SASC Pushes Cyber Overhaul In New NDAA

 

ALBUQUERQUE: Sen. Angus King, co-chair of the Cyberspace Solarium Commission, thinks a cyber threat could be as dangerous — or worse — than the COVID-19 pandemic. The Senate Armed Services Committee is listening and has incorporated 11 of the commission’s recommendations in the 2021 NDAA, with another  18 ready to be introduced as amendments.

“If you had said a year ago, the entire country’s going to be shut down; millions of people are going to be out of work; the stock market is going to collapse; the government is going to have to spend trillions of dollars in a few months to keep the economy going; people would have said that’s science fiction, that’s a nightmare. Well, we’ve lived it,” King said

“This pandemic only strengthens the argument for preparing for what we call a cyber pandemic, which we might well face,” he added. “This is the longest wind up for a punch in the history of the world. We better be ready.”

At the start of June, the Solarium Commission released a new white paper explicitly drawing parallels between threats in the cyber domain and the pandemic, and emphasizing the importance of recommendations already made by the commission.

Chief among these is creation of a National Cyber Director, tasked with coordinating the federal government’s response and serving as a singular focal point for industry to bring concerns to the executive branch.

“Right now, the responsibility for cyber is, I can’t remember how many — seven or eight committees at least — and it’s also scattered throughout the federal government in terms of different agencies,” said King. “The fact that it’s so fractured both on the executive side and on the legislative side means that it’s very difficult to develop a coherent, coordinated response.”

While the SASC NDAA draft does not immediately create the position of a National Cyber Director, it does call for an independent assessment on the feasibility and advisability of establishing one. One complication is that the White House appears opposed to the creation of such a position, continuing a long and frustrating battle between Congress and the Executive Branch that predates this administration and has prompted much criticism from cyber operators.

“I don’t understand the White House’s reluctance because I think this is a favor to them,” said King. “It gives the president, any president, whoever the president is, a point of accountability and authority and direct, overarching control over the government’s response in a situation like this, and I think that’s a clear need.”

Coordination of response to attacks on networks and through computers is a trans-national issue as much as a domestic challenge. To put in place a deterrence regime in cyberspace, the United States would need to coordinate with allies and other nations to establish the kinds of norms and rules that should guide such threats and retaliations.

To that end, the Solarium calls for the creation of a new Assistant Secretary of State that could help develop those norms and standards, and be the point person for the United States in managing this coordination.

King held off on saying the goals of these norms was to establish some kind of “extended deterrence” for cyberspace, with the collective punch-back ability of allies obliged to hit back in the event of an attack on one, saying that this specifically needs to be a matter of national cooperation and consensus.

Coordinating a cyber strategy within the United States, and putting specific people in charge of it, is a major first step to having a response ready to go, when and if a direct threat strikes at the United States from inside its networked infrastructure.