With Tonya Riley
The government must dramatically overhaul its outdated and bureaucratic approach to cybersecurity if it hopes to avert a catastrophic attack, a long-awaited commission report coming out this morning warns.
The proposals from the Cyber Solarium Commission — made up of lawmakers, administration officials, industry executives and cybersecurity experts — include putting new executives with broad authorities at the top of cybersecurity policy at the White House and State Department, as my colleague Ellen Nakashima reports.
The commission also wants to wrangle the overlapping cybersecurity authorities among congressional committees — which former senator Claire McCaskill (D-Mo.) once compared to a bowl of spaghetti — into two select cybersecurity committees, one in the House and the other in the Senate. The proposals were shared with The Post before their release.
The group’s goal is to make recommendations similar to those from the 9/11 Commission Report in 2004, but before a major disaster hits in which an adversary could knock out portions of the nation's electrical grid or telecommunications systems, co-chair Sen. Angus King (I-Maine) told me.
“We want to generate action ahead of the catastrophe,” he said. “Cynics say our system can only work after an emergency … but if we have a catastrophe, it may be too late.”
The report also urges a new “declaratory policy” outlining how the United States will punch back against adversaries that hack election systems, government agencies, energy companies, airports and other critical infrastructure.
“Our adversaries have had a free ride so far,” King said. “They haven’t had any real fear of reprisal. We need to make our adversaries think twice before they decide to attack us.”
The commission itself is modeled on a Cold War-era panel convened by President Dwight Eisenhower tasked with developing a long-term strategy for competing with the Soviet Union.
King and his co-chair, Rep. Mike Gallagher (R-Wis.), hope to evade the fate of a slew of previous commissions and committees offering grand cybersecurity proposals that made little progress before their reports were largely forgotten.
For starters, about 50 of the report’s 80 recommendations have already been written up as draft bills that the four lawmakers on the commission — which also includes Sen. Ben Sasse (R-Neb.) and Rep. Jim Langevin (D-R.I.) — and their allies plan to introduce soon and start advocating for on Capitol Hill. King wants to package many of the less-controversial proposals into this year’s National Defense Authorization Act, a must-pass bill that frequently becomes a grab bag for tangentially related legislation.
And he’s hopeful that a cavalcade of high-profile breaches, including the Russian hacking of the Democratic National Committee and the Hillary Clinton campaign in the 2016 election, will galvanize public action.
“I think there’s a greater sense of urgency than there was even three years ago,” King said. “People are getting a clearer picture of the threat, and the threat is only going to be multiplied in coming years.”
One big barrier, however, could be getting President Trump on board.
The commission included members from DHS, the Pentagon, the intelligence community and the FBI but no one from the White House. And the group hasn't gotten any guarantees from top Trump officials about supporting big changes, including the creation of a new national cyber director at the White House, who would be confirmed by the Senate and control a large staff and budget.
Indeed, Trump’s former national security adviser John Bolton eliminated in 2018 a far less powerful position — a White House cybersecurity coordinator — and Trump has given no indication he wants to reinstate the role.
Trump has also been hostile to focusing attention on Russian hacking threats, which are one of the nation’s key cybersecurity challenges, because he appears to view that discussion as questioning the legitimacy of his 2016 victory.
“The president has to be convinced this is important,” King told me. “This isn’t part of the election of 2016 … We have a responsibility to do something about it and I’m hoping the White House will agree.”
King and Gallagher plan to sell the commission’s major proposals with a schedule full of appearances at think tanks, universities and media interviews in the coming weeks — similar to an effort by 9/11 Commission co-chairs former New Jersey governor Thomas Kean (R) and former congressman Lee Hamilton (D-Ind.).
“I’ve worked too hard on this to not work hard on getting it implemented,” King said. “I’m absolutely convinced this is a disaster waiting to happen and we’ve got to confront it.”
The White House did not respond yesterday to a request for comment.
The proposal to streamline congressional cybersecurity work could also face fierce opposition from committee leaders who are wary of giving up authority.
Other major proposals in the report include:
- A review aimed at increasing the number of troops assigned to U.S. Cyber Command
- Increasing resources for DHS's main cybersecurity division, the Cybersecurity and Infrastructure Security Agency
- Directing CISA to help federal agencies such as the Energy Department and the Environmental Protection Agency ensure companies in their sectors become more secure against hacking
- Increasing funding for the Election Assistance Commission, which helps states and counties protect elections from hacking
- Making permanent a Federal Election Commission ruling that allows cybersecurity companies to offer free and reduced-price services to help secure political campaigns
- Creating a certification authority that would indicate a product has met security standards
- Requiring publicly traded companies to demonstrate to the Securities and Exchange Commission they have conducted cybersecurity risk assessments
PINGED, PATCHED, PWNED
PINGED: U.S. intelligence officials have no evidence yet that Russia is interfering in the 2020 election to benefit a particular candidate, the head of national counterintelligence William Evanina told lawmakers yesterday during a classified briefing, my colleagues Seung Min Kim and Ellen Nakashima report.
That tempers officials' assessment last month that Russia had developed a “preference” for President Trump. The earlier briefing angered Trump when he learned about it, officials told Seung Min and Ellen.
“Evanina told senators that the Russians ‘continue to be broadly engaged in social media activities designed to divide us further, to discredit our electoral system and to disrupt our election,’” my colleagues report.
Absent from the hearing was the intelligence community’s top election threats executive Shelby Pierson, who delivered the previous briefing that drew the president’s ire. Trump's acting director of national intelligence Richard Grenell also declined to appear, which people familiar with the matter told Seung Min and Ellen was out of concern about addressing sensitive subjects that tend to upset the president.
Trump dismissed the briefing before it even began, tweeting, "It is headed up by corrupt politician Adam ‘Shifty’ Schiff, so I wouldn’t expect too much!"
There is another Russia, Russia, Russia meeting today. It is headed up by corrupt politician Adam “Shifty” Schiff, so I wouldn’t expect too much! @DHS_Wolf — Donald J. Trump (@realDonaldTrump) March 10, 2020
The Democratic House Intelligence Committee chairman from California fired back, writing, “We will insist on the truth, whether you like it or not."
Mr. President, you are wrong. As usual. Today’s briefing for all House Members focuses on the threat of foreign interference in our election. The briefers are agency heads and senior officials. They are your own people. We will insist on the truth, whether you like it or not. https://t.co/bl4HUlPprj — Adam Schiff (@RepAdamSchiff) March 10, 2020
PATCHED: The online dating company Match Group will throw its support behind the controversial EARN IT Act at a Senate Judiciary Committee hearing today, Dan Primack and Margaret Harding McGill at Axios report. Cybersecurity advocates and tech trade groups warn that the bill, which is aimed at combating online child predators, could also deal a serious blow to encryption protections, weakening security for all users.
The endorsement from Match Group – which owns dating apps including Tinder, Match.com, OkCupid and Hinge – makes it an outlier in the tech industry, which has largely come out against the bill. “We don’t casually lend our support to this legislation. We do it recognizing there is no cure-all to keeping the internet safe...But, even still, we have to do every bit we can,” Match chief executive Shar Dubey wrote in a memo.
The bipartisan legislation would strip tech companies of liability protections for content that users share on their platforms if they don't comply with government-issued guidelines to prevent online child sexual exploitation. Tech companies fear those requirements will include allowing police backdoor access to encrypted communications.
Match Group is facing a separate House investigation over how its companies handle child predators on their apps.
Elizabeth Banker, deputy general counsel at the tech industry group the Internet Association, will also testify at today’s hearing. She plans to argue that the EARN IT Act will weaken cybersecurity and may not be effective at preventing child exploitation.
PWNED: House leaders have reached a bipartisan deal to renew controversial surveillance tools that were set to expire this week, Melanie Zanona at Politico reports. The bill, which expires in just four days, probably will see a vote in the House this week, but could face hurdles in the Senate.
The reauthorization would permanently suspend an intelligence program for warrantless collection of people’s location information from GPS and cellphone data. But it would not limit intelligence agencies’ ability to collect Web browser data, which privacy advocates had pushed for.
It could face criticism from Senate Republicans for not going far enough to restructure the surveillance protocols that President Trump alleges intelligence agencies abused to monitor his campaign.
Privacy hawks, meanwhile, probably will oppose the bill for not doing enough to protect civil liberties. Sen. Ron Wyden (D-Ore.), a strong privacy advocate, said the bill “falls far short of the meaningful protections for Americans’ rights that members from both parties have demanded.”
- The Cyberspace Solarium Commission will release its final report and recommendations during a public event on Wednesday at 2:30 p.m.
- The Senate Judiciary Committee will hold a hearing on “The EARN IT Act: Holding the Tech Industry Accountable in the Fight Against Online Child Sexual Exploitation” on Wednesday at 10:00 a.m.
- The R Street Institute and The Chertoff Group will hold a conversation on the EARN IT Act and Its Broader Implications for Encryption and Cybersecurity on Wednesday at noon.
- The Senate Committee on Homeland Security and Governmental Affairs will meet on Wednesday at 2:30 p.m. to consider several cybersecurity bills.
- The House Homeland Security cybersecurity subcommittee will hold an open hearing on the CISA budget on Wednesday at 11 a.m.