger," King said of the commission's work.
Senator Mitt Romney (R-Utah) suggested that countries who violate cyber norms ought to face economic consequences.
"I figure the only way we're really going to get China to be dissuaded from the course they're on is if we and other nations that follow the rule of law, if we come together and say 'hey China if you keep doing these things, you can no longer have unfettered access to our markets,'" Romney said.
Derek B. Johnson is a former senior staff writer at FCW.