May 13, 2020
WASHINGTON, D.C. – Today, U.S. Senator Angus King (I-Maine), co-chair of the Cyberspace Solarium Commission (CSC), along with CSC co-chair Representative Mike Gallagher (R-Wis.) and Commissioners Suzanne Spaulding and Thomas Fanning, testified before the Senate Committee on Homeland Security and Government Affairs and presented the CSC’s recommendations to establish a comprehensive, forward-looking cybersecurity posture for the United States. The final report, issued on March 11, lays out more than 75 recommendations to improve the security of U.S. critical infrastructure and provides a strategic approach of layered cyber deterrence to defend the United States against cyberattacks of significant consequences.
“The real basis of the Commission rests upon three issues. One is reorganization. Get the structure right, which the Chairman talked about this at the beginning. The second is resilience. How do we build cyber defenses to keep ourselves safe from attack? And the third is response. How do we respond to attacks in such a way as to defend our country. Now, the fundamental strategy, if you will, is called layered cyber-deterrence,” said Senator King during his opening statement, beginning at 1:21. “Here are the layers: number one is shape behaviors. That is, establish norms and standards in the international community so that this isn't a unilateral, one country kind of effort. The second is to deny benefits. And that is to strengthen our cyber defense, and that’s, part of this is reorganization, part of this is strengthening CISA and other agencies, that we'll talk about later this morning, but to basically be more resilient. And that includes plans for the recovery of the economy in the case of a cyberattack. The third is the strategy of deterrence.
We have been attacked over and over for the last 10 or 15 years, and our adversaries have paid little price. We need to establish a clear declaratory policy that, if you attack the United States in cyberspace, you will have to pay a cost. And that’s really the fundamental idea of deterrence, and we’ve got to be clear about it and we’ve got to have our adversaries make the calculation that attacking us is going to cost them. I want to change their calculus when they’re making that decision, and that’s what the fundamental strategy is that we’re going to be presenting you today.”
During the hearing, Senator King and his fellow commissioners discussed the urgent need to ensure economic continuity in the face of a cyberattack, citing the impact of the ongoing coronavirus pandemic; emphasized the danger of outsourcing material for critical infrastructure; urged a funding plan to bolster state and local cybersecurity programs; emphasized the importance of centralized leadership, beginning with the creation of a National Cyber Director; and argued in favor of advancing international norms in cyberspace. Quotes from Senator King on these subjects can be found below.
On the importance of establishing a strong structure to spearhead cyber defense, including the need for a National Cyber Director and development of select committees:
(Begins at 00:00)
“I have a life principle that structure is policy. If you have a messy structure, you’re going to have a messy policy. And right now, we have a structure in our government that is, we have really good people and really good agencies like CISA, like Cyber Command, but there’s nobody in charge. Again, going back to my business days, I always like to have one throat to choke. And that’s the National Cyber Director. We need somebody at a very high level who can oversee and coordinate and work on the planning with all of these different disparate parts of the federal government that are working on this. I think that’s an absolutely critical need.
The other recommendation, which hasn’t gotten much discussion today, is we recommend that the Congress reorganize itself and develop select committees on cyber because of, we’ve got cyber jurisdiction just scattered across, I’ve heard as high as 80 subcommittees in the Congress. It’s very difficult to get anything done. Now, that’s going to be difficult, because I’m on Intelligence and Armed Services we’re talking now to Homeland Security, people are going to give up some jurisdiction in order to gain a more coherent approach to this issue both in Congress and in the Executive Branch.”
On the importance of ensuring continuity of the economy during a potential cyberattack:
(Begins at 00:29)
“I think one of the first things we’ve learned is the necessity of planning, the necessity of thinking the unthinkable, of putting smart people into a room and talking about what could happen and what would happen and how to bring the economy back. I think that the continuity of the economy, planning and setting that up as a real function, is one of our most important recommendations. And we’ve got to be thinking about what happens if the northeast grid goes down, or the southern grid. We’ve got to be thinking about the lessons that we’re learning now, some unanticipated…. we want to be the 9/11 commission without 9/11. That’s exactly what we’re trying to do here, to think about how to respond in a systematic, across the government kind of way, and the private sector. But, that’s the key. The 9/11 Commission, without 9/11.”
On the dangers of outsourcing production of critical infrastructure:
(Begins at 00:05)
“We’ve learned in the COVID situation how critical the supply chain is and what a mistake it is to rely on supplies for critical materials outside of our borders…we have to realize that the Chinese are integrating economic policy with intelligence and national policy by subsidizing things like Huawei to make it cheaper in order to insinuate itself into the nations, or the world’s internet infrastructure. We have to realize the cheapest may not always be the answer, and maybe a little premium on the price to have control of the supply chain is an insurance policy. And I think that’s the way we have to look at this because historically we’ve just said, ‘well, we’ll get the cheapest wherever we can,’ and that’s going to bite us. And supply chain, I think, we just have to analyze every piece of military equipment, every piece of critical infrastructure and say, where is it coming from? And is it safe?”
On the value of establishing and enforcing international norms in cyberspace:
(Begins at 00:00)
“Churchill once said the only thing worse than fighting with allies is trying to fight without allies. And in my visits to Asia, what I’ve found is, China has clients and customers, we have allies. And we don’t take sufficient advantage of that, and one of our recommendations is a new position of Assistant Secretary of State for International Norms in Cyberspace. We’ve got to involve the rest of the world in setting what the guardrails are. So if China violates them they’re not just going to be facing some kind of sanctions from us, but from the entire world. And they’re, above all else, sensitive to economic responses. If it’s an international economic response, it’s going to be a lot more powerful than it’s just, if it’s unilateral from our side.”
On the Commission’s plan to help state and local governments bolster their cybersecurity:
(Begins at 00:15)
“In fact, a major wave of ransomware has attacked our cities and towns. We’ve had small towns in Maine that have hits of ransomware. I think there were something like 45 mentions of state, local, tribal governments. And here, here’s what we wrestled with. We believe, and we advocate for the creation of a fund to assist states and localities in dealing with these issues, not only money but also technical expertise, which CISA has, we have throughout the federal government. But part of it, part of the thing we wrestled with is what I call moral hazard. We don’t think the federal government should relieve the states of their own obligations to protect their own networks and to do what’s necessary…
“So what we’ve proposed was a matching program where it would start with a 90% federal share, 10% match for improving critical infrastructure on the state level which, year by year would scale up and end up being 50-50. We want the states to be engaged as well… So, that was the way we approached it, but we understood and believe deeply that working with the states on critical infrastructure is absolutely important.”
The Cyberspace Solarium Commission was established by statute in the 2019 National Defense Authorization Act (NDAA), and officially launched in April 2019. The Commissioners convened nearly every Monday that Congress was in session for a year, and the Commission's staff conducted more than 400 engagements, drawing upon the expertise of corporate leaders, federal, state and local officials, academics, and cybersecurity experts. The meetings and the ensuing report sought to understand America’s posture in cyberspace and identify opportunities to improve our national preparedness to defend ourselves against cyberattacks.
The CSC was established in the spirit of the original Project Solarium convened by President Dwight D. Eisenhower in 1953. The original Solarium was created to develop a consensus strategy to counter the Soviet Union as it was threatening the United States and its allies in the early days of the Cold War. This work contributed to the strategies that guided the United States through the Cold War, ending with the fall of the Berlin Wall and the collapse of the Soviet Union. The newest iteration of the Solarium seeks to create a path forward that will guide the United States through a new age of warfare.