Inside Cybersecurity

Committee jurisdictional issues complicate fate of key Solarium Commission legislative proposals

By Sara Friedman / September 9, 2022

Getting Cyberspace Solarium Commission proposals on creating a cyber statistics bureau and codifying “systemically important critical infrastructure” into law is proving to be challenging due to committee jurisdictional issues, according to commission co-chair Sen. Angus King (I-ME), who says he is working with lawmakers to advance legislation.

Solarium member Rep. Jim Langevin (D-RI) was successful in getting his SICI proposal into the House version of the fiscal 2023 National Defense Authorization Act, but was unable to get an amendment to create the Office of Cyber Statistics at CISA into the House bill. Neither proposal is in the Senate version of the NDAA, which was released in July and hasn’t been considered on the chamber floor.

“We are hoping we can do the Bureau of Cyber Statistics in the national defense act but it is not there now. It is more a matter of congressional jurisdiction than it is policy as far as I can tell, but we are trying to get through that and hope to get through it before the end of the year,” King told reporters Thursday following a panel on what’s next for the commission at the Billington Cybersecurity Summit.

Sen. Angus King (I-ME)

The commission’s “SICI” proposal has faced challenges amid CISA’s effort to move forward with the concept without express authorization from Congress. Langevin changed his SICI proposal to align with CISA’s “systemically important entities” work, but it has encountered pushback from the banking and software sectors.

King said he isn’t aware of confusion among lawmakers on Langevin’s SIE measure “but everything is harder than you expect [in Congress]. Things that I thought were pretty easy and ought to be easily done turn out to be more complex but we are going to stay after these issues.”

King said the commission has made significant progress getting several Solarium proposals into law that faced jurisdictional hurdles in Congress, specifically pointing to the creation of the National Cyber Director.

The senator is continuing to push for advancement of the House-passed Cyber Diplomacy Act to codify the State Department’s new cyber bureau that launched in April. The Senate Foreign Relations Committee will hold a business meeting on Sept. 12 to vote on the nomination of Nate Fick to serve as ambassador at large for cyber and digital policy and oversee the new bureau.

King said, “Things that I thought would be non-controversial are for reasons that usually don’t have much to do with the policy, that have more to do with committee jurisdiction.” The diplomacy bill is “solely within the jurisdiction of the Foreign Relations Committee,” King said.

King said that, ideally, lawmakers should pass the bill and get Fick confirmed by the end of the year.

“I’m talking to my colleagues privately on the committee urging them to move fast because this is not a leisurely kind of issue. It’s a serious issue that we need to deal with, the sooner the better. Nate Fick is eminently well qualified, not in the least because he is from Maine, he is a very capable guy [and] getting in there sooner rather than later would be beneficial,” King said.

The Billington panel featured King, Cyberspace Solarium Commission 2.0 executive director Mark Montgomery, and former top DHS cyber official Suzanne Spaulding, who also served on the commission. Former CISA cyber leader Bryan Ware moderated the discussion.

Following the release of its landmark 2020 report, the commission put out six white papers expanding on its recommendations. Spaulding emphasized the importance of the countering disinformation report and its legislative proposal to create a civics education task force.

Civics education is a priority for Spaulding and she has continued advocating for the issue in her current role as senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies.

During the panel, King said he wants to get the Solarium proposal to create a “joint collaborative environment” into law soon. The measure was approved in the House NDAA but not included in the Senate version.

The JCE comes out of a need for the government to do a “better job in rapidly declassifying threat information,” obtaining it “willingly” from the private sector, and sharing data back quickly so it has value to industry, Montgomery said.

Montgomery pointed to NSA’s Integrated Cyber Center and CISA’s Joint Cyber Defense Collaborative as initiatives that have moved the government toward the JCE concept and argued for focused appropriations to continue the work under a JCE umbrella.

Beefing up cybersecurity practices in the water sector is a priority for Montgomery. The Foundation for Defense of Democracies, which houses the Solarium Commission’s work products and is leading efforts to implement its proposals, released legislative proposals in April aimed at improving water sector cybersecurity.

When asked whether the legislation could get passed this year, King said, “We are going to try. The problem with water is there are 70,000 water companies and some of them have pretty sophisticated security arrangements but a lot of them don’t.”

Regulating the water sector is “tricky,” King said, because water systems are largely owned by the private sector. He said, “The challenge of federal regulation, which might make perfect sense for a water system serving a million people, is unimplementable for a water system serving 10,000, and that’s the challenge, to find a way to strengthen these systems without creating a one size fits all regulatory system.”

Montgomery noted that when Congress takes on updating the American Water Infrastructure Act next year, it will be dealing with several water sector issues that are not tied to cybersecurity, including drought, climate change and rising sea water, and it could be hard for lawmakers to spend time addressing cybersecurity. -- Sara Friedman (sfriedman@iwpnews.com)