Ride the Lightning

Congress’ Secret Weapon: The Cyberspace Solarium Commission

January 13, 2022

The Washington Post (sub.req.) reported on January 7 that the Cyberspace Solarium Commission, which was very recently dissolved, was Congress’ secret weapon in upping U.S. cybersecurity capability. It launched in 2019 and dozens of its recommendations have become federal law.

I doubt that many people even recognize the name of this very successful commission. The commission’s 2020 report contained roughly 100 recommendations, many composed in legislative form and ready to be debated.

More than three dozen of Solarium’s recommendations are now law, including creating a new cyber czar in the White House (Chris Inglis) and greatly increasing funding and responsibilities for the Cybersecurity and Infrastructure Security Agency (CISA) which has quickly become a wonderful (and neutral) cybersecurity resource.

Vendor resources tend to be thinly veiled sales pitches. CISA isn’t selling anything – we recommend it all the time as a wonderful and trusted source.

The commissioners included a bipartisan group of legislators, executive branch officials and private sector experts supported by a staff of approximately two dozen lawyers and cyber professionals.

Other wins include new powers Congress granted to CISA, a mandated review of the Pentagon’s cyber manpower needs and a fund to help companies recover when they’re struck with significant cyberattacks that affect national security.

Another win? The State Department is establishing a new cyber bureau focused on developing international cyber rules of the road.

The biggest failure?

They failed in their effort to require companies in critical industries to alert CISA when they’re hacked and to require reports from a broader set of companies when they pay ransoms to hackers, a measure that would greatly improve the government’s understanding of cyber threats.

Other Solarium priorities that haven’t made it into law (yet) include:

• Mandating creation of a government cyber strategy aimed at deterring hacking from U.S. adversaries such as Russia and China
• Creating a new center that would pool cyber threat intelligence from throughout the government and share it with the private sector

They also failed in ending the mishmash of congressional committees that have some responsibility for cybersecurity into two select committees — modeled on the House and Senate Intelligence Committees.

Once lawmakers have power, they are loathe to give it up. It is thought that only a major cyberattack will compel the government to rethink how it handles cybersecurity. On the other hand, it is thought that such a major attack might be coming.

While the Solarium Commission won’t be funded by Congress any longer, a 2.0 version will continue doing some work with a bare-bones staff of four or five people under the direction of its executive director Mark Montgomery. 

Its objectives:

• Compiling an annual report on the status of Solarium recommendations that have been enacted by federal law or policy
• Advising Congress on recommendations that aren’t yet in law
• Doing additional research in a handful of areas identified by the commission, including cyber threats to water and wastewater systems, the maritime and transportation sectors and health care.
• They’ll also look at ways to improve cyber hiring inside the federal government.

Cybersecurity morphs with astonishing speed. There will always be more work to do. I wouldn’t be surprised to see the Commission resurrected.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson