CYBERSPACE SOLARIUM COMMISSION WHITE PAPERS
To provide more detail on recommendations outlined in the U.S. Cyberspace Solarium Commission Report, the Commission produced a series of white papers in 2020. The first, published in May 2020, revisited the Commission’s recommendations through the lens of the unfolding COVID-19 pandemic, examining both the manner in which the pandemic affected national cybersecurity and general lessons that could be drawn from managing a global crisis. The second white paper outlined in detail the Commission’s vision for a National Cyber Director. Though it was drafted and shared with legislators in the spring of 2020, to provide room for deliberation first on draft legislation and then on policy implementation the paper has not yet been released publicly. The third and fourth white papers, published in autumn of 2020, focused on the federal cybersecurity workforce and the ICT supply chain, respectively; they articulated in separate recommendations many ideas that the original report had consolidated within single recommendations. Because their publication was more recent, there has been less time to implement the more detailed actions outlined in the four white papers. Nevertheless, they are included in this assessment, and the Commission is pleased to report significant progress on many fronts.
93 Matthew Nelson, “DISA Approves ThreatQuotient Platform for DoD Information Network,” ExecutiveBiz, June 11, 2020, https://blog.executivebiz.com/2020/06/disa-approves-threatquotient-platform-for-dod-information-network/.
WHITE PAPER #1: CYBERSECURITY LESSONS FROM THE PANDEMIC
Assessment of Overall White Paper Progress
Because the Commission’s white papers were published after the original report, the timeline for implementing their recommendations has been shorter. However, this white paper has a notable exception: the recommendation to modernize state, local, tribal, and territorial information technology (Recommendation PAN1.1) is a direct outgrowth of the original report’s Recommendation 4.5.1. This provision was the basis of the proposed State and Local IT Modernization and Cybersecurity Act in the 116th Congress,94 which charts a course for the 117th Congress to follow in providing significant security improvements to state and local governments. Though the bill did not pass, it represents significant progress toward the recommendation’s implementation and better cybersecurity, and this effort will continue to be a priority in 2021. Another key priority for the coming months will be the implementation of the Commission’s recommendation to enhance assistance and recovery support for victims of cybercrime (Recommendation PAN1.3.b). Though not a new problem, fraud, abuse, and other internet-enabled crime have become especially pernicious during the COVID-19 pandemic, making passage of this legislation particularly timely: it will be a significant indicator of progress in this area in the coming months.
94 State and Local IT Modernization and Cybersecurity Act, H.R. 8048
Recommendation Progress
PAN Recommendation 1.1 – Provide State, Local, Tribal, and Territorial Government and Small and Medium-sized Business IT Modernization Grants: CSC staff have proposed legislation for this recommendation, and it requires appropriations to be implemented. CSC Commissioners Representatives Langevin and Gallagher introduced the State and Local IT Modernization and Cybersecurity Act in the 116th Congress, which supported modernizing and securing state and local government information technology. The legislation did not pass; however, the CSC will be recommending its reintroduction in the 117th Congress.
PAN Recommendation 1.2 – Pass an Internet of Things Security Law: Section 9204 of the FY21 NDAA signaled Congress’s increasing interest in the Internet of Things (IoT); it applies only to the federal government, however, not to the market as a whole. Meanwhile, the executive order on improving the nation’s cybersecurity calls on the Director of NIST to identify IoT cybersecurity criteria for a consumer labeling program.95 This does not implement the recommendation to create a national IoT security standard, but it does lay groundwork upon which a federal IoT security law may be built. Further legislation is needed to advance this recommendation, and the legislative language proposed by CSC staff for passing an IoT security law stresses the creation of enduring standards both for authentication and for patching.
PAN Recommendation 1.3 – Support Nonprofits That Assist Law Enforcement’s Cybercrime and Victim Support Efforts: CSC staff have proposed legislation that would establish a federally supported nonprofit National Cybercrime Victim Assistance and Recovery Center to serve as a nationwide resource to provide information, technical assistance, and support to individuals and small businesses victimized by cybercrime. In 2020, CSC staff also proposed legislation supporting nonprofit organizations that work with law enforcement to provide victim assistance.
PAN Recommendation 1.4 – Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: CSC staff have proposed legislation that would authorize the Department of Justice, in consultation with the Department of Homeland Security, Department of State, and the National Science Foundation, to provide grants to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns into context in order to avoid amplifying them. Appropriations will be needed to advance this recommendation, and the CSC’s congressional Commissioners included a request in support of this recommendation in a letter to congressional appropriations committees for FY22.
PAN Recommendation 1.4.1 – Establish the Social Media Data and Threat Analysis Center: The center discussed in this recommendation was initially authorized by Section 5323 of the FY20 NDAA, which also specified that the effort may use up to $30 million of the funds appropriated to the National Intelligence Program for fiscal years 2020 and 2021. Section 9301 of the FY21 NDAA reaffirmed the requirement to establish a Social Media Data and Threat Analysis Center. The Social Media Data and Threat Analysis Center is long overdue. The Commission looks forward to seeing the law implemented with the establishment of the center. Meanwhile, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending continued appropriations through FY22 to support the effort.
95 Exec. Order No. 14028.
WHITE PAPER #2: NATIONAL CYBER DIRECTOR
Uniquely, this white paper has only one recommendation: establish a National Cyber Director. At the request of the Senate Armed Services Committee and the Senate Homeland Security and Governmental Affairs Committee in their letter dated May 14, 2020, the paper provides greater detail on Recommendation 1.3 from the original Cyberspace Solarium Commission Report. With the passage of Section 1752 of the FY21 NDAA, the actions outlined in this white paper have turned into a legal obligation that the President must implement. However, the Commission’s job here is not done.
After a 60-day review of the position and its requirements,96 the administration nominated Chris Inglis, who also served as a Commissioner with the Cyberspace Solarium Commission, for the role. The Senate held a confirmation hearing on June 10, 2021, and Chris Inglis was confirmed as the first National Cyber Director on June 17, 2021. On May 12, 2021, the Biden administration’s executive order on improving the nation’s cybersecurity further integrated the NCD into existing policy by clarifying that once the NCD is appointed, portions of the order may be updated to enable the NCD to execute their responsibilities.97
While the Biden-Harris administration has begun to adapt its National Security Council structures to include the NCD,98 the relationship between the newly created position of Deputy National Security Advisor for Cyber and the NCD will have significant bearing on the NCD’s overall authority. The FY21 NDAA designates the responsibilities and functions conferred to the NCD but in general assigns particular authorities with a light touch. Such authorities are ultimately derived from the President. As a consequence, the choices made by the Biden-Harris administration in defining the role of the National Cyber Director will largely dictate whether the NCD becomes a powerful tool for ensuring national cybersecurity or a mere technical requirement. One step Congress can take to ensure that the position is empowered to build a more secure cyberspace is to appropriate funding sufficient to enable adequate staffing, space, secure access to classified systems, and other necessities for the office’s functionality. To that end, the CSC’s congressional Commissioners submitted a letter to the appropriations committees including both a recommended funding amount and suggested language for the bill appropriating that funding. The President’s FY22 Budget Request included $15 million for the establishment of the Office of the National Cyber Director.99
96 Ellen Nakashima, “Tension Grows between Congress and the Administration over How White House Cyber Policy Should Be Run,” Washington Post, February 18, 2021, https://www.washingtonpost.com/national-security/biden-cybersecurity-policy-congress-tension/2021/02/18/7f9d7398-6c9b-11eb-ba56-d7e2c8defa31_story.html.
97 Exec. Order No. 14028.
98 Joseph R. Biden, Jr., “Memorandum Renewing the National Security Council System,” February 4, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/02/04/memorandum-renewing-the-national-security-council-system/.
99 Office of Management and Budget, Budget of the U.S. Government: Fiscal Year 2022, 32.
Although this report considers Recommendation 1.3—and thus the recommendation of this white paper—technically implemented as a function of the passage of the FY21 NDAA, the Commission recognizes that a number of criteria must be met for the recommendation to be successful. In order to make meaningful improvements, the National Cyber Director must bring direction and coherence to national cybersecurity strategy, policy, and operations. The recommendation will be deemed successful when the position of the National Cyber Director brings leadership, coordination, and consistent advocacy for cybersecurity priorities within the White House.
WHITE PAPER #3: GROWING A STRONGER FEDERAL CYBER WORKFORCE
Assessment of Overall White Paper Progress
Many of the main barriers to progress outlined in the Commission’s white paper on the federal cybersecurity workforce result from a lack of strategy, leadership, and coordination. If the position is established effectively, the National Cyber Director would bring these much-needed elements to developing the federal cybersecurity workforce. While the passage of Sections 9401 to 9407 of the FY21 NDAA made significant progress in implementing Recommendation 1.5 from the original Solarium report of 2020, an effective National Cyber Director could take major strides toward implementing Federal Cyber Workforce White Paper Recommendation 1 by creating the leadership and coordination structures, some of which would be led by the NCD, that would enable the white paper’s other recommendations. Consequently, in the coming months the Commission expects to see significant progress on the executive-led recommendations from this white paper.
Recommendation Progress
Federal Cyber Workforce White Paper Recommendation 1 – Establish Leadership and Coordination Structures: Executive action is required to implement this recommendation and establish the leadership and coordination structures necessary for strengthening the federal cyber workforce. CSC staff have provided text to the administration for an executive order that both would designate the Office of the National Cyber Director as the convener of an interagency working group tasked with overseeing the federal government’s strategy for the cyber workforce and would create a separate interagency working group to support federal departments and agencies in implementing their agency-specific programs aimed at strengthening the cyber workforce.
Federal Cyber Workforce White Paper Recommendation 2 – Properly Identify and Utilize Cyber-Specific Occupational Classifications: Executive action is required to implement this recommendation. CSC staff have provided the administration with text for an executive order in support of this recommendation, which would commission a study that, in part, examines the viability of creating a cyber-specific occupational classification and considers potential congressional action needed for its creation.
Federal Cyber Workforce White Paper Recommendation 3 – Develop Apprenticeships: This recommendation requires congressional or executive action to establish a pilot apprenticeship program within CISA. Such a program would serve as a proof of concept for other federal departments and agencies, as well as SLTT governments seeking to establish registered apprenticeship programs. CSC supports the Federal Cybersecurity Workforce Expansion Act, introduced by Senators Maggie Hassan and John Cornyn in June 2021, which would implement this recommendation.100
Federal Cyber Workforce White Paper Recommendation 4 – Improve Cybersecurity for K-12 Schools: This recommendation requires congressional action for its implementation. In 2021, a bipartisan group of Representatives introduced the Enhancing K-12 Cybersecurity Act of 2021,101 which CSC supports as a key means of implementing this recommendation. The legislation would create an information exchange, registry of cyber incidents, and a Technology Improvement Program for K-12 schools. A similar Senate bill, the K-12 Cybersecurity Act of 2021, works toward the same goal of securing K-12 schools by commissioning a study that will inform recommendations and an online training toolkit for K-12 officials.
Federal Cyber Workforce White Paper Recommendation 5 – Provide Work-Based Learning via Volunteer Clinics: Executive action is needed to implement this recommendation. CSC staff have provided the administration with a draft executive order that would create a grant program, overseen by the Office of the National Cyber Director, for institutions of higher education seeking to provide work-based learning opportunities via volunteer clinics that provide free cybersecurity services and training to individuals, nonprofit organizations, and small businesses in the grantee’s community.
Federal Cyber Workforce White Paper Recommendation 6 – Improve Pay Flexibility/Hiring Authority: Executive action is needed to implement this recommendation. An executive order on federal cyber workforce coordination, drafted by CSC staff and provided to the administration, commissions a study to review existing pay flexibilities and hiring authorities that could strengthen the federal cyber workforce and recommend further action that would create additional flexibilities or authorities in support of the effective recruitment, development, and retention of the federal cyber workforce.
Federal Cyber Workforce White Paper Recommendation 7 – Incentivize Cyber Workforce Research: A bill passed by the House, the National Science Foundation for the Future Act, includes a cybersecurity workforce data initiative that would fulfill significant elements of this recommendation if it becomes law. Additionally, the CSC’s congressional Commissioners submitted a letter to the appropriations committees recommending the funding of additional personnel to support the National Center for Science and Engineering Statistics in its efforts to identify, compile, and analyze existing nationwide data and conduct surveys as necessary to better understand the national cyber workforce. The CSC’s congressional Commissioners also recommended increased funding for NIST’s National Initiative for Cybersecurity Education to support regional programs as required by FY21 NDAA Section 9401. A proposed executive order drafted by CSC staff also details the creation of a grant program to incentivize research on the workforce, pathways to entry into the federal cyber workforce, and strategies for promoting diversity, equity, and inclusion in the federal cyber workforce.
100 “Senators Hassan, Cornyn Introduce Bipartisan Bill to Strengthen Federal Cyber Workforce,” Office of Senator Maggie Hassan, June 25, 2021, https://www.hassan.senate.gov/news/press-releases/senators-hassan-cornyn-introduce-bipartisan-bill-to-strengthen-federal-cyber-workforce.
101 Enhancing K-12 Cybersecurity Act, H.R. 4005, 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/house-bill/4005/text.
Federal Cyber Workforce White Paper Recommendation 8 – Mitigate Retention Barriers and Invest in Diversity, Equity, and Inclusion in Recruiting: Congressional or executive action is needed to implement this recommendation. CSC staff have proposed draft legislative and executive order language in support of this recommendation, which would establish training programs for managers to cultivate practices that foster a more inclusive work environment, institutionalize a cyber career pathways program, and ask each cybersecurity agency to update its department- and agency-specific Diversity and Inclusion Strategic Plans, among other provisions. While not specific to cybersecurity, the Biden administration’s June 25, 2021 Executive Order on Diversity, Equity, Inclusion, and Accessibility in the Federal Workforce takes steps towards prioritizing government-wide efforts to recruit, hire, and retain a more diverse and inclusive workforce.
WHITE PAPER #4: BUILDING A TRUSTED ICT SUPPLY CHAIN
Assessment of Overall White Paper Progress
Although “Building a Trusted ICT Supply Chain” was the most recently published of the white papers, its recommendations have also seen the most success in implementation (the single-recommendation white paper on the NCD aside). This progress is largely due to the Biden-Harris Administration’s executive order on America’s supply chains.102 The reports mandated in this executive order put three recommendations of this white paper in process (SC1, SC2, and SC4), and helped create momentum in support of several others. Building on this momentum, the Commission expects in the coming months to prioritize two major legislative actions from this white paper: the establishment of a National Security Investment Corporation (SC3.3) and of a National Supply Chain Intelligence Center (SC4.1), which would create critical tools for constructing a trusted ICT supply chain.
102 Exec. Order No. 14017.
Recommendation Progress
ICT Supply Chain White Paper Recommendation 1 – Develop and Implement an Information and Communication Technologies Industrial Base Strategy: This recommendation is in progress as a result of the Biden-Harris administration’s executive order on America’s supply chains. The executive order directs a 100-day review of U.S. supply chains in key areas, including semiconductor manufacturing, advanced packaging, and critical and strategic mineral supplies. The order also mandates the assessment of sectoral supply chains and a general review and recommendations, including those for congressional or executive action, to strengthen the integrity of American supply chains. Once the initial review is complete and, pursuant to the executive order, a process for quadrennial supply chain reviews has been established, the Biden-Harris administration should act on the findings and associated recommendations and publish an annually updated national supply chain strategy outlining the federal government’s role in and means of securing the U.S. industrial base supply chain.
ICT Supply Chain White Paper Recommendation 2 – Identify Key Information and Communication Technologies and Materials: This recommendation is in progress as a result of the Biden-Harris administration’s executive order on America’s supply chains. The executive order directs an assessment of sectoral supply chains, including that of the ICT industrial base, to review the critical goods and materials supporting each supply chain.103
103 Exec. Order No. 14017.
ICT Supply Chain White Paper Recommendation 3 – Conduct a Study on the Viability of and Designate Critical Technology Clusters: This recommendation requires congressional action, and CSC staff have drafted legislation in support of the designation of American localities as critical technology clusters. CSC staff have also provided the administration with language for an executive order that commissions a study on the viability of such a strategy for stimulating domestic manufacturing. The Senate-passed USICA would create a regional technology hubs program that would meet the intent of this recommendation by providing strategy development and strategy implementation grants to support geographically based multi-stakeholder consortia focused on U.S. leadership in technology and innovation, regional economic development, the diffusion of innovation, and domestic job creation.104 The FY21 NDAA included a number of provisions that aim to support domestic semiconductor and microelectronic manufacturing through a financial assistance program, a public-private partnership, a common funding mechanism for partner and allied supply chains, and research and development centers.105 Though not organized around regional hubs, these actions promote the goal of strengthening the domestic production of critical technologies; USICA includes a provision that would authorize appropriations in support of several of these initiatives.106
ICT Supply Chain White Paper Recommendation 3.1 – Provide Research and Development Funding for Critical Technologies: In a broad sense, the USICA bill addresses some elements of this recommendation, but its successful implementation in this case will depend on the appropriations that support its work. The CSC’s congressional Commissioners submitted a letter to the appropriations committees for FY22 recommending an increase in appropriations in support of this recommendation. CSC staff have provided the administration with a draft executive order that includes reviewing federal investment in research and development in emerging technologies; tasking the Office of Science and Technology Policy (OSTP) with coordinating with other relevant federal stakeholders to assess federal priorities, including OSTP budgetary priorities; and identifying opportunities to make progress in areas relevant to ICT supply chain security.
ICT Supply Chain White Paper Recommendation 3.2 – Incentivize the Movement of Critical Chip and Technology Manufacturing out of China: Congressional action is needed in order to implement this recommendation. CSC staff have proposed draft legislation that includes creating a dedicated fund for a grant program to provide incentives to companies for projects that move chip and technology manufacturing into the United States. Elements of the USICA bill do work toward a similar goal. For example, Section 3101 of the bill would authorize contracts with qualified experts to assist with supply chain management issues related to China, including exiting Chinese markets or relocating facilities. In the aggregate, however, the bill largely pursues different means than those outlined in the CSC recommendation, which calls on the U.S. government to work with companies to defray the cost of relocating manufacturing facilities.
ICT Supply Chain White Paper Recommendation 3.3 – Conduct a Study on a National Security Investment Corporation: Congressional action is needed to establish a public-private national security investment corporation that would coordinate investment in strategically important areas. CSC staff have proposed draft legislation and have provided the administration with text for an executive order commissioning a study on the viability of such a public-private corporation. Because this is one of its key priorities for the upcoming fiscal year, the CSC is engaging with relevant stakeholders and legislators to establish support for this recommendation.
104 USICA, § 2401.
105 FY21 NDAA, §§ 9902–9903, 9905–9906.
106 USICA, § 1002.
ICT Supply Chain White Paper Recommendation 4 – Designate Lead Agency for ICT Supply Chain: The Biden-Harris administration’s executive order on America’s supply chains represents an important first step in fulfilling this recommendation.107 The executive order designates the Departments of Commerce and Homeland Security as responsible for carrying out the portions of the executive order related to the ICT industrial base, but further action can be taken to formally designate the Department of Commerce as the lead federal agency for ICT supply chain management after the review required by the executive order is completed.
ICT Supply Chain White Paper Recommendation 4.1 – Establish a National Supply Chain Intelligence Center: Congressional action is required to establish a National Supply Chain Intelligence Center, and CSC staff have provided draft legislation. The legislation would mandate an assessment of the viability of a national supply chain intelligence center focused on consolidating and coordinating federal supply chain intelligence efforts and coordinating with industry stakeholders.
ICT Supply Chain White Paper Recommendation 4.2 – Fund Critical Technology Security Centers: Congressional action and appropriations are needed to accomplish this recommendation, which mirrors Recommendation 4.1.1. CSC staff have developed a legislative proposal that would codify the existence of the centers
ICT Supply Chain White Paper Recommendation 5 – Incentivize Open and Interoperable Standards and Release More Mid-band Spectrum: This recommendation requires executive action. CSC staff have provided the administration with language for an executive order that would facilitate the creation of a National 5G Deployment Plan, which would focus in part on options for reallocating mid-band spectrum for expanded 5G deployment.
ICT Supply Chain White Paper Recommendation 5.1 – Develop a Digital Risk Impact Assessment for International Partners for Telecom Infrastructure Projects: Congressional action and appropriations are needed to support this recommendation. The CSC’s congressional Commissioners submitted a letter to the appropriations committees in support of the elements of this recommendation that can be done under existing authorities. To further advance the proposal, CSC staff have provided draft legislation to Congress that would direct the United States Agency for International Development (USAID) to work with international partners in developing a digital risk impact assessment that highlights the risks associated with the use of untrusted technologies in implementing digitization and telecommunications infrastructure projects.
ICT Supply Chain White Paper Recommendation 5.2 – Ensure That the Export-Import Bank (EXIM), U.S. International Development Finance Corporation (DFC), and United States Trade Development Agency (USTDA) Can Compete with Chinese State-owned and State-backed Enterprises: This recommendation requires congressional action, and CSC staff have provided draft legislation to Congress. CSC staff have also provided the administration with a draft executive order that would task relevant agencies with reviewing existing authorities, regulations, and legislation and recommending potential action to be taken in support of this recommendation.
ICT Supply Chain White Paper Recommendation 5.3 – Develop a List of Contractors and Vendors Prohibited from Implementing Development Projects: This recommendation requires executive action, and CSC staff have provided the administration with language for an executive order that calls on relevant departments and agencies to create a list of companies whose products cannot be used in federally funded development projects. CSC staff have provided draft legislation to Congress that would direct the executive branch to initiate the creation of such a list of prohibited vendors.
107 Exec. Order No. 14017.