Sen. Ben Sasse (R-Neb.) says the Trump administration needs to get serious about cyberdefense. And he’s taking some cues from history with the hope of kicking the administration into action.
Tucked in a massive defense policy bill Congress appears poised to pass in the coming weeks is a measure from Sasse that would create a commission of top national security officials, lawmakers and experts to draw up a comprehensive cyberdefense strategy for the country. The proposal is based on the Project Solarium Commission, a Cold War effort President Dwight D. Eisenhower launched in the 1950s to counter the Soviet threat.
It’s another way Congress is trying to force President Trump’s hand in developing a clear doctrine for how the United States responds to cyberthreats from nation states like Russia, which Trump refuses to unequivocally state interfered in the 2016 election. As Trump waffles on Russia’s interference in the election, and his White House sheds top cybersecurity talent, the measure would give Congress and its hand-picked experts a more direct role in steering the national discussion.
“We need to have real debate if we’re going to produce a consensus-based framework to defend the country in cyberspace,” Sasse told me in an email. “The Commission will be successful if it helps finally define for our government how, when, and where we will seek to deter America’s adversaries; how we will organize government to ensure dominance in the new battlefield; and how government appropriately recruits and partners with the expertise and talent of the private sector.”
The 14-member “Cyberspace Solarium Commission” would consist of the director of the FBI and top deputies from the Office of the Director of National Intelligence, the Department of Homeland Security and the Pentagon. The remaining commissioners would be members of Congress and “nationally recognized” cybersecurity experts picked by House and Senate leaders from both parties.
The goal is to produce a “clean and coherent plan for deterring and defending our country from cyber attacks” by September 2019, Sasse said.
If approved, it would be a shot across the bow from lawmakers, said Bobby Chesney, a national security law professor at University of Texas at Austin and co-founder of the blog Lawfare. “There's no question that Congress by doing this is showing concern about the executive branch not paying sufficient attention to the need for clear strategic thinking."
“If the White House can’t or won’t administer a sound top-level policy, then the next best thing is for Congress to oblige it to do so," he continued."
Sasse's amendment made it through the conference committee process into the final version of the National Defense Authorization Act. The House is likely to vote on the bill in the coming days, before it goes back to the Senate for final approval.
This isn’t the first time lawmakers have sought to squeeze such a strategy out of the Trump administration. The White House in April sent Congress a report on its cyber policy in classified form, as required by a provision in last year's defense spending bill that required it to do so. But Sasse’s legislation signals lawmakers weren’t satisfied with what they got.
“There’s a huge difference between pushing paper and producing real strategy,” Sasse said. “There’s a ton of bureaucrats writing memos in D.C. but all that paper doesn’t add up to a serious cyber strategy. We know that our enemies are already working off of their own playbooks, but we have yet to draft our own.”
Sasse's proposal is one of several provisions senators pushed through this year's NDAA seeking to prod the administration into overhauling the country’s cyberdefense policies. One, for example, calls on the administration to establish a cyberwar doctrine. Another authorizes the president to direct U.S. Cyber Command to “disrupt, defeat and deter” cyberattacks.
To be sure, the administration says it's working hard to fight digital attacks from foreign adversaries. Top national security officials including Secretary of State Mike Pompeo and Homeland Security Secretary Kirstjen Nielsen have spoken publicly in recent weeks about how the administration is ratcheting up its cyberdeterrence efforts. And the administration hit Russia with sanctions this year as punishment for its attacks on the 2016 election and other cyberoffensives -- but only after Congress forced Trump's hand by passing legislation requiring them.
But the recent departure of some of the White House’s cybersecurity leaders has added to concerns that the administration is giving cyberdefense short shrift. Tom Bossert, Trump’s homeland security adviser and cybersecurity czar, was forced out in April amid turnover on the National Security Council, as my colleagues reported. White House cybersecurity coordinator Rob Joyce left soon after, and his position has since been eliminated.
Sasse’s commission proposal could help fill the void they left, Chesney said.
“This might bring things to a head and yield some good ideas along the way, at a time when key parts of the executive branch, the White House in particular, did not appear interested in leading such an effort,” Chesney told me. “A prestigious commission can force the issue, and with luck earn credibility that will transfer into support for its recommendations.”
Then again, it’s just a commission. Nothing it produces would be binding on the Trump administration. And the White House would be free to disregard whatever findings or conclusions it turns up.
But that doesn't mean it should be dismissed it outright, Chesney said.
“It’s easy to mock proposals for a commission, and with good reason. But that doesn’t mean that every one is a bad idea,” he said. “The best-case scenario is that commission earns persuasive authority through the quality of its process, members, and recommendations.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “Trump claimed Tuesday, without evidence, that the Kremlin will support Democrats in the November midterm election, debuting a new line on Russian interference as the uproar over his shifting stances on the issue enters its second week,” The Washington Post's Felicia Sonmez reported. “Trump made the claim in a late-morning tweet eight days after he held a joint news conference in Helsinki with Russian President Vladimir Putin, who acknowledged there that he had wanted Trump to win in 2016.” Trump tweeted that he is “very concerned that Russia will be fighting very hard to have an impact” on the 2018 midterms and will favor Democrats. “Based on the fact that no President has been tougher on Russia than me, they will be pushing very hard for the Democrats,” he wrote on Twitter. “They definitely don’t want Trump!”
I’m very concerned that Russia will be fighting very hard to have an impact on the upcoming Election. Based on the fact that no President has been tougher on Russia than me, they will be pushing very hard for the Democrats. They definitely don’t want Trump!— Donald J. Trump (@realDonaldTrump) July 24, 2018
On Capitol Hill, Senate Majority Leader Mitch McConnell (R-Ky.) warned Moscow against trying to tamper with the midterm elections. “The Russians better quit messing around in our elections,” McConnell told reporters. “I want to make that perfectly clear: The Russians better quit messing around in our elections. They did it the last time. They better not do it again.”
PATCHED: The Department of Homeland Security is approaching the 2018 midterms with the working assumption that Russia will target the November elections, Christopher C. Krebs, undersecretary for the Department of Homeland Security’s National Protection and Programs Directorate, told the House Oversight Committee on Tuesday. “As described in the 2017 intelligence community assessment, we know the Russians engaged in a multifaceted campaign to meddle in the last election, including some influence tactics that they have used for decades,” Krebs told lawmakers in his opening remarks. “Based on this prior demonstration of capability and intent, we are planning and preparing as if they’ll trying again this fall and beyond.”
Krebs also said Russia still carries out “malign influence operations” to sow political discord in the United States but added that U.S. authorities have not yet found any indications that Moscow is trying to infiltrate election systems across the country. “While these recent activities are designed to exacerbate sociopolitical divisions, there does not appear to be an effort at the same scope or scale directed at the midterms that was observed in 2016, nor have we seen Russian cyber operations directly targeting state and local election systems infrastructure,” Krebs said.
New Mexico Secretary of State Maggie Toulouse Oliver said in prepared remarks that voters will be more inclined to turn out on Election Day if they trust the election process. “If people are confident that the voting process is secure, they will be much more likely to participate,” she said in written remarks submitted to the committee. “This is why we need members of this committee, DHS and our other federal partners to share with Americans that our elections are secure and indeed fair.” She added in her statement that “it is important to understand that those systems with the highest risk — online voter registration systems and election-night reporting — are removed from the process of casting a ballot.”
PWNED: Sens. Patrick J. Toomey (R-Pa.) and Chris Van Hollen (D-Md.) want the Treasury Department to enact punitive measures against the 12 Russian military intelligence officers who were indicted in special counsel Robert S. Mueller III's investigation.
In a letter to Treasury Secretary Steven Mnuchin, the two senators noted that the department in March announced penalties against several Russian individuals and organizations over election interference. They urged Mnuchin to levy sanctions on the Russian officers this time. “Vladimir Putin and those acting at his direction meddled in our 2016 presidential election,” Toomey said in a statement. “Accordingly, the Treasury should again exercise the tools it has at its disposal and penalize those identified as carrying out this attack on our country. Putin's attempts to undermine our elections should be continuously met with swift and strong repercussions by Congress and the White House.”
— More cybersecurity news:
— Trump's tweet about Russia left a lot of people scratching their heads:
From Senate Minority Leader Charles E. Schumer (D-N.Y.):
Sen. Edward J. Markey (D-Mass.):
July 16. Reuters: "President Putin, did you want President Trump to win the election and did you direct any of your officials to help him do that?” Putin: "Yes, I did. Yes, I did. Because he talked about bringing the US/Russia relationship back to normal." https://t.co/Z4DvEBo71s— Ed Markey (@SenMarkey) July 24, 2018
From Van Hollen:
Trump has already forgotten that Putin told the world in Helsinki that he was rooting for Trump—and he got what he wanted. But if Trump wants to get tough on Russia and stop them from interfering in the midterms, he should support the #DETERAct that Sen. Rubio and I introduced. https://t.co/MxaLuaJEj7— Chris Van Hollen (@ChrisVanHollen) July 24, 2018
From The Post's Shane Harris:
From Mother Jones's David Corn:
America, witness the delusions of a mad king. https://t.co/H8j9sujfCV— David Corn (@DavidCornDC) July 24, 2018
— A measure in the defense policy bill “would give the president greater power to forgo certain Russia-related penalties,” my colleague Karoun Demirjian reports. “In negotiations on the annual defense authorization bill, House and Senate lawmakers agreed to give the president the power to waive sanctions, without first checking with Congress, against certain entities that still do business with Russia,” she writes. “The move came in response to Defense Secretary Jim Mattis’s request for more latitude to bring countries, such as India, that historically have been dependent on Russian defensive materials in closer alliance with the United States.”
— “The House Homeland Security Committee on Tuesday approved a bill that will codify a key cybersecurity program at the Department of Homeland Security,” the Hill's Olivia Beavers reported. “The bill, introduced by Rep. John Ratcliffe (R-Texas), would give the Secretary of DHS the authority to establish the Continuous Diagnostics Mitigation (CDM) program at DHS, which aims to protect federal networks from cyberattacks.” The committee also approved a bill, titled Securing the Homeland Security Supply Chain Act of 2018 and introduced by Rep. Peter T. King (R-N.Y.), that would give DHS the authority to ban technology contractors that are considered a threat, Nextgov's Joseph Marks reported. “The bill, which would only apply to Homeland Security contracts, would generally require the department to notify contractors before a ban and allow them to protest the ban or make efforts to mitigate the problem,” Marks wrote. “That notification could be skipped if the danger warranted it, however.”
— “Senate Intelligence Committee Chairman Richard Burr told CNN Tuesday he believed there were ‘sound reasons’ for judges to approve the Foreign Intelligence Surveillance Act warrant on former Trump campaign foreign policy adviser Carter Page, in yet another break between the Republican leaders of the House and Senate Intelligence committees,” CNN’s Jeremy Herb and Manu Raju reported. “‘I don't think I ever expressed that I thought the FISA application came up short,’ Burr said when asked about [a] House Republican memo alleging FBI and Justice Department abuses of the FISA process. ‘There (were) sound reasons as to why judges issued the FISA.’”
— More cybersecurity news from the public sector:
- House Homeland Security subcommittee hearing on “federal cybersecurity risk determination.”
- Two House Oversight subcommittees hold a hearing titled “GAO high risk focus: cybersecurity.”
- The Brookings Institution hosts a panel discussion on online privacy tomorrow.
What was said on the Trump-Cohen tape:
Novichok survivor speaks:
Flash floods hit central Pennsylvania: