  1. RECOMMENDATIONS FROM THE CYBERSPACE SOLARIUM COMMISSION REPORT
    1. PILLAR ONE: REFORM THE U.S. GOVERNMENT’S STRUCTURE AND ORGANIZATION FOR CYBERSPACE
      1. Assessment of Overall Pillar Progress
      2. Recommendation Progress
    2. PILLAR TWO: STRENGTHEN NORMS AND NON-MILITARY TOOLS
      1. Assessment of Overall Pillar Progress
      2. Recommendation Progress
    3. PILLAR THREE: PROMOTE NATIONAL RESILIENCE
      1. Assessment of Overall Pillar Progress
      2. Recommendation Progress
    4. PILLAR FOUR: RESHAPE THE CYBER ECOSYSTEM TOWARD GREATER SECURITY
      1. Assessment of Overall Pillar Progress
      2. Recommendation Progress
    5. PILLAR FIVE: OPERATIONALIZE CYBERSECURITY COLLABORATION WITH THE PRIVATE SECTOR
      1. Assessment of Overall Pillar Progress
      2. Recommendation Progress
    6. PILLAR SIX: PRESERVE AND EMPLOY THE MILITARY INSTRUMENT OF POWER
      1. Assessment of Overall Pillar Progress
      2. Recommendation Progress

RECOMMENDATIONS FROM THE CYBERSPACE SOLARIUM COMMISSION REPORT

The U.S. Cyberspace Solarium Commission Report, issued in March of 2020, presents 82 recommendations separated into six thematic pillars. Proceeding by pillar, this section outlines progress on each recommendation. Recommendations listed in the original report as “Key Recommendations” are indicated in bold in the charts displayed below.

PILLAR ONE: REFORM THE U.S. GOVERNMENT’S STRUCTURE AND ORGANIZATION FOR CYBERSPACE

Assessment of Overall Pillar Progress

Pillar One of the CSC report highlights one of the Commission’s flagship recommendations: the establishment of a National Cyber Director (Recommendation 1.3). Section 1752 of the FY21 National Defense Authorization Act established the position in law, a step that was further advanced when the Biden administration announced a nomination for the position on April 12, 2021, and a Director was confirmed on June 17, 2021. Recommendation 1.4, which focuses on strengthening CISA, is similarly crucial. The recommendation comprises several related actions, four of which were enacted into law in the FY21 NDAA. Overall, significant steps have been taken toward implementation of the Commission’s recommendations in this pillar, but as emphasized above, there is a distinction between implementation and success. Even for these major achievements, the manner in which the law is carried out will significantly affect whether these recommendations produce meaningful, lasting improvements in national cybersecurity. Moreover, other prominent recommendations from this pillar remain to be implemented. Funding for cyber workforce development programs in the National Science Foundation (NSF), NIST, and CISA, in particular, will be a key priority for the coming months.


Recommendation Progress

Recommendation 1.1 – Issue an Updated National Cyber Strategy: This recommendation will require executive action. While the Biden-Harris administration has indicated that cybersecurity will be an early priority,27 a new National Cyber Strategy has yet to be released. At a May 14 hearing before the House Armed Services’ Subcommittee on Cyber, Innovative Technologies, and Information Systems, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang indicated that the Biden administration is currently conducting the review that will culminate in the issuance of a new National Cyber Strategy.28 Separately, CSC staff have offered the administration text for an executive order, providing further specificity in fulfilling the recommendation.

Recommendation 1.1.1 – Develop a Multitiered Signaling Strategy: This recommendation will require executive action, and CSC staff have drafted text for an executive order that outlines a detailed plan for developing a multitiered signaling strategy aimed at altering adversaries’ decision calculus and addressing the risks of escalation in cyber conflicts. Recent action from the Biden administration, including the June 2021 meeting with Russian President Vladimir Putin,29 demonstrates a willingness to engage in signaling through individual engagements, but does not—in and of itself—demonstrate a multitiered signaling strategy.

Recommendation 1.1.2 – Promulgate a New Declaratory Policy: This recommendation will require executive action. CSC staff have drafted text for an executive order that reforms the United States’ declaratory policy regarding cyberspace and is focused on a use-of-force threshold in order to reinforce deterrence of strategic cyberattacks.

Recommendation 1.2 – Create House Permanent Select and Senate Select Committees on Cybersecurity: The Commission expected and has encountered significant pressure against this recommendation, which is one of the four that face known significant barriers to implementation. However, the recommendation has been drafted into legislative language and stands ready should a future emergency create the political impetus needed to overcome existing barriers.


27 Maggie Miller, “Biden: US Taking ‘Urgent’ Steps to Improve Cybersecurity,” The Hill, (February 4, 2021), https://thehill.com/policy/cybersecurity/537436-biden-says-administration-launching-urgent-initiative-to-improve-nations.

28 Eoyang, testimony at hearing, “Operations in Cyberspace and Building Cyber Capabilities Across the Department of Defense,” at 20:18.

29 Vladimir Soldatkin and Humeyra Pamuk, “Biden Tells Putin Certain Cyberattacks Should Be ‘Off-limits,’” Reuters, June 16, 2021, https://www.reuters.com/technology/biden-tells-putin-certain-cyber-attacks-should-be-off-limits-2021-06-16/.


Recommendation 1.2.1 – Reestablish the Office of Technology Assessment: The Office of Technology Assessment is already authorized, and requires only the appropriation of funds to implement the recommendation. CSC’s Commissioners who are members of Congress submitted a letter to the appropriations committees recommending $6 million for this purpose in FY21; however, the joint explanatory statement accompanying the FY21 appropriations bill recommended additional funding to support the development of technological expertise in the Government Accountability Office (GAO) and the Congressional Research Service.30 Because both these organizations function by responding to specific reporting requests, they cannot maintain the in-the-moment expertise needed by legislators and their staffs. Accordingly, for FY22 the CSC’s congressional Commissioners repeated their recommendation for $6 million to fund the Office of Technology Assessment.

Recommendation 1.3 – Establish National Cyber Director: The position of National Cyber Director was established in Section 1752 of the FY21 NDAA, and the Biden administration nominated Cyberspace Solarium Commissioner Chris Inglis as the first to serve in the post.31 The Homeland Security and Governmental Affairs Committee in the Senate held a confirmation hearing on June 10, 2021, and Inglis was confirmed as National Cyber Director on June 17, 2021.32 Executive branch leaders can continue to ensure adherence—both in letter and in spirit—to the law establishing this position by empowering the National Cyber Director to coordinate, support, and deconflict whole-of-nation cybersecurity and defensive cyber efforts. Taking steps in this direction, Executive Order 14028 (“Improving the Nation’s Cybersecurity”) clarifies that upon the appointment of the NCD and the establishment of the related office, portions of the order may be modified to ensure that the NCD can execute his duties. The CSC’s congressional Commissioners submitted a letter to the appropriations committees during the FY22 appropriations cycle recommending that $50 million in funding be provided for this purpose, with half of that available through FY23. The President’s Budget Request includes $15 million to establish the Office of the National Cyber Director.33

Recommendation 1.4 – Strengthen the Cybersecurity and Infrastructure Security Agency: This recommendation, composed of several elements, was largely put into law in Sections 1705, 1718, 1745, and 9001 of the FY21 NDAA. The Biden administration’s recent executive order on improving the nation’s cybersecurity further strengthens CISA by implementing such efforts as cyber vulnerability reduction, incident response planning for the federal government, and the creation of an endpoint detection and response (EDR) initiative to bolster federal government capability to detect incidents.34 The remaining element of the Commission’s recommendation not yet implemented is a five-year term for the Director of the Cybersecurity and Infrastructure Security Agency. The Commission will be pursuing this legislative objective in the coming months. Moreover, during the FY21 appropriations cycle the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding for CISA to bolster mission support activities (an increase of approximately $56.5 million over FY20 enacted levels) and support additional hunt and incident response teams (an increase of $40 million). The large majority of the mission support activities were funded in the FY21 appropriations bill, but only $3 million was provided to increase CISA’s threat-hunting capabilities. The CSC’s congressional Commissioners recommended additional funding for CISA during the FY22 appropriations cycle. The request included an increase of $400 million to the 050 National Defense Budget Function, from which CISA draws almost all of its funding, in order to augment the overall share of money that can be allocated to CISA during the appropriations process.


30 U.S. Congress, Joint Explanatory Statement, Division I (to Accompany the Consolidated Appropriations Act, 2021), 116th Cong., 2nd sess. (2020), 2, https://docs.house.gov/billsthisweek/20201221/BILLS-116RCP68-JES-DIVISION-I.pdf.

31 “Statement by National Security Advisor Jake Sullivan on National Cyber Director and CISA Director Nominations,” White House Briefing Room, April 12, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/12/statement-by-national-security-advisor-jake-sullivan-on-national-cyber-director-and-cisa-director-nominations/.

32 Homeland Security and Governmental Affairs Committee Hearing, “Nominations of Robin Carnahan to be Administrator, General Services Administration; Jen Easterly to be Director, Cybersecurity and Infrastructure Security Agency, DHS; and Chris Inglis to be National Cyber Director,” 117th Cong. (2021), https://www.hsgac.senate.gov/hearings/nominations-of-robin-carnahan-to-be-administrator-general-services-administration-jen-easterly-to-be-directorcybersecurity-and-infrastructure-security-agency-dhs-and-chris-inglis-to-be-national-cyber-director; Riley, “Chris Inglis Confirmed as First US National Cyber Director.”

33 Office of Management and Budget, Budget of the U.S. Government: Fiscal Year 2022 (Washington, DC: U.S. Government Publishing Office, 2021), 32, https://www.whitehouse.gov/wp-content/uploads/2021/05/budget_fy22.pdf.

34 Exec. Order No. 14028.

Recommendation 1.4.1 – Codify and Strengthen the Cyber Threat Intelligence Integration Center (CTIIC): CSC staff have proposed legislation in support of this recommendation. Since the CTIIC was established in 2015, it has consistently been under-resourced, lacking the funds, personnel, and analytical assets it needs to carry out its mission. Legislative action and subsequent appropriations are needed to implement this recommendation.

Recommendation 1.4.2 – Strengthen the FBI’s Cyber Mission and the National Cyber Investigative Joint Task Force: The implementation of this recommendation requires additional funding. During the FY21 appropriations cycle, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding to the Federal Bureau of Investigation Cyber Division of $28.5 million above the FY20 enacted level, and $17 million above the presidential FY21 request. The FY21 appropriations bill did not follow this recommendation. The CSC’s congressional Commissioners have again recommended funding support for these critical functions in the FY22 appropriations cycle, and the President’s Budget Request includes $40 million to “increase the FBI’s capacity for unilateral, joint, and enabled [cyber] operations with other Federal, State, local and international partners.”35

Recommendation 1.5 – Diversify and Strengthen the Federal Cyberspace Workforce: Legislation passed in the FY21 NDAA partially met this recommendation but requires an increase in appropriations to enable the newly authorized work (Sections 9401–9407), and the Federal Cybersecurity Workforce Expansion Act, introduced in June 2021, would implement elements of the recommendation related to federal apprenticeship and veteran upskilling programs if passed.36 Further authorization is needed to implement other elements of the recommendation. The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding during the FY21 appropriations cycle of $20 million above the FY20 enacted level in order to grow the CyberCorps: Scholarship for Service program. The FY21 appropriations bill provided an additional $5 million over FY20 enacted levels, stipulating that $7.5 million must be used to support a specific subset of programs. For FY22, the President’s Budget Request has recommended a $10 million increase to the program’s budget.37 However, to ensure future growth of this critical federal cyber workforce program commensurate with the need for cyber professionals, the CSC’s congressional Commissioners have recommended an additional increase of $20 million for the FY22 appropriations cycle.

Recommendation 1.5.1 – Improve Cyber-Oriented Education: To support the provision of curricula, educator training, and other resources to improve cybersecurity education nationwide, CSC supported the codification of the Cybersecurity Education and Training Assistance Program (CETAP), which was implemented through Section 1719 of the FY21 NDAA. The President’s Budget Request for FY22 suggested eliminating the budget for this program.38 The CSC’s congressional Commissioners also submitted a letter to the appropriations committees recommending additional funding for this program in the FY22 appropriations cycle.


35 Department of Justice, “Federal Bureau of Investigation (FBI): FY 2022 Budget Request at a Glance,” Department of Justice, 122, https://www.justice.gov/jmd/page/file/1399031/download.

36 “Senators Hassan, Cornyn Introduce Bipartisan Bill to Strengthen Federal Cyber Workforce,” Office of Senator Maggie Hassan, June 25, 2021, https://www.hassan.senate.gov/news/press-releases/senators-hassan-cornyn-introduce-bipartisan-bill-to-strengthen-federal-cyber-workforce.

37 National Science Foundation, National Science Foundation: FY 2022 Budget Request to Congress (May 2021), 48, https://www.nsf.gov/about/budget/fy2022/pdf/fy2022budget.pdf.

PILLAR TWO: STRENGTHEN NORMS AND NON-MILITARY TOOLS

Assessment of Overall Pillar Progress

Progress toward implementation of Pillar Two recommendations largely took the form of building momentum via public engagement for legislation in the upcoming months, though funding a portion of the recommended Cyber Assistant Legal Attachés (ALATs) in the FBI is a significant accomplishment in its own right. In February of 2021, the Cyber Diplomacy Act was reintroduced in the House of Representatives, and its co-sponsors included two CSC Commissioners. This legislation would implement the key Recommendation 2.1 of this pillar by establishing the Bureau of International Cyberspace Policy led by an ambassador, reporting to the Undersecretary of State for Policy or a higher State Department official. As of the time of publication, the bill has passed the House and has been received in the Senate. Passage of this legislation would represent major progress for this pillar and remains a major priority for the Commission in 2021. An additional priority for 2021 is the consolidation of capacity-building funds as outlined in Recommendation 2.1.3. Capacity building incentivizes and enables countries to abide by norms of responsible state behavior and thereby improves cybersecurity globally, but its effective implementation requires the flexibility and comprehensive approach of a consolidated fund.



38 U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Budget Overview, Fiscal Year 2022, 154.


Recommendation Progress

Recommendation 2.1 – Create a Cyber Bureau and Assistant Secretary at the U.S. Department of State: CSC staff have proposed legislation in support of this recommendation, and the Cyber Diplomacy Act of 2021, which closely aligns with the CSC’s proposal, was introduced on February 23, 2021, and passed in the House of Representatives on April 20, 2021.39 The Cyber Diplomacy Act recommends the creation of the Bureau of International Cyberspace Policy and, if passed, will meet the intent of the Commission’s recommendation; the bureau will require additional appropriations to be fully funded and resourced.

Recommendation 2.1.1 – Strengthen Norms of Responsible State Behavior in Cyberspace: This recommendation will require executive action, and CSC staff have provided text to the administration for a draft executive order that outlines actions federal departments and agencies can take to accomplish this recommendation through diplomatic engagement, expanded capacity building, and reinvigorated confidence-building measures. Recent executive actions demonstrate that steps implementing this recommendation are at least partially underway. The establishment of a working group announced in March involving the United States, Japan, India, and Australia is a major step toward international engagement to strengthen norms of responsible state behavior,40 and shows that these issues have been elevated to the level of head-of-state conversations. However, many more steps such as these will need to be taken if this recommendation is to be fully implemented.

Recommendation 2.1.2 – Engage Actively and Effectively in Forums Setting International Information and Communications Technology Standards: Executive action and appropriations are required for this recommendation. To address both the requirements of this recommendation and the related requirements in Recommendation 4.1.2 below, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding of $30 million for FY21 to support NIST’s cybersecurity and privacy programs. The Consolidated Appropriations Act for FY21 did not include this increase, though the requirements for work on standards have grown rapidly. Accordingly, the CSC’s congressional Commissioners have recommended a significant increase to support NIST’s cybersecurity and privacy programs for FY22. The President’s FY22 Budget Request includes a modest increase (approximately $2.35 million) for the Standards Coordination and Special Programs portfolio, which includes NIST’s work on international standards development,41 as well as increases totaling $3.5 million that would benefit specific standards initiatives in the areas of advanced communications and would help strengthen diversity and equity in the standards workforce.42 Separately, the Senate-passed United States Innovation and Competition Act (USICA) includes several provisions that make progress on this issue. Section 2306 would require the Secretary of Commerce to work with the Secretary of Energy to build capacity and training programs for U.S. engagement in standards setting, partner with the private sector on developing standards for digital economy technologies, and prioritize efforts focused on developing standards for emerging technologies. Section 3210 requires the President to establish an interagency working group, led by the Secretary of State, whose goal is to increase U.S. engagement in international standards bodies focused on 5G. The working group would also be assigned responsibility for providing a strategy that addresses U.S. engagement at 5G standards bodies, diplomatic engagement with partners and allies, China’s presence and engagement at standards bodies, and engagement with private-sector stakeholders to develop 5G standards. Other provisions direct the Assistant Secretary of Commerce for Communications and Information to prepare a briefing on barriers to robust U.S. government participation in standards activities at the International Telecommunication Union and on opportunities for further participation, authorize a grant program to encourage private-sector participation at standards bodies, and direct the Secretary of State to establish a regular dialogue with partners and allies on international regulatory issues, including standards setting.43


39 “Meeks, McCaul, Gallagher, Langevin, Kinzinger, Keating Reintroduce the Cyber Diplomacy Act,” U.S. House of Representatives Committee on Foreign Affairs – Press Releases, February 23, 2021, https://foreignaffairs.house.gov/2021/2/meeks-mccaul-gallagher-langevin-kinzinger-keating-reintroduce-thecyber-diplomacy-act; Vavra, “House Green Lights New State Department Cyber Bureau.”

40 “Press Briefing by Psaki and Sullivan.”

41 Department of Commerce, National Institute of Standards and Technology, National Technical Information Service: Fiscal Year 2022 Budget Submission to Congress (June 2021), 80, https://www.commerce.gov/sites/default/files/2021-06/fy2022_nist_congressional_budget_justification.pdf.

42 Department of Commerce, NIST Fiscal Year 2022 Budget Submission to Congress, 81–84, 90–92.

Recommendation 2.1.3 – Improve Cyber Capacity Building and Consolidate the Funding of Cyber Foreign Assistance: Legislation and appropriations are needed to achieve this outcome. CSC staff have provided a legislative proposal that would consolidate foreign assistance in support of efforts to build cyber capacity. In addition, the CSC’s congressional Commissioners submitted a letter to the appropriations committees for FY21 recommending $10 million in increased funding for cyber capacity building. The FY21 NDAA authorized a military cyber capacity building program under Department of Defense authorities specific to Vietnam, Thailand, and Indonesia (Section 1256); the Consolidated Appropriations Act for FY21 included $7 million for capacity building through the Office of the Coordinator for Cyber Issues, which was repeated in the FY22 President’s Budget Request.44 In order to maintain these existing programs while also addressing new and emerging priorities, the CSC’s congressional Commissioners recommended an increase in funds for multiple foreign assistance accounts to be appropriated for FY22 for cybersecurity capacity building at the State Department. USICA may also enable progress in this area, as a provision of the proposed legislation would authorize $100 million in funding annually for FY22–26 in support of the Digital Connectivity and Cybersecurity Partnership, which aims in part to build cybersecurity capacity in foreign countries.45

Recommendation 2.1.4 – Improve International Tools for Law Enforcement Activities in Cyberspace: The CSC has put forward two elements in support of this recommendation. The first is a legislative proposal from the CSC staff that aims to grant subpoena authority to the Office of International Affairs at the Department of Justice in order to streamline the execution of Mutual Legal Assistance Treaties and Mutual Legal Assistance Agreements, and congressional action is needed to pass the proposed legislation. The second aims to increase the number of Cyber Assistant Legal Attachés serving the FBI from 10 to 22. The CSC’s congressional Commissioners therefore submitted a letter to the appropriations committees recommending that the funding level for FY21 be set at $17.6 million. Six additional attachés were funded in FY21, but further appropriations are needed to support the remaining positions. The CSC’s congressional Commissioners recommended an increase in appropriations for FY22 in support of these positions.

Recommendation 2.1.5 – Leverage Sanctions and Trade Enforcement Actions: In support of this recommendation, CSC staff proposed legislation that codifies Executive Order 13848, which allows for the imposition of sanctions in the event of foreign election interference.46 The legislative proposal mandates an assessment and report on foreign election interference and a subsequent assessment of the extent to which any such identified interference materially affected the security or integrity of election infrastructure or the infrastructure of a political organization, campaign, or candidate.47 Legislative action is needed to further implement the recommendation. Separately, the administration has recently imposed sanctions against Russian actors in response to the Foreign Intelligence Service’s involvement in the compromise of SolarWinds and other information technology infrastructures.48


43 USICA, §§ 2517, 2520, 3208.

44 U.S. Department of State, Congressional Budget Justification: Department of State, Foreign Operations, and Related Programs: Fiscal Year 2022 (May 2021), 144, https://www.state.gov/wp-content/uploads/2021/05/FY-2022-State_USAID-Congressional-Budget-Justification.pdf.

45 USICA, § 3122.

46 Exec. Order No. 13848, “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election,” 83 Fed. Reg. 46843 (2018), https://www.federalregister.gov/documents/2018/09/14/2018-20203/imposing-certain-sanctions-in-the-event-of-foreign-interference-in-a-united-states-election.

Recommendation 2.1.6 – Improve Attribution Analysis and the Attribution-Decision Rubric: This recommendation requires executive action, and CSC staff have provided text to the administration for a draft executive order laying out what federal departments and agencies should do. The draft executive order outlines processes for convening incident-triggered Cybersecurity Incident Attribution Analysis Working Groups, aimed at coordinating the task of attribution in the wake of a cyber incident. The draft executive order also mandates the creation of a Cyber Incident Attribution and Analysis Decision Rubric, which correlates appropriate U.S. government response actions to cyberattacks with levels of confidence in assigning attribution.

Recommendation 2.1.7 – Reinvigorate Efforts to Develop Cyber Confidence-Building Measures: This recommendation will require executive action, and CSC staff have provided text to the administration for a draft executive order that outlines actions to be taken by the State Department, including engaging with diplomats at international cyber norms forums, undertaking bilateral and multilateral accords, and encouraging like-minded countries to similarly engage in such forums and processes.

PILLAR THREE: PROMOTE NATIONAL RESILIENCE

Assessment of Overall Pillar Progress

The passage of the National Defense Authorization Act for FY2021 made dramatic progress in the implementation of this pillar, most particularly by beginning work on the development of a Continuity of the Economy plan (Recommendation 3.2 and NDAA Section 9603) and the establishment of Sector Risk Management Agencies (Recommendation 3.1 and NDAA Section 9002). However, significant work remains. First, these critical steps forward must be funded through appropriations, now that they have been authorized. Second, the Commission must prioritize advancing the next tranche of priorities. Establishing the National Cybersecurity Assistance Fund (Recommendation 3.1.2) will remain a key priority for authorizing legislation, while funding existing programs that advance civics education as a means of countering disinformation (part of Recommendation 3.5) will be a key priority in the Commission’s recommendations to congressional appropriators.



47 CSC Staff, Legislative Proposals (2020), 53, https://drive.google.com/file/d/1S5N7KvjFfxow19kCnPl0nx7Mah8pK0uG/view.

48 White House, “FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government.”


Recommendation Progress

Recommendation 3.1 – Codify Sector-specific Agencies into Law as “Sector Risk Management Agencies” and Strengthen Their Ability to Manage Critical Infrastructure Risk: The FY21 NDAA codified sector-specific agencies into law as Sector Risk Management Agencies (Section 9002). The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending two funding increases for FY21 in support of this recommendation. The first increase was to support CISA’s management efforts across all sector-specific agencies (now Sector Risk Management Agencies), and the second was to support the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) at the Department of the Treasury, which serves as the Sector Risk Management Agency for financial services. The first was partially realized through the Consolidated Appropriations Act for FY21, but the second was not. The CSC’s congressional Commissioners recommended further appropriations in FY22 to carry out this original recommendation.

Recommendation 3.1.1 – Establish a National Risk Management Cycle Culminating in a Critical Infrastructure Resilience Strategy: Implementation of this recommendation will require legislative action to direct the executive branch to conduct an initial risk identification and assessment of critical infrastructure based on currently defined national critical functions and to establish processes and procedures to establish a recurring National Risk Management Cycle. Legislation that would meet the intent of this recommendation is already underway. In April 2021, Senators Maggie Hassan and Ben Sasse introduced the National Risk Management Act of 2021, which would implement this recommendation.49 The bill has been folded into USICA;50 it would require the Secretary of Homeland Security, acting through the Director of CISA, to establish a recurring process for identifying, assessing, and prioritizing both risks to critical infrastructure (including both cyber and physical threats) and the resources needed to address such risks. Once an initial report identifying such risks has been produced, the President must deliver a national critical infrastructure resilience strategy, and the Secretary of Homeland Security must annually brief Congress on activities taken pursuant to the strategy.

Recommendation 3.1.2 – Establish a National Cybersecurity Assistance Fund: CSC staff have proposed legislation in support of this recommendation to establish a National Cybersecurity Assistance Fund for programs and projects that are intended to increase the resilience of public and private infrastructure. Congressional action is needed to adopt the legislative proposal; once implemented, the proposal will require funding through appropriations to provide grants to projects and programs that address its intent.

Recommendation 3.2 – Develop and Maintain Continuity of the Economy Planning: The FY21 NDAA authorized the development of a Continuity of the Economy Plan (Section 9603), but the administration has not yet indicated which federal agency will lead this effort or what role the National Cyber Director will play in it. The legislation directs the President, in coordination with relevant federal agencies and the private sector, to develop a Continuity of the Economy plan to provide for the restoration of the U.S. economy in the event of a significant drop in economic activity caused by a cyberattack or other serious event. The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending that funds be appropriated to support a team at CISA to implement this planning requirement.

Recommendation 3.3 – Codify a “Cyber State of Distress” Tied to a “Cyber Response and Recovery Fund”: This recommendation is a key priority for the CSC, and its implementation will require legislation to codify the process of declaring a “cyber state of distress” in the event of, or in preparation for, a significant cyber incident or series of incidents. Once that declaration is made, federal agencies can then scale up or augment their capabilities by drawing on an existing fund. The President’s Budget Request included $20 million for the establishment of a Cyber Response and Recovery Fund.51 In addition, the Senate-passed USICA legislation includes key provisions based on a bill introduced by Senators Gary Peters and Rob Portman that, if passed by the House, would fulfill the intent of this proposal.52 Section 4252 authorizes the Secretary of Homeland Security, in consultation with the National Cyber Director, to make a declaration of a significant incident, after which the Director has the responsibility to coordinate asset response activities with other federal agencies, public and private entities, SLTT governments, law enforcement agencies, and emergency management and response agencies. The section also creates a Cyber Response and Recovery Fund for supporting asset-response activities and providing technical assistance following such a declaration.53

49 National Risk Management Act of 2021, S. 1350, 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/senate-bill/1350/.

50 USICA, §§ 4461–4462.

51 Shalanda D. Young, Acting Director, Office of Management and Budget, letter to the Honorable Patrick Leahy, Chairman, Committee on Appropriations, United States Senate, April 9, 2021, with enclosure, “Summary of the President’s Discretionary Funding Request,” 16, https://www.whitehouse.gov/wp-content/uploads/2021/04/FY2022-Discretionary-Request.pdf; U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Budget Overview, Fiscal Year 2022, 8.

52 Cyber Response and Recovery Act of 2021, S. 1316, 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/senate-bill/1316/text.

Recommendation 3.3.1 – Designate Responsibilities for Cybersecurity Services under the Defense Production Act: The Commission expected and has encountered significant pressure against this recommendation, which is one of the four that face known significant barriers to implementation.

Recommendation 3.3.2 – Clarify Liability for Federally Directed Mitigation, Response, and Recovery Efforts: This recommendation will require legislative action. In 2020 CSC staff drafted legislation to enable this proposal, which directs Congress to specify that any entities taking, or refraining from taking, action at the duly authorized direction of any agency head or any other federal official authorized by law will be insulated from legal liability.

Recommendation 3.3.3 – Improve and Expand Planning Capacity and Readiness for Cyber Incident Response and Recovery Efforts: This recommendation requires executive action, and CSC staff have proposed text for the needed executive order. Full implementation would include revising the National Cyber Incident Response Plan to add scenario-specific and sector-specific annexes drafted in consultation with sector-specific agencies and the Sector Coordinating Councils, accounting for options to mobilize additional resources to augment the government’s response efforts, and integrating planning efforts with existing emergency response and disaster recovery programs operated by federal and SLTT entities. Section Six of the Biden administration’s executive order on improving the nation’s cybersecurity requires the development of a playbook that would drive planning to improve and standardize processes for federal cyber incident response.54 This order does not precisely implement the CSC’s recommendation, because the Commission focused on planning that involved a broader group of stakeholders rather than just the federal government. However, it has a similar intent as the Commission’s recommendation and helps lay the groundwork for future progress.

Recommendation 3.3.4 – Expand Coordinated Cyber Exercises, Gaming, and Simulation: CSC congressional Commissioners recommended an increase in appropriations for FY21 to support this recommendation. The Consolidated Appropriations Act for FY21 allocated just under $22.8 million to the National Infrastructure Simulation Analysis Center, an amount that meets the requirements for this recommendation.55

Recommendation 3.3.5 – Establish a Biennial National Cyber Tabletop Exercise: Section 1744 of the FY21 NDAA accomplished this recommendation, and the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending a small increase in funding to the CISA Exercises account in Infrastructure Assessments and Security in order to support development and execution of the exercise for FY22. The President’s Budget Request for FY22 includes an increase to the CISA Exercises account of approximately $2 million and specifically addresses the exercise required by Section 1744.56


53 USICA, §§ 4251–4252.

54 Exec. Order No. 14028.

55 U.S. Congress, Joint Explanatory Statement, Division F, 48.

56 United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Budget Overview Fiscal Year 2022, 253.


Recommendation 3.3.6 – Clarify the Cyber Capabilities and Strengthen the Interoperability of the National Guard: Section 1729 of the FY21 NDAA accomplished this recommendation, though appropriations will be needed to execute it. The legislation directs the Secretary of Defense to evaluate the statutes, rules, regulations, and standards that pertain to the use of the National Guard for the response to and recovery from significant cyber incidents, and to issue updates to existing plans and policies as needed. At a hearing held by the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang indicated that the Biden administration is undertaking the review required by the FY21 NDAA and expects to complete it during the summer.57

Recommendation 3.4 – Improve the Structure and Enhance Funding of the Election Assistance Commission: Legislation and appropriations are needed to accomplish this recommendation. H.R. 1, which was passed by the House of Representatives on March 3, 2021, includes a bipartisan amendment—co-sponsored by CSC Commissioners Representatives Jim Langevin and Mike Gallagher—on improving the Election Assistance Commission (EAC); it would clarify the duties of the EAC as they relate to the development and maintenance of cybersecurity guidelines and create the position of the Senior Cyber Policy Advisor to support the EAC’s work.58 In addition, in February 2021 the EAC voted to approve an updated version of the Voluntary Voting System Guidelines, which are used in the testing and certification of voting equipment.59 The CSC’s recommendation encouraged an updating of the guidelines, which were then more than six years old.60 The Consolidated Appropriations Act for FY21 only partially addressed the CSC’s request for an increase in appropriations. Accordingly, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending a further increase in appropriations for FY22 in support of this recommendation. The President’s FY22 Budget Request includes an increase of approximately $5.8 million in funding for the EAC.61

Recommendation 3.4.1 – Modernize Campaign Regulations to Promote Cybersecurity: This recommendation requires legislative action. CSC staff have proposed legislation for this recommendation that amends the Federal Election Campaign Law to allow corporations to provide free and/or reduced-cost cybersecurity assistance to political campaigns on a nonpartisan basis.

Recommendation 3.5 – Build Societal Resilience to Foreign Malign Cyber-Enabled Information Operations: Legislation and appropriations are needed to accomplish this recommendation. To that end, CSC staff have put forward two legislative proposals. The first establishes a grant program for the development of education programs enabling Americans to identify foreign malign cyber-enabled information operations. The second commissions a GAO study on the effectiveness of existing cybersecurity education programs and establishes a grant program for research on the effectiveness of cybersecurity literacy curricula. In addition to a request in support of cybersecurity awareness at CISA, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding of $15 million for FY21 in support of relevant Department of Education programs, of which only $250,000 was appropriated, and made further recommendations in FY22 appropriations. The CSC’s congressional Commissioners also recommended an increase in funding in support of a Department of Defense (DoD) pilot program on civics education created in Section 234 of the FY20 NDAA. The Consolidated Appropriations Act for FY21 included a more modest increase of $2 million for civics education. Accordingly, the CSC’s congressional Commissioners recommended an additional increase in FY22, as well as additional funding in other departments to promote digital civics education, media literacy, and academic improvements in civics and history.

57 Eoyang, testimony at hearing, “Operations in Cyberspace and Building Cyber Capabilities Across the Department of Defense,” at 36:59.

58 For the People Act of 2021, H.R. 1, § 3002(a),(g), 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/house-bill/1/text.

59 Maggie Miller, “Election Commission Approves New Guidelines to Secure, Update Voting Equipment,” The Hill, February 10, 2021, https://thehill.com/policy/cybersecurity/538216-election-commission-approves-new-guidelines-to-secure-update-voting.

60 “Voluntary Voting System Guidelines,” U.S. Election Assistance Commission (2021), https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines.

61 U.S. Election Assistance Commission, “Fiscal Year 2022 Congressional Budget Justification” (2021), 16, https://www.eac.gov/sites/default/files/cbj/FY_2022_CBJ.pdf.

Recommendation 3.5.1 – Reform Online Political Advertising to Defend against Foreign Influence in Elections: This recommendation requires legislative action. CSC staff proposed such legislation, which is included among the drafts published in 2020; it calls for amending the Federal Election Campaign Act to specifically require that all U.S. online political advertisements be subject to the same restrictions on foreign national purchases as those in place for advertisement in traditional media.62

PILLAR FOUR: RESHAPE THE CYBER ECOSYSTEM TOWARD GREATER SECURITY

Assessment of Overall Pillar Progress

The past year saw partial implementation of recommendations that will be valuable in strengthening the cybersecurity ecosystem. The reporting requirements of Section 9005 of FY21 NDAA are early steps toward fully implementing the Commission’s recommendations for research on insurance certification (Recommendation 4.4), while Section 9006 requires a strategy to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) across all U.S. email providers (addressing one of the three technological foundations that the Commission highlighted in Recommendation 4.5.2). Though very valuable, this progress is modest, and key priorities have yet to be achieved. Nevertheless, the Commission has made significant strides in terms of public engagement to gather input, refine, and build momentum around its priorities for 2021: setting up a National Cybersecurity Certification and Labeling Authority (Recommendation 4.1), establishing a Bureau of Cyber Statistics (Recommendation 4.3), amending Sarbanes-Oxley (Recommendation 4.4.4), and passing national data breach notification legislation (Recommendation 4.7.1). The Commission will also be prioritizing increased appropriations for NIST, an agency that plays an especially critical role in enabling stronger security across the national cyber ecosystem.



62 Montgomery, “Legislative Proposals.”


Recommendation Progress

Recommendation 4.1 – Establish and Fund a National Cybersecurity Certification and Labeling Authority: Authorizing legislation and appropriations are needed to accomplish this recommendation. However, progress can also be made through executive action, and the Biden administration’s executive order on improving the nation’s cybersecurity did help lay groundwork for future progress.63 CSC staff also put forward a legislative proposal in support of this recommendation. If authorized, the National Cybersecurity Certification and Labeling Authority (NCCLA) will require the appropriation of funds. Absent such an authorization, the U.S. government can still make some, albeit limited, progress toward implementing this recommendation by appropriating funding for the Federal Communications Commission’s Office of Engineering and Technology, Laboratory Division, to begin work to assess existing cybersecurity certifications pertinent to critical infrastructure and develop further resources as needed.

Recommendation 4.1.1 – Create or Designate Critical Technology Security Centers: A legislative change is needed to implement this recommendation; one approach is to amend the Homeland Security Act to specifically include critical technology security centers among the Homeland Security Advanced Research Projects Agency projects. Once authorized, the centers would need appropriated funding for this recommendation to be fully implemented.

Recommendation 4.1.2 – Expand and Support the National Institute of Standards and Technology Security Work: To address both the requirements of this recommendation and the related requirements in Recommendation 2.1.4 (see above), the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding of $30 million for FY21 to support NIST’s cybersecurity and privacy programs. The Consolidated Appropriations Act for FY21 did not include this increase, even though the requirements for work on standards have grown rapidly. In particular, the recent executive order on improving the nation’s cybersecurity requires the Director of NIST to establish best practices, guidelines, guidance, definitions, reviews, consultations, and other core elements needed to improve and standardize federal cybersecurity,64 a tasking that makes this request even more urgent. Despite this expansion of its cybersecurity mission, the President’s Budget Request recommended only a modest 6 percent increase to the Cybersecurity and Privacy budget function at NIST, while the agency-wide NIST budget grew almost 45 percent.65 Recognizing NIST’s critical role as an enabler of a stronger national cyber ecosystem, the CSC’s congressional Commissioners recommended a much more significant increase to support NIST’s cybersecurity and privacy programs for FY22.

Recommendation 4.2 – Establish Liability for Final Goods Assemblers: The Commission expected and has encountered significant pressure against this recommendation, which is one of the four that face known significant barriers to implementation. However, the recommendation has been drafted in proposed legislation and stands ready should a future emergency create the political impetus needed to overcome existing barriers.

Recommendation 4.2.1 – Incentivize Timely Patch Implementation: This recommendation can be implemented under existing authorities, but additional appropriations are required to support the development of a framework outlining patch implementation expectations and timelines. In a letter to congressional appropriators for FY22, the CSC’s congressional Commissioners included a recommendation for report language to accompany the FY22 appropriations bill directing NIST to detail its plans to update Special Publication 800-40, “Guide to Enterprise Patch Management Technologies,” which was last revised in 2013.

63 Exec. Order No. 14028.

64 Exec. Order No. 14028.

65 Mark Montgomery, “Biden’s cyber budget good, but still insufficient to meet the threats,” The Hill, June 15, 2021, https://thehill.com/opinion/cybersecurity/558507-bidens-cyber-budget-good-but-still-insufficient-to-meet-the-threats.

Recommendation 4.3 – Establish a Bureau of Cyber Statistics: Authorizing legislation is needed to establish the bureau. The Commission staff proposed draft legislation during the 2020 legislative cycle, working with stakeholders and industry groups to clarify the relationship between the proposed bureau and the private sector. Following that process, CSC staff have proposed a revised draft for consideration during the 2021 legislative cycle. If authorized, the Bureau of Cyber Statistics will still require the appropriation of funds.

Recommendation 4.4 – Resource a Federally Funded Research and Development Center to Develop Cybersecurity Insurance Certifications: Section 9005 of the FY21 NDAA partially meets the intent of this recommendation by mandating a GAO study on the topic, but further executive action is required that will direct a federally funded research and development center to establish a training and certification program for underwriters and claims adjusters. CSC staff have provided text to the administration for an executive order in support of this recommendation.

Recommendation 4.4.1 – Establish a Public-Private Partnership on Modeling Cyber Risk: This recommendation requires executive action that will direct the U.S. government to conduct a study on the topic. CSC staff have provided text to the administration for a draft executive order that would establish a cross-sector working group, under the authority of CISA’s Critical Infrastructure Partnership Advisory Council (CIPAC), focused on evaluating options for establishing a cyber incident data analysis repository and on assessing current laws, regulations, guidance, frameworks, and best practices concerning data collection and sharing and pricing cybersecurity risk. This working group would build off the initial work and findings of the Cyber Incident Data and Analysis Working Group, which also convened under the auspices of CIPAC during 2015 and 2016 and produced a number of key findings and conclusions that can inform the public-private partnership recommended by CSC.66 While no new authorization is required, the CSC’s congressional Commissioners recommended appropriations report language in support of the formation of this working group.

Recommendation 4.4.2 – Explore the Need for a Government Reinsurance Program to Cover Catastrophic Cyber Events: This recommendation was partially accomplished through Section 9005 of the FY21 NDAA, which mandated a GAO study on the cyber insurance industry. However, an executive order and some legislative action are required to direct the GAO, in consultation with the Department of Commerce, Department of Homeland Security (DHS), and Department of the Treasury, to conduct a study on the current state of the cyber insurance market, including the need for reinsurance.

Recommendation 4.4.3 – Incentivize Information Technology Security through Federal Acquisition Regulations and Federal Information Security Management Act Authorities: The CSC recommendation calls on the executive branch to direct the Federal Acquisition Regulation Council and OMB to update their cybersecurity regulations in the Federal Acquisition Regulations (FARs) and cybersecurity guidance under the Federal Information Security Management Act at least every five years. Executive Order 14028, “Improving the Nation’s Cybersecurity,” meets the intent of this recommendation. Sections Two and Four of the executive order lean heavily on federal acquisition to incentivize information technology (IT) security, explicitly referring to the FARs several times. The executive branch can help ensure the effectiveness of these changes by continuing to update the regulations regularly.


66 “Cybersecurity Insurance,” Cybersecurity and Infrastructure Security Agency, accessed March 22, 2021, https://www.cisa.gov/cybersecurity-insurance.


Recommendation 4.4.4 – Amend the Sarbanes-Oxley Act to Include Cybersecurity Reporting Requirements: As an amendment to existing legislation, this recommendation can be accomplished only through legislative means. Legislation for this amendment proposed by Commission staff will clarify cybersecurity oversight and reporting requirements for publicly traded companies by amending the Sarbanes-Oxley Act to explicitly account for cybersecurity and require penetration testing of security systems.

Recommendation 4.5 – Develop a Cloud Security Certification: This recommendation can be accomplished through a combination of legislative and executive action and requires appropriations. Though not precisely meeting the intent of this recommendation, the Biden administration’s executive order on improving the nation’s cybersecurity does move the conversation on cloud security within the federal government forward by mandating updates to agency plans to secure cloud services as well as updates to guidance for the Federal Risk and Authorization Management Program (FedRAMP).67 In addition, CSC staff have proposed legislation in support of this recommendation. While some elements of this recommendation require further authorization, support through appropriations can help advance the activities covered under existing authorities. Ideally, the cloud security certification would be established through NCCLA, which would coordinate with NIST to develop metrics and standards for a secure cloud benchmark and serve as the certifying agent responsible for conducting initial and subsequent audits of eligible applicants. But even without congressional authorization for NCCLA, work on the cloud security certification can still move forward through executive or legislative action directing DHS to spearhead the effort and serve as the certifying agent, in coordination with NIST. The draft legislation proposed by CSC staff on the topic includes language for both circumstances, ensuring that whether or not NCCLA exists, Congress has model text that can be used to establish a federal cloud security certification. The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending increased appropriations for joint efforts at CISA and NIST to enable the research needed to build a foundation for a cloud security certification and to allow CISA to serve as the certifying agent if NCCLA is not authorized.

Recommendation 4.5.1 – Incentivize the Uptake of Secure Cloud Services for Small and Medium-Sized Businesses and State, Local, Tribal, and Territorial Governments: Legislation introduced in the 116th Congress—the State and Local IT Modernization and Cybersecurity Act68—addressed this recommendation and included a provision for the appropriation of funds, but it was not passed. In the coming months, the Commission expects to pursue legislation to implement this recommendation.

Recommendation 4.5.2 – Develop a Strategy to Secure Foundational Internet Protocols and Email: This recommendation was partially fulfilled through Section 9006 of the FY21 NDAA. That section deviates slightly from the intent of the legislation proposed by CSC staff in 2020 in that it calls only for the creation of a strategy to implement DMARC across all U.S. email providers, without addressing the Border Gateway Protocol and Domain Name System. The CSC draft legislation covers the full intent of the initial proposal, and the Commission expects to pursue the remaining elements in the coming months.

Recommendation 4.5.3 – Strengthen the U.S. Government’s Ability to Take Down Botnets: The draft legislation proposed by CSC staff for this recommendation calls on Congress to enact Section Four of the International Cybercrime Prevention Act,69 which was proposed in 2018. The legislation would provide courts with broader authority to address illegal botnets.


67 Exec. Order No. 14028.

68 State and Local IT Modernization and Cybersecurity Act, H.R. 8048, 116th Cong. (2020), https://www.congress.gov/bill/116th-congress/house-bill/8048.

69 International Cybercrime Prevention Act, S. 3288, 115th Cong. (2018), https://www.congress.gov/bill/115th-congress/senate-bill/3288/text.


In June 2021, a bipartisan group of Senators reintroduced the International Cybercrime Prevention Act, including a section dedicated to botnet remediation.70

Recommendation 4.6 – Develop and Implement an Information and Communications Technology Industrial Base Strategy: This recommendation is in progress as a result of the Biden-Harris administration’s executive order on America’s supply chains.71 The executive order directs a 100-day review of U.S. supply chains in key areas, including semiconductor manufacturing and advanced packaging supply chains and critical and strategic mineral supplies. The order also mandates the assessment of sectoral supply chains and a general review and recommendations, including those directed at congressional or executive action to strengthen the integrity of American supply chains. Once the review is complete pursuant to the executive order, it should inform a broader supply chain strategy effort that directs national investment priorities for ICT industrial capacity and research and development while focusing on coordination with trusted partners and allies in this effort.

Recommendation 4.6.1 – Increase Support to Supply Chain Risk Management Efforts: The February 24, 2021, executive order on America’s supply chains requires reports on topics including risks in the semiconductor manufacturing and advanced packaging supply chains, which partially implements this recommendation.72 Further implementation will require executive action to identify ways to improve collaboration with the private sector in order to limit risk to supply chains and implement the findings of the reports generated by the new executive order.

Recommendation 4.6.2 – Commit Significant and Consistent Funding toward Research and Development in Emerging Technologies: Increased federal investment in early-stage research is critical if policymakers are to understand challenges related to emerging technologies, including artificial intelligence, quantum information science, and 5G wireless technology—topics on which many of CSC’s recommendations focus. In a broad sense, the USICA bill addresses the core of this recommendation; but in this case, the key to successful implementation will be the appropriations that support that work. The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase to appropriations for the Department of Defense’s Foundational Artificial Intelligence Science and Alternative Computing for both FY21 and FY22.

Recommendation 4.6.3 – Strengthen the Capacity of the Committee on Foreign Investment in the United States (CFIUS): The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending $26.4 million in FY21 for the Federal Judicial Center’s education and training program to support the education of bankruptcy judges on the CFIUS process. The CSC has once again advocated for this recommendation in a letter to the congressional appropriations committees for FY22.

Recommendation 4.6.4 – Invest in the National Cyber Moonshot Initiative: The Cyber Moonshot Initiative, created in 2018, is intended to “make the Internet safe and secure for the functioning of Government and critical services for the American people by 2028.”73 The FY21 NDAA addressed some principles highlighted by the initiative, but work remains. CSC will continue to recommend further investment in the initiative.

70 “Whitehouse, Graham, Blumenthal, Tillis Reintroduce Legislation to Fight Cybercrime,” Office of Senator Sheldon Whitehouse, June 17, 2021, https://www.whitehouse.senate.gov/news/release/whitehouse-graham-blumenthal-tillis-reintroduce-legislation-to-fight-cybercrime-.

71 Exec. Order No. 14017.

72 Exec. Order No. 14017.

Recommendation 4.7 – Pass a National Data Security and Privacy Protection Law: The Commission expected and has encountered significant pressure against this recommendation, which is one of the four that face known significant barriers to implementation. However, the recommendation has been drafted in proposed legislation and stands ready should a future emergency create the political impetus needed to overcome existing barriers.

Recommendation 4.7.1 – Pass a National Breach Notification Law: This recommendation requires legislative action. CSC staff have drafted a proposal that combines breach notification legislation with limited elements of incident reporting legislation. The draft proposal, as well as several other national data breach notification proposals, is under consideration in Congress, and they have a moderate likelihood of passing.

PILLAR FIVE: OPERATIONALIZE CYBERSECURITY COLLABORATION WITH THE PRIVATE SECTOR

Assessment of Overall Pillar Progress

In 2020, the Joint Cyber Planning Office (Recommendation 5.4) was established in Section 1715 of the FY21 NDAA, and establishment of the office was funded in the Consolidated Appropriations Act for FY21. At the same time, Section 1731 initiated planning for an Integrated Cyber Center (Recommendation 5.3). Progress on these two recommendations represents a significant step in advancing the objectives of Pillar Five. However, two of the central elements of Pillar Five—the codification of the concept of Systemically Important Critical Infrastructure (Recommendation 5.1) and the establishment and funding of a Joint Collaborative Environment (Recommendation 5.2)—have yet to be addressed, and both will be priorities for the Commission’s legislative efforts in 2021.



73 National Security Telecommunications Advisory Committee (NSTAC), “NSTAC Report to the President on a Cybersecurity Moonshot” (November 14, 2018), ES-1, 5, https://www.cisa.gov/sites/default/files/publications/NSTAC_CyberMoonshotReport_508c.pdf.


Recommendation Progress

Recommendation 5.1 – Codify the Concept of “Systemically Important Critical Infrastructure”: This recommendation, which is fundamentally legislative in nature, is one of the Commission’s priorities for implementation. After gathering input from government and industry groups in 2020 and the first half of 2021, the Commission expects to focus in the coming months on supporting a legislative proposal that would require the Secretary of Homeland Security to define a process for designating entities as Systemically Important Critical Infrastructure, with coordination from Sector Risk Management Agencies and relevant regulatory authorities. Entities so designated would be subject to higher security standards; they would also receive increased intelligence and protection to prevent disruption or compromise.

Recommendation 5.1.1 – Review and Update Intelligence Authorities to Increase Intelligence Support to the Broader Private Sector: This recommendation can be implemented through either legislative or executive action. CSC staff have proposed legislation that would direct the executive branch to conduct a six-month comprehensive review of intelligence policies, procedures, and resources to identify and address key limitations in the ability of the intelligence community to provide support to the private sector. Staff have also provided text to the administration for a draft executive order that would initiate a similar review, and the Commission expects to pursue these parallel tracks in the coming months.

Recommendation 5.1.2 – Strengthen and Codify Processes for Identifying Broader Private-Sector Cybersecurity Intelligence Needs and Priorities: Like Recommendation 5.1.1, this recommendation requires legislation or executive action. Legislative language proposed by the CSC staff directs the Director of National Intelligence to work with the CISA Director and SRMAs to establish a formal, recurring process for soliciting and compiling input from critical infrastructure sectors to inform national intelligence priorities. These inputs would help identify potential targets of nation-state cyber threats, gaps in critical infrastructure cybersecurity efforts, ways to refocus information collection and analysis in support of addressing those gaps, and means to assist SRMAs in identifying priorities and coordinating with the intelligence community. The draft legislation also requires the Director of National Intelligence and the CISA Director to submit an annual report to Congress assessing how such critical infrastructure inputs are shaping intelligence collection and evaluating efforts to share information with critical infrastructure owners and operators. In addition, CSC staff have drafted an executive order for the administration that directs the same set of actions.

Recommendation 5.1.3 – Empower Departments and Agencies to Serve Administrative Subpoenas in Support of Threat and Asset Response Activities: Section 1716 of the FY21 NDAA accomplished this recommendation by providing administrative subpoena authority to CISA for the purpose of identifying and notifying an entity that owns or operates a device or system related to critical infrastructure facing a specific security vulnerability. The provision outlines the limits on information obtainable through the subpoena process as well as liability protections, interagency coordination processes, the process for notifying identified entities, and a requirement to establish internal procedures for issuing subpoenas and handling information obtained through such subpoenas.

Recommendation 5.2 – Establish and Fund a Joint Collaborative Environment for Sharing and Fusing Threat Information: The House version of the FY21 NDAA included a provision that would have established the Joint Collaborative Environment (JCE).74 In parallel, Senator Angus King introduced an amendment to include the JCE in the Senate version of the bill,75 but the provision was ultimately dropped from the final FY21 NDAA. Section 1631 of the House version of the FY21 NDAA faced White House opposition, owing to concerns about sufficient protections for intelligence sources and methods.76 The Commission supports the reintroduction of this legislative proposal in the 117th Congress. Notably, the May 12, 2021, executive order on improving the nation’s cybersecurity sets in motion a process to facilitate better information sharing among departments and agencies.77 Though it does not actually establish the JCE, the executive order may help lay the groundwork for its future creation.

Recommendation 5.2.1 – Expand and Standardize Voluntary Threat Detection Programs: Elements of this recommendation can be implemented through either executive action or legislation, and it is making progress toward implementation. As part of the 100-day plan to protect U.S. critical infrastructure announced on April 20, 2021, the executive branch worked with critical infrastructure owners and operators to modernize enhanced detection efforts.78 Meanwhile, CSC staff have provided the administration with text for an executive order to standardize threat detection programs by establishing a formal process to solicit and compile input from critical infrastructure providers. In addition, the proposal drafted in 2021 by CSC staff outlining a Joint Collaborative Environment (Recommendation 5.2) includes a Cyber Threat Data Standards and Interoperability Council, which, if established, would help coordinate and harmonize voluntary network monitoring or threat detection programs for critical infrastructure. Not all elements of this recommendation would require new authorities, and Congress can support expanding voluntary threat detection programs through appropriations to the Threat Hunting and Capacity Building functions at CISA. The CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending increased support for voluntary threat detection programs in FY22.


74 National Defense Authorization Act for Fiscal Year 2021 (as engrossed in the House), H.R. 6395, § 1631, 116th Cong. (2020), https://www.congress.gov/bill/116th-congress/house-bill/6395/text/eh.

75 166 Cong. Rec. S3233 (daily ed. June 24, 2020) (S.Amdt. 1712 submitted by Sen. King), https://www.congress.gov/congressional-record/2020/06/24/senate-section/article/S3212-1.

76 Mariam Baksh, “White House Cites Intel Sharing Efforts in NDAA Veto Threat,” Nextgov, July 21, 2020, https://www.nextgov.com/cybersecurity/2020/07/white-house-cites-intel-sharing-efforts-raising-veto-option-against-ndaa/167084/.

77 Exec. Order No. 14028.

78 “Statement by NSC Spokesperson Emily Horne on the Biden Administration’s Efforts to Protect U.S. Critical Infrastructure,” The White House, April 20, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/20/statement-by-nsc-spokesperson-emily-horne-on-the-biden-administrations-efforts-to-protect-u-s-critical-infrastructure/.

Recommendation 5.2.2 – Pass a National Cyber Incident Reporting Law: The Commission expected significant pressure against this recommendation; however, a series of high-profile cybersecurity events, including the recent SolarWinds incident, may prove sufficient to create impetus for its implementation,79 and a number of pending legislative drafts suggest that future progress is possible. It may also be possible to incorporate some elements of the CSC staff–drafted legislative proposal in a national data breach notification law, which the Commission expects to pursue in the coming months. Notably, the May 12, 2021, executive order on improving the nation’s cybersecurity further increases the viability of implementation.80 While it does not directly advance the implementation of this recommendation, which is intended as a broad-based national requirement, the executive order does implement changes for federal contractors. Moreover, the Cyber Safety Review Board established by the order will make information on incidents more readily available. Although progress on the implementation of CSC’s recommendation remains limited, these changes may signal an increasingly receptive environment for its implementation in the future.

Recommendation 5.2.3 – Amend the Pen Register Trap and Trace (PRTT) Statute to Enable Better Identification of Malicious Actors: As an amendment to existing legislation, this recommendation can be accomplished only by Congress. CSC staff have proposed the relevant legislation,81 which amends the PRTT Law to provide private-sector entities with a broader range of defensive techniques to aid in identifying malicious actors.

Recommendation 5.3 – Strengthen an Integrated Cyber Center (ICC) within CISA and Promote the Integration of Federal Cyber Centers: Section 1731 of the FY21 NDAA initiated implementation of this recommendation by requiring a report that charts a course for future coordination of federal cybersecurity centers within an ICC. While CISA is now investigating and will report to Congress on the path forward for the ICC, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in funding for CISA’s Operational Planning and Coordination, Threat Hunting, and Vulnerability Management accounts to ensure continued support for the currently authorized activities that would be brought under the umbrella of the ICC.

Recommendation 5.4 – Establish a Joint Cyber Planning Cell under the Cybersecurity and Infrastructure Security Agency: Section 1715 of the FY21 NDAA established the Joint Cyber Planning Office (JCPO), in line with this recommendation. The JCPO will coordinate cybersecurity planning and readiness across the federal government and work with SLTT government and private-sector stakeholders to address cyber threats and develop plans for protection, detection, response, and recovery. In the FY21 omnibus appropriations bill, Congress appropriated $10,568,000 above CISA’s FY21 cybersecurity request to establish the JCPO.82 For FY22, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending an increase in appropriations to continue supporting the JCPO and providing it with the resources and personnel necessary to carry out its mission. The President’s Budget Request includes an increase of $10 million for the JCPO in FY22.83 Though not explicitly connected to the JCPO, the executive order on improving the nation’s cybersecurity requires the development of playbooks for planning and conducting cybersecurity vulnerability and incident response activities.84 These planning exercises may dovetail with the JCPO’s intended purpose of working across the federal government as it develops plans.


79 “SolarWinds Fallout Sparks Calls for Mandatory Incident Reporting, Repercussions after Cyber Attacks,” Federal News Network, February 24, 2021, https://federalnewsnetwork.com/cybersecurity/2021/02/solarwinds-fallout-sparks-calls-for-mandatory-incident-reporting-repercussions-after-cyber-attacks/.

80 Exec. Order No. 14028.

81 CSC Staff, Legislative Proposals, 224.

82 U.S. Congress, Joint Explanatory Statement, Division F, 51.

Recommendation 5.4.1 – Institutionalize Department of Defense Participation in Public-Private Cybersecurity Initiatives: Section 1728 of the FY21 NDAA partly accomplished this recommendation by mandating that DoD undertake a review of public-private cybersecurity initiatives. Unlike the CSC proposal,85 however, it does not require coordination with DHS. In the coming months, CSC expects that additional legislation and appropriations may be necessary in FY22 to implement the recommendations on institutionalizing and strengthening the initiatives reviewed pursuant to Section 1728.

Recommendation 5.4.2 – Expand Cyber Defense Collaboration with Information and Communications Technology Enablers: This recommendation requires executive action to direct the U.S. government to provide more information, and more actionable information, to internet service providers, cloud service providers, information technology software and hardware producers, and cybersecurity companies, and to collaborate on cyber defense efforts by building new institutional mechanisms and operationalizing existing public-private partnerships.

PILLAR SIX: PRESERVE AND EMPLOY THE MILITARY INSTRUMENT OF POWER

Assessment of Overall Pillar Progress

Of the pillars of the original Commission report, Pillar Six is among the closest to full implementation. The reason for this success is that the primary legislative vehicle for the Commission’s recommendations in 2020 was the National Defense Authorization Act. Because of the pillar’s topical focus on military issues, many of the recommendations it contained involved no congressional committees beyond the Senate Armed Services Committee and the House Armed Services Committee, which simplified the pathway to implementation for these legislative recommendations. Consequently, key Recommendations 6.1 and 6.2 were both fully implemented in the FY21 NDAA, and many other priorities were at least partially implemented. Notably, Section 1711 eliminates a spending cap on the Cyber Command operations procurement fund, which partially resolves the barrier identified in Recommendation 6.1.1. Further priorities remain for the Commission’s work in 2021. In particular, significant elements of Recommendation 6.1.6, which calls for additional reporting metrics, have not yet been addressed. Developing such metrics will be crucial to evaluating the success of cyberspace policy and strategy going forward, and thus will be a focus of the Commission’s legislative work in the coming months.



83 U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Budget Overview Fiscal Year 2022, 68.

84 Exec. Order No. 14028.

85 CSC Staff, Legislative Proposals, 232.


Recommendation Progress

Recommendation 6.1 – Direct the Department of Defense to Conduct a Force Structure Assessment of the Cyber Mission Force (CMF): This recommendation was largely accomplished by Section 1706 of the FY21 NDAA, which mandates a comprehensive force structure assessment of the Cyber Operations Forces. The provision deviates slightly from the draft legislation proposed by CSC staff86—the force structure assessment of the CMF is contained under the broader umbrella of the Cyber Operations Forces—but this difference is minor, and the provision meets the intent of the CSC recommendation. General Paul Nakasone testified before the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems that an assessment that meets the intent of this recommendation is under way.87

Recommendation 6.1.1 – Direct DoD to Create a Major Force Program Funding Category for U.S. Cyber Command: Portions of the FY21 NDAA—Sections 1711 and 1746—partially meet the intent of this recommendation by, respectively, removing the $75 million cap on spending and requiring a report that contains recommendations on enabling the Commander of U.S. Cyber Command to execute budget and acquisition authorities in excess of imposed funding limits. However, the legislation does not create a Major Force Program funding category.

Recommendation 6.1.2 – Expand Current Malware Inoculation Initiatives: This recommendation requires executive action to accelerate the appropriate release of identified malicious code and other information gleaned from threat hunting and related activities that could aid defensive efforts. In releasing this information, the executive branch should also work to better coordinate the efforts of federal departments and agencies, the private sector, and allies and partners to improve the timing, granularity, and actionability of released malware samples. The U.S. government should pay specific attention to integrating the new enhanced coordination mechanisms proposed by other CSC recommendations and to releasing information to relevant private-sector stakeholders as quickly as is feasible.

Recommendation 6.1.3 – Review the Delegation of Authorities for Cyber Operations: Like Recommendation 6.1, this recommendation was authorized in FY21 NDAA Section 1706, which focuses on improving the quadrennial cyber posture review. Specifically, the provision calls for an “evaluation of the adequacy of mission authorities for all cyber-related military components, defense agencies, directorates, centers, and commands” and “assessment of the need for further delegation of cyber-related authorities, including those germane to information warfare, to the Commander of United States Cyber Command.”88

Recommendation 6.1.4 – Reassess and Amend Standing Rules of Engagement (SROE) and Standing Rules for Use of Force (SRUF) for U.S. Forces: This recommendation will require executive action. CSC staff have drafted text for an executive order that requires a review of SROE/SRUF to ensure that they are relevant to action in and through cyberspace.

Recommendation 6.1.5 – Cooperate with Allies and Partners to Defend Forward: This recommendation will require executive action. CSC staff have drafted text for an executive order that mandates a review of the impact of defend forward and of persistent engagement on partners and allies, as well as an assessment of opportunities for collaboration and coordination with partners and allies in this area. Discussions with allies and partners, particularly those in NATO, during President Biden’s June 2021 visit to Europe signal an intent to engage in these activities, an intent which is also reflected in the recent joint statement attributing malicious cyber activity and irresponsible state behavior to the government of China,89 but implementation will require turning those discussions into action.


86 CSC Staff, Legislative Proposals, 234.

87 Nakasone, testimony at hearing, “Operations in Cyberspace and Building Cyber Capabilities Across the Department of Defense,” at 28:00.

88 FY21 NDAA, § 1706.

Recommendation 6.1.6 – Require the Department of Defense to Define Reporting Metrics: This recommendation requires executive action or additional legislation. Section 1634 of the FY20 NDAA requires DoD to conduct quarterly assessments of the readiness of the Cyber Mission Forces and establish metrics to inform such assessments.90 Pursuant to Section 1634, the Secretary of Defense is required to submit quarterly briefings to the congressional defense committees on the department’s progress in developing such metrics. CSC’s recommendation instructs DoD to ensure that they go beyond readiness to also include measures of defend forward outcomes across strategic, operational, and tactical levels. Such metrics can be added to DoD’s reporting requirements through either executive or legislative action, which should make clear how defend forward outcomes are to be measured.

Recommendation 6.1.7 – Assess the Establishment of a Military Cyber Reserve: This recommendation was authorized in FY21 NDAA Section 1730, which requires the Principal Cyber Advisor to the Secretary of Defense to submit to the congressional defense committees an assessment of reserve models tailored to support DoD’s cyberspace operations.

Recommendation 6.1.8 – Establish Title 10 Professors in Cyber Security and Information Operations: This recommendation could be carried out through either legislation or executive action. In the coming months, the Commission plans to work with stakeholders in the executive branch to support the implementation of this recommendation, but notes that a legislative intervention—a revision to the Joint Professional Military Education standards and the designation of centers of excellence—would be longer lasting.

Recommendation 6.2 – Conduct Cybersecurity Assessment across the NC3 and NLCC Systems & DoD Vulnerability Assessment of Weapon Systems: This recommendation was authorized in FY21 NDAA Sections 1712 and 1747. Section 1712 mandates an evaluation of cyber vulnerabilities of major DoD weapons systems, the establishment of policies and requirements, and the identification of a senior official responsible for reassessments of major weapons systems. This mandate largely meets the intent of CSC’s recommendation, though legislative language proposed by CSC staff called specifically for the assessment to include vulnerabilities across networked systems and the interaction of modern and legacy systems.91 Section 1747 mandates the creation of a plan for acting on the findings and recommendations of the first annual assessment of cyber resiliency of nuclear command and control systems; it also requires the development of a concept of operations and oversight mechanism for cyber defense of such systems. The May 12, 2021, executive order on improving the nation’s cybersecurity further advances the implementation of this recommendation by requiring the Secretary of Defense to issue a national security memorandum detailing cybersecurity practices for national security systems that meet or exceed the level of security outlined for federal civilian agencies in the executive order,92 which this recommendation did not consider.


89 Maggie Miller, “NATO Members Agree to New Cyber Defense Policy,” The Hill, June 14, 2021, https://thehill.com/policy/cybersecurity/558383-nato-member-states-agree-to-new-cyber-defense-policy-following; “The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China,” The White House, July 19, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/.

90 National Defense Authorization Act for Fiscal Year 2020, Pub. L. No. 116-92, § 1634, 133 Stat. 1198 (2019), https://www.congress.gov/bill/116th-congress/senate-bill/1790/text.

91 CSC Staff, Legislative Proposals, 241.

92 Exec. Order No. 14028.


Recommendation 6.2.1 – Require Defense Industrial Base (DIB) Participation in a Threat Intelligence Sharing Program: This recommendation was partially authorized in Section 1737 of the FY21 NDAA, but that section does not fully meet the intent of the CSC recommendation. Rather than establishing a DIB threat intelligence program, the provision mandates a report from the Secretary of Defense on the feasibility and suitability of such a program. The bill does not require DoD to establish the program after the report is issued, instead leaving that decision to the discretion of the Secretary of Defense. It also characterizes the program as “threat information sharing” rather than “threat intelligence sharing.” Additional legislation will be required to fulfill the intent of the initial proposal.

Recommendation 6.2.2 – Require Threat Hunting on Defense Industrial Base (DIB) Networks: This recommendation was partially authorized in Section 1739 of the FY21 NDAA, but that section does not fully meet the intent of the CSC recommendation. Section 1739 stands in much the same relation to this recommendation as Section 1737 does to the previous one: it calls for an assessment of the feasibility and suitability of a DIB threat-hunting program but does not require DoD to establish the program after the report is issued, instead leaving that decision to the discretion of the Secretary of Defense. Additional legislation will be required to fulfill the intent of the initial proposal.

Recommendation 6.2.3 – Designate a Threat-Hunting Capability across the Department of Defense Information Network (DoDIN): This recommendation will require executive action. In June 2020, the Defense Information Systems Agency granted authority to ThreatQuotient to operate its ThreatQ offering on the DoDIN, which would enable threat hunting, among other functions.93 No DoD force structure element has been established to perform this function, but if the threat-hunting capability exists, its implementation would likely meet the intent of the recommendation.

Recommendation 6.2.4 – Assess and Address the Risk to National Security Systems Posed by Quantum Computing: This recommendation was put into law in Section 1722 of the FY21 NDAA, which mandates a comprehensive assessment of current and potential risks to critical national security systems posed by quantum computing, with recommendations for research, development, and acquisition activities aimed at securing those critical national security systems from such risks and threats.

