Solarium commissioners focus on cyber director, better attribution

Negotiations between the House and Senate on a $740 billion defense authorization bill will determine which recommendations from the Cyberspace Solarium Commission make it into law.

cybersecurity (vs148/Shutterstock.com)
 

 

The Cyberspace Solarium Commission has successfully lobbied the House to include nearly two dozen of its recommendations in the latest defense authorization bill. They're now working to convince the Senate to adopt ideas like a new White House Cyber Director while also pushing the federal government and its allies to produce quicker attribution and joint sanctions for malicious cyberattacks.

During a House Armed Services Subcommittee on Intelligence and Emerging Threats hearing, ranking member Rep. Elise Stefanik (R-N.Y.) said at least 22 of the more than 50 legislative proposals from the report were included in the final version of the National Defense Authorization Act passed by the House.

Those provisions must still survive a conference with the Senate and a potential veto from the White House, which has already stated its opposition to numerous provisions in the House and Senate versions.

In his opening statement, Subcommittee Chairman Rep. Jim Langevin (D-R.I.) outlined goals beyond this year's legislative accomplishments, saying he hopes the report acts as "a blueprint for legislative and executive actions that force the country to break apart the institutional stovepipes" around cybersecurity policy in Congress and the executive branch.

That includes a provision to establish a new White House Cyber Director who would be responsible for breaking down those barriers and coordinating cyber policy across government. The position was included in the House NDAA but the Senate version would only mandate an independent assessment of the position. Proponents made it clear they intend to continue their advocacy during the conference process.

"The reality is right now we have enormously capable people throughout the federal government, but there's no central point of oversight, there's no central point of coordination, there's no central point of defining strategy," said Sen. Angus King (I-Maine) co-chair of the commission during testimony.

While many in the cyber policy community have embraced the idea, likening it to a restoration of the now-defunct White House Cybersecurity Coordinator position eliminated in 2018, there are some detractors.

Phillip Retinger, president and CEO of the Global Cyber Alliance and former Deputy Under Secretary for the National Protection and Programs Directorate at DHS, has argued that far from clarifying roles and responsibilities around cyber policy, the position as written in the House NDAA would not have any explicit authority around offensive cyber operations carried out by the military and its focus on defensive issues would step on another one of the commission's priorities: further empowering NPPD's successor, the Cybersecurity and Infrastructure Security Agency.

In a piece for Lawfare this month, Retinger wrote that "creating a new Office of the National Cyber Director within the Executive Office of the President would do little to elevate CISA. In fact, it would likely have the opposite effect: reducing the influence of CISA as the new national cyber director works to clear some bureaucratic space by asserting authority and throwing some elbows."

On the other end of the spectrum, Rep. Don Bacon (R-Neb.) expressed concern during the hearing that if the director position did have authority over offensive and intelligence aspects of U.S. cyber policy, it might muddy up current the chain of command to authorize offensive operations between U.S. Cyber Command, the Secretary of Defense and the President. King said such concerns are why the legislation makes clear that the position was designed for planning and coordination.

"We want this person to be accountable for the coordination, but [they] would not have an operational role," King said.

One area where commissioners and lawmakers said they want to see the U.S. and allies get more aggressive is attributing major cyberattacks back to specific groups and their patron countries. One recommendation from the report is strengthening the Cyber Threat Intelligence Integration Center within the Office of the Director of National Intelligence to provide "analysis and coordination necessary for rapid and accurate attribution."

The Department of Justice and Special Counsel Robert Mueller's investigation have issued indictments containing detailed accusations and evidence linking a series of intrusions and influence campaigns during the 2016 election to the Russian government, while the White House and other U.S. agencies have worked to publicize evidence linking China, Iran and North Korea to other high profile attacks.

Earlier this month, the U.K.'s National Cyber Security Centre attributed a widespread espionage campaign targeting Western research organizations that are working on a COVID-19 vaccine to a hacking group with ties to Russian intelligence. Those findings, endorsed by agencies in the U.S. and Canada, also wound up linking a number of malware tools used by the group. The same day of the hearing, the European Union imposed economic and travel sanctions on six individuals and three organizations from China, Russia and North Korea for carrying out the WannaCry, NotPetya and CloudHopper cyber campaigns.

Many of the individuals and entities had previously been identified by U.S. and Western governments, causing Langevin to question whether more could be done to "shorten the timeline between incident and response" when it comes to attribution.

"The WannaCry and NotPetya malware, for instance, were both released in the first half of 2017, and we have known the culprits were the North Koreans and the Russians, respectively, for almost as long," said Langevin in a separate statement sent to FCW before the hearing. "Like-minded nations that believe that cyberspace is not the 'Wild West' must work together to take swift and decisive action in the face of continued belligerence from countries seeking to benefit from 'gray zone' conflict in cyberspace. I urge the Council to publicly commit to working to reduce the time between incident and response."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.