The Cyber Solarium Commission, a working group of lawmakers and cybersecurity experts, released its first report last year. In total, 27 of its recommendations passed into law as part of the Defense Authorization Act. And yet, Solarium commissioner Frank Cilluffo said there’s still a lot more work to do for the second round.
“This year we obviously recognize that cyber goes far beyond national security,” he told an audience at the RSA Conference Tuesday.
Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security and former special adviser on homeland security for President George W. Bush, rattled off a list of priorities from the Solarium report that either had not been taken up by lawmakers or had stalled.
Among them: a commission proposal for Joint Collaborative Environments, which would serve as an intelligence sharing and fusion meeting point for public sector and private sector groups.
“You’ll see a lot of emphasis this year on translating the nouns into the verbs in terms of public-private partnerships,” he said.
Cilluffo also lobbied for recommendations to create a formal designation for “systemically critical infrastructure” – that is, the most critical of critical infrastructure – as well as a “cyber state of distress” to allow allocation of federal resources after a cyber incident. He also mentioned the Cyber Diplomacy Act, which would re-institute a top cyber-diplomacy post at the Department of State that was eliminated under President Donald Trump.
“This is not about ceding our national interest,” he said about the Cyber Diplomacy Act. “It’s actually about empowering it so we can work with our allies to be able to better push back on Huawei or ZTE or Kaspersky.”
The Cyber Solarium Commission was modeled in part on Project Solarium, Eisenhower’s nuclear deterrence strategy group. The 2020 cyber spin-off was headed by Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., who wrote his dissertation on the nuclear initiative. The Cyber Solarium Commission has had considerable success, most notably in creating the national cyber director position in the executive branch.
Cilluffo appeared at the RSA Conference on a panel to discuss the Solarium Commission. Fellow panelist Paul Rosenzweig, of the R Street Institute but not of the Commission, said his primary hope for legislation from the Solarium recommendations was for a Bureau of Cyber Statistics to aid in data-driven decision making.
“We can tell you qualitatively what we think works. We can talk about how it’s better to have passwords than not, or that two-factor authentication or multi-factor authentication is good. But we can’t tell you how good,” he said. “If I gave you $5 million, and said, ‘spend this on improving the security of an enterprise,’ the average CISO couldn’t actually put numbers to a proposal to decide whether or not to do threat hunting or better training of employees.”