Date: 2022-01-07
The commission, which launched in 2019 and formally dissolved last week, was like Congress’ secret weapon, with dozens of its recommendations becoming federal law.
As an unprecedented wave of cyberattacks slammed federal agencies, local governments, and critical industries — and pressure mounted for the government to respond — the congressionally-led commission was prepared with roughly 100 recommendations from its 2020 report, many of them already written up in legislative form and ready to be debated.
“The urgency of the issue was really underlined by the attacks that occurred from the time we began our work to the time it was completed,” Sen. Angus King (I-Maine), who co-chaired the commission, told me. “It was easy to get our colleagues to pay attention on this issue.”
The tally: More than three dozen of Solarium’s recommendations have been turned into law, including creating a new cyber czar in the White House and surging funding and authorities to the Cybersecurity and Infrastructure Security Agency (CISA).
The mission: King frequently described the Solarium Commission as similar to the 9/11 Commission but aimed at preventing a devastating cyberattack rather than responding after one happened. But the commission took its initial inspiration from Project Solarium, a Cold War-era panel led by President Dwight Eisenhower that focused on containing the expansion of the Soviet Union.
The commissioners included a bipartisan cadre of lawmakers, executive branch officials and private sector experts supported by a staff of roughly two dozen lawyers and cyber pros.
I spoke with King and Solarium’s other co-chair, Rep. Mike Gallagher (R-Wis.), this week about the commission’s big wins, where they fell short and where government stands now in its epic struggle to make the nation safer against hacking.
The wins
Establishing a national cyber director topped the list for both lawmakers. That role is currently filled by Chris Inglis, a longtime NSA official who was a Solarium commissioner before his appointment.
Other wins include new powers Congress granted to CISA, a mandated review of the Pentagon’s cyber manpower needs and a fund to help companies recover when they’re struck with significant cyberattacks that affect national security.
The State Department is in the process of establishing a new cyber bureau focused on developing international cyber rules of the road — another Solarium recommendation.
Where they fell short
The big swing-and-a-miss was an effort to require companies in critical industries to alert CISA when they’re hacked and to require reports from a broader set of companies when they pay ransoms to hackers, a measure that would vastly improve the government’s understanding of cyber threats.
A version of that bill nearly made it into a must-pass defense policy measure at the end of last year but got cut out amid Senate bickering.
“That was very disappointing because we were so close,” Gallagher said. He’s hopeful that a version of it will become law sometime in the next year.
Other big Solarium priorities that haven’t made it into law include:
- Mandating creation of a government cyber strategy aimed at deterring hacking from U.S. adversaries such as Russia and China
- Creating a new center that would pool cyber threat intelligence from throughout the government and share it with the private sector
One big roadblock
The most pie-in-the-sky recommendation in the Solarium Commission’s 2020 report was to wrangle the mishmash of congressional committees that have some responsibility for cybersecurity into two select committees — modeled on the House and Senate Intelligence Committees.
That recommendation was unlikely to go anywhere given lawmakers’ typical refusal to give up any power once they have it. Gallagher speculated it will be a decade or more before Congress will seriously consider the proposal.
King suggested it will only be possible in the wake of a major attack that forces the government to completely rethink how it handles cybersecurity. However, given the serious cyber vulnerabilities in pipelines, electric utilities, water plants and other critical sectors, such an attack is far from unlikely, he warned.
“It’s hard to overstate the vulnerability of our country to a devastating cyberattack,” he said. “The only limit to the danger is your imagination.”
Unfinished business
While the Solarium Commission won’t be funded by Congress any longer, a 2.0 version will continue doing some work with a bare-bones staff of four or five people under the direction of its executive director Mark Montgomery.
The big objectives:
- Compiling an annual report on the status of Solarium recommendations that have been enacted by federal law or policy
- Advising Congress on recommendations that aren’t yet in law
- Doing additional research in a handful of areas identified by the commission, including cyber threats to water and wastewater systems, the maritime and transportation sectors and health care.
- They’ll also look at ways to improve cyber hiring inside the federal government.
Montgomery is soliciting private donations to fund the work, which he expects will last about two years, he told me. He declined to share donors’ names at this point because he said he’s not sure all the paperwork is complete but said they’re all from U.S.-based foundations and individuals.
The keys
The company behind the controversial Maricopa County, Ariz., election audit is breaking up
The company named Cyber Ninjas has let go all of its employees and is going out of business, CEO Doug Logan told the Arizona Republic’s Jen Fifield.
The news came during a courtroom hearing where an Arizona judge decided to force the company to pay $50,000 for every day it doesn’t turn over records from the election review, the Arizona Republic’s Ryan Randazzo reports. The Republic is seeking the records under state open records law. Maricopa Superior Court Judge John Hannah’s fine — 50 times what the newspaper had asked for — came months after he ordered the company to turn over the records.
Going out of business won’t get Cyber Ninjas off the hook for sharing the records, Hannah said. He accused the company of trying “to leave the Cyber Ninjas entity as an empty piñata for all of us to swing at” and said “the court is not going to accept the assertion that Cyber Ninjas is an empty shell and that nobody is responsible for seeing that it complies.”
More bad news for the Ninjas: Cyber Ninjas’s attorney John Wilenchik asked to be removed from the case and said he’s not getting paid. Hannah refused.
Wisconsin officials are in talks to extend a partisan election review
Wisconsin Assembly Speaker Robin Vos (R) is negotiating to extend the partisan review led by former state Supreme Court Justice Michael Gableman by at least two months, the Milwaukee Journal Sentinel’s Molly Beck reports. Gableman has been conducting the investigation since August despite court rulings that found no evidence of fraud.
“Assembly Republicans hired Gableman in June 2021 and gave him a taxpayer-funded budget of $676,000,” Beck writes. The move came less than a day after former President Trump blasted state Republican officials for not doing enough to support his baseless election fraud claims.
Vos said this week he continues to keep Trump updated on the review’s progress. He wants to have Gableman’s report by the end of February so he can use it to craft legislation, he told television station WISN.
Gableman's review has been beset by blunders. Some of his subpoenas had incorrect information, and his team used an insecure email account to tell clerks to preserve records, leading some to categorize it as spam, Elise Viebeck reported.
India's ruling party may have used an app to manipulate social media and hijack WhatsApp accounts
Indian publication the Wire spent two years investigating the Tek Fog app. They said it had India’s ruling Bharatiya Janata Party's “footprints,” but didn't definitively tie it to the party. The Wire reports that the app was able to:
- Let users direct armies of accounts to amplify posts, making it easier to harass and shout down opponents
- Hijack WhatsApp accounts to send messages to hacked users’ contacts
The BJP has previously been accused of social media harassment of its opponents.
The app was used “on a daily basis to manipulate public discourse, harass and intimidate independent voices, and perpetuate a partisan information environment in India,” the Wire’s Ayushman Kaul and Devesh Kumar report.
Devang Dave, an election manager for the BJP who was named in the story but who the outlet didn’t directly tie to the app, called the revelations defamatory and threatened to take legal action against the news organization.
An outline for challenging the 2020 election results that was shared within the Trump White House doesn't make much sense, Cybereason’s Maggie MacAlpine writes. The now-infamous PowerPoint was shared with White House Chief of Staff Mark Meadows and with lawmakers to highlight different ways the results could be overturned. (MacAlpine was a co-founder of the DEF CON Voting Village.)
Daybook
- The House Oversight and Reform Committee holds a hearing on proposed changes to the Federal Information Security Modernization Act on Tuesday at 10 a.m.
- Damian Collins, who chairs the U.K. Parliament’s Joint Committee on the Draft Online Safety Bill, discusses disinformation at a Washington Post Live event with former Rep. Will Hurd, a Republican who represented Texas, on Tuesday at 11 a.m.
- The Senate Intelligence Committee holds a hearing on President Biden’s nomination of Kenneth Wainstein to be the Department of Homeland Security’s Undersecretary for Intelligence and Analysis on Wednesday at 2 p.m.
- Rep. Yvette D. Clarke (D-N.Y.), Rep. John Katko (R-N.Y.), the Department of Homeland Security’s Undersecretary for Policy Robert Silvers, and FBI Assistant Director Bryan Vorndran discuss 2022’s cybersecurity priorities at a Silverado Policy Accelerator event on Thursday at 9 a.m.
