New NDAA pushes more cyber amendments, national director

Find opportunities — and win them.

Much of the Cyberspace Solarium Commission's agenda is being pushed into this year's defense authorization process, including its crown jewel idea of a national cyber director.

NOTE: This article first appeared on FCW.com.

Following the release of the Cyberspace Solarium Commission report earlier this year, members of the group almost immediately identified the annual National Defense Authorization Act as a prime vehicle to implement much of their agenda. As the defense authorization process enters its final stages, they’re doing all they can to deliver on that prediction.

Markups of the House and Senate versions already have a number of Solarium provisions baked in, and members have introduced dozens of proposed amendments that draw from recommendations in the report. Solarium co-chair Sen. Angus King (I-Maine) has sponsored or co-sponsored 18 additional amendments, while on the House side Rep. Jim Langevin (D-R.I.) has been involved in submitting at least 16 Solarium-related amendments to the Rules Committee.

King expressed cautious optimism about the prospects for the raft of later amendments, saying “we’re making progress” and noting that a number of proposals enjoy broad or bipartisan support. In some cases, legislators have drawn inspiration from multiple recommendations in the report to place cyber initiatives in appropriations language.

Following the report’s release, the commission has worked to make it as easy as possible for this Congress or future ones to do just that. This week staff released an annex with over 50 ready-made legislative proposals drawn from the report -- complete with draft bill language – and distributed them to relevant congressional committees and subcommittees.

“While some of recommendations set forth in the March 2020 report require action by the executive branch; private-sector corporations; State, local, tribal and territorial governments; and ordinary American citizens, we hope these legislative proposals will expedite the implementation process and better prepare the nation to protect itself in cyberspace,” wrote executive director Mark Montgomery.

Still, much depends on how this year’s defense authorization plays out. The commission could have many of its critical recommendations adopted into law or see them stripped out or voted down, forcing commission members back to the drawing board in a year where presidential politics and a still-raging pandemic is expected to limit the remaining congressional calendar. Some proponents expect the results to be a mixed bag, with provisions strengthening the Cybersecurity and Infrastructure Security Agency and promoting continuity of the economy expected to receive the strongest support.

“Whatever we can’t do in this defense bill we’ll continue to try to move in individual pieces of legislation or in the defense bill next year, but I think we’re already well on the way,” King told reporters in a June 30 briefing.

Cyber leadership starts at the top

The most notable idea Solarium backers are still hoping to see included is establishing a Senate-confirmed National Cyber Director in the White House. Langevin has submitted an NDAA amendment to the House Rules Committee that would create the position, and Rep. Carolyn Maloney (D-N.Y.), who chairs the House Oversight Committee, will hold a hearing on a standalone version of the legislation this week.

“A challenge as complex and pervasive as cybersecurity requires that our government be strategic, organized, and ready,” Maloney plans to say in her opening statement at the hearing, according to an excerpt shared with FCW. “Democrats and Republicans agree we need a National Cyber Director to ensure we are fully prepared for, and coordinated in, our response to cyberattacks as our nation fights this silent war.” 

On the Senate side, Homeland Security and Governmental Affairs Committee Chair Ron Johnson (R-Wis.) has also come out in favor the legislation, and King told reporters in June that the Senate Armed Services Subcommittee on Cybersecurity chaired by Sen. Mike Rounds (R-S.D.) is planning its own hearing on the topic in July.

King and Langevin said their understanding is that the White House opposes the idea, though both told FCW they’re still in the dark regarding what specifically the administration objects to in the bill outside of general concerns about maintaining executive branch prerogatives. A bipartisan group of legislators are planning to reach out to the administration soon to further flesh out potential areas of compromise.

One argument Langevin intends to make in that meeting is that it would give the Trump administration an opportunity to go bold in an area where his predecessor took a more cautious approach.

“[President] Obama couldn’t get this done -- [his team] didn’t really want it or think they needed it,” said Langevin in an interview. “I’m hoping President Trump sees it differently, just like with Space Force, he’ll see the importance of creating the first-ever national cyber director.”

Two areas where Langevin believes the lack of a cyber director has hurt the United States: coordinating the federal government’s collective efforts to help states secure election infrastructure, and shaping international discourse on cyber issues at the United Nations.

Last year, the U.N. passed a resolution sponsored by Russia to establish an open-ended intergovernmental council and convention on cybercrime. While the proposal would ostensibly be focused on developing a global response to the problem, more than 30 digital and human rights groups warned that the language in the resolution is so broad it could allow Russia and other repressive governments to criminalize “ordinary online behavior” such as political organizing and encryption -- all with the blessing of the international community.

“We really got our lunch eaten at the U.N. by the Russians on their cybercrime treaty proposal. We didn’t have someone with the right policy authority there debating, arguing and working with our allies to point out the pitfalls…the ramifications,” Langevin said.

Langevin drew a direct line to that outcome from the elimination of the White House and State Department cyber coordinator positions under the Trump administration, saying “no one really noticed what was going on” because the U.S. did not have a robust structure in place to oversee digital security policies.

 “This is the problem with not doing a deep dive and not having the cyber expertise present at these international bodies,” he said. “Enemies and adversaries are going to look to take advantage of policy forums like this where they can argue a point of view…that maybe sounds good on the surface but when you look at the other side what their real intent it, it could really limit or infringe upon privacy, civil liberties, even the safety of individuals.”