Democracies often aren’t great at planning; that’s the cruel efficiency of authoritarian governments. But in a welcome change, Congress took the initiative more than a year ago to create a group to revamp cyber policy that would cut across political and bureaucratic lines — drawing in members of Congress from both parties; representatives of defense and intelligence agencies; and top private-sector experts.
This rare exercise in preparedness was known as the Cyberspace Solarium Commission. The name evoked President Dwight D. Eisenhower’s 1953 “Solarium Project” that developed a “New Look” approach to the Soviet Union. Two policymakers dubbed it “the best example of long-term strategic planning in the history of the American presidency.”
The Cyberspace Solarium Commission’s two co-chairs were Sen. Angus King, a Maine independent, and Rep. Mike Gallagher, a Wisconsin Republican and Marine combat veteran in Iraq. The panel had 12 other members, including the FBI director, the deputy defense secretary, the acting deputy director of national intelligence and the acting deputy secretary of homeland security. The executive branch members helped craft the report but didn’t formally endorse it.
With The Post’s blessing, I moderated the presentation of the group’s report Wednesday, interviewing the two co-chairs and eight of the panelists onstage. I also attended one of the commission’s roughly 30 meetings and met with executive director Mark Montgomery and his staff at their headquarters in Crystal City, Va. My takeaway is that this kind of nonpartisan crisis planning is what the American people want and need from their government, especially in this period of public anxiety and division.
The group’s marquee recommendations were for clearer leadership and accountability at the top. To coordinate planning across the walled gardens of the federal government, it proposed a national cyber director, attached to the White House but confirmable by the Senate, who could drive policy in an emergency. We can see the need for such a policy czar in the Trump administration’s chaotic ad hoc response to the coronavirus. We weren’t ready for a pandemic, just as we aren’t ready for a cyberattack.
Because the biggest risks in a cyberattack would be to the civilian economy, the commission designated the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead. Personally, I would have preferred a new agency, free from the bureaucratic clutter and political turf wars of DHS. But the organization chart matters less than CISA’s leadership under Director Christopher Krebs, who was Microsoft’s director of cybersecurity policy and has solid experience.
The commission made smart recommendations for some new tools: a bureau of cyber statistics to gather threat data; an assistant secretary of state for cyber policy to oversee global rules and standards in cyberspace; new cybersecurity certification requirements for companies so that boards of directors and insurance firms have better yardsticks to measure preparedness.
Surviving a cyberattack is about resilience, and the commission proposed a series of measures: A “continuity of the economy” initiative would clarify how banking, food supply, power and other essentials would survive a digital assault. To aid private firms, and state and local governments, there would be a “Cyber State of Distress” and a “Cyber Response and Recovery Fund.”
The group made more than 75 recommendations in all, many to be pre-packaged as draft legislation. One of the hardest tasks will be getting Congress’s own act together. Nearly 80 committees and subcommittees now have oversight of aspects of cyber policy. The commission proposed creating new cybersecurity committees in each chamber that would have primary jurisdiction. Something similar happened 40 years ago with the creation of the intelligence committees. The coming turf war will be brutal, but that’s the price of preparation for cyberwar.
King and Gallagher said in introducing this commission’s work: “We are doing a 9/11 report to prevent a 9/11 in the future.” We can see, right now, in the jittery response to the coronavirus, the cost of being unprepared.
Here’s a chance to get it right. It’s Sept. 10 in cyberspace. Congress united to create the commission. Now it needs to enact the laws.