3 Cyberspace Solarium Commission Recommendations to Watch in NDAA FY21
Progress on H.R. 6395, a.k.a. the “National Defense Authorization Act for Fiscal Year 2021,” is non-existent. Presently, it is a skeleton bill containing basic manpower authorizations and military construction appropriations.
Hopefully, NDAA FY21 will soon include tenets from the March 11, 2020 Report published by the Cyberspace Solarium Commission (CSC), which was established by NDAA FY19 to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences." The CSC offers 80 recommendations spread across 6 pillars, in 3 layers, which together create a “Layered Cyber Deterrence” approach.
The layering is generally structured like this:
Pillar 1: Reform the U.S. Govt.'s Structure and Organization for Cyberspace (a new National Cyber Strategy – the last one is from 2018; bolster the Cybersecurity and Infrastructure Security Agency (CISA); improve and retain U.S. Govt. cyber talent)
Layer 1: Shape Behavior
Pillar 2: Strengthen Norms and Non-Military Tools.
Layer 2: Deny Benefits
Pillar 3: Promote National Resilience.
Pillar 4: Reshape the Cyber Ecosystem.
Pillar 5: Operationalize Cybersecurity Collaboration with the Private Sector.
Layer 3: Impose Costs
Pillar 6: Preserve and Employ the Military Instrument of National Power and All Other Options to Deter Cyber attacks at Any Level.
Noted throughout the report, and reflected in the Fourth and Fifth Pillars, is the need to coordinate cybersecurity efforts with the private sector, given its control of most critical infrastructure. The idea is not novel, but the partnership has grown painfully slowly (evidence: the exposed vulnerability of healthcare networks and certain supply chains during the COVID-19 outbreak).
However, these 3 proposed accelerators from the CSC are worth attention:
REC 1: Provide supplemental funding to CISA earmarked to aid the public and private sectors in recovering from significant cyber incidents. CISA already provides free vulnerability assessments, but recovery services to private entities would be a distinct expansion of its current offerings.
PRO: Sharing an acronym with CISA, the Cybersecurity Information Sharing Act of 2015 already provides legal benefits to private entities that share information with the government, such as FOIA exemptions and limited legal immunity (attorney-client privilege remains an issue in every state except Louisiana).
CON: CISA already has a recruiting and retention problem. Who would perform these tasks on behalf of CISA? CISA simply cannot compete with private sector salaries within the necessary talent pool if it wants to house this office in the DC Metro Area. Putting aside Fairfax County Public Schools’ virtual learning disaster, the DC Metro Area does boast fantastic public schools. However, the housing prices, daycare costs, and commutes required to live in the DC Metro Area outpace government salaries.
REC 2: “Direct and fund CISA to design a process for one-to-three-year exchange assignments of cyber experts from both CISA and the private sector. If successful, this model should be expanded to other agencies as well.”
PRO: Law firms do this with success, often referred to as secondments, in which an associate or partner is “on loan” to a client. The client gets a break on the hourly rate, and the law firm gets an inside peek at client operations and intel with which to better direct its marketing and business relations. Applied here, CISA and the private entity can learn from each other, and the U.S. Govt. can learn about (and ease) the private sector’s concerns with real-time information sharing (the goal).
CON: The U.S. Govt. will need to impose anti-solicitation provisions in the agreements, or it will lose more personnel to the lure of the private sector. Further, the U.S. Govt. will need to provide a financial incentive for the private sector to participate, as the risks and burdens primarily sit with it.
REC 3: Pass a national data security and privacy protection law to standardize requirements for the collection and retention of data, in hopes of remedying an already splintered digital economy. The CSC recommends that the legislation contain 5 elements (similar to the CCPA): 1) minimum standards for data collection, retention, analysis, and third-party sharing; 2) a definition of personal data, both individually and collectively (using households as a metric); 3) thresholds that determine which entities are covered; 4) a timeline for deleting, correcting, or porting personal data at the request of the individual; and 5) FTC enforcement authority through civil penalties. The CSC also recommends a national data breach reporting law.
PRO: A good idea (proposed almost every year since 2016 in some form) that would help businesses engaged in interstate commerce navigate conflicting state laws and regulations. Also, the FTC has existing infrastructure to pursue penalties for unfair and deceptive practices in the court system and demonstrates continued success in this area through its partnership with the Department of Justice.
CON: In short, “the train already left the station.” Several states have invested heavily in creating and passing privacy laws. Any potential federal legislation must either be narrow enough to preempt only specific state laws or expressly preempt them (which can be politically messy). Additionally, certain states also see breach reporting and privacy laws as a source of revenue from fines and penalties; any federal legislation will need to navigate that process. In the time it will take to craft and pass sweeping legislation, the train may be even further from the station.
Personally, I also see data regulation as akin to a state police power. But that is a road too long for a blog post to travel…