WASHINGTON, DC –  Today, U.S. Senator Angus King (I-Maine) – joined by Cyberspace Solarium Commission (CSC) Co-Chair Representative Mike Gallagher (R-Wis.) and CSC Commissioner and former Deputy Director of the National Security Agency Chris Inglis, testified before the Senate Armed Services Subcommittee on Cyber to present the CSC’s recommendations to establish a comprehensive, forward-looking cybersecurity strategy for the United States. The final report, issued on March 11, lays out more than 80 recommendations to improve the security of U.S. critical infrastructure and provides a strategic approach of layered cyber deterrence to defend the United States against cyberattacks of significant consequences. The Cyberspace Solarium Commission’s final report can be read in full HERE.

“What are the basic principles of the report? They can be summarized in three words: reorganization, resilience, and response,” stated Senator King in his opening statement, laying out key objectives of the final report (beginning at 2:58). “Reorganization I think we’re going to talk a lot about today; how are we organized in order to meet this challenge? Secondly, resilience. How do we build better defenses so that cyberattacks are ineffective? And that that in itself can be a deterrent if our adversaries decide it’s simply not worth it. The final is response. How do we develop a deterrence strategy that will actually work particularly for attacks below the level of the threshold of the use of force.

“We haven’t had a catastrophic cyberattack – probably because of the deterrence we’ve already had in place. The problem is we’re being attacked in lower level ways continuously – whether it’s the theft of intellectual property, whether it’s the theft of the [Office of Personnel Management] records of millions of American citizens, [or] whether it’s the attack on our election in 2016. That’s the area where we remain vulnerable and we haven’t developed a deterrent policy.”

+++

Senator King continued to make a case for the creation of a National Cyber Director position in the White House:

“Mr Chairman I would say that our proposal is the anti-silo. The problem is now, as I’ve mentioned, we’ve got cyberactivities in planning and work going on throughout the federal government, and the whole idea is to bring some coherence and coordination to that… We view this as a bringing together of a coherent organization with someone at the top that has oversight and situational awareness of what’s going on in all these different agencies.

***Video HERE***

“Different agencies have different responsibilities… other agencies that have cyber responsibilities are FERC, the EPA, the Department of Energy, I mean, it’s just so broad and what we’re talking about is having an office – and not a big office, we talked about the possibility of creating a new department but we thought that was too bureaucratic, too heavy-handed and that it would take too long. This is a position that there are really two models for the position we’re talking about. One is the cyber advisor in the Department of Defense. I think that’s an almost exact analogy because it was created because there was too many moving parts in the Department of Defense, there needed to be a coordinator. The other [models were] the US Trade Representative, Office of Management and Budget, the drug office, and…[the] Office of Science and Technology. And these are all presidential appointed, senate confirmed, and it provides them with the status and the ability to have some authority, and budget review authority is part of it, over the range of cyber-involved agencies in the federal government.”

***Video HERE***

+++

In addition to a National Cyber Director position, Senator King pushed for the creation of an Assistant Secretary of State for Cyber to facilitate international collaboration:

“One [aspect] I want to touch on very quickly – one of our major recommendations is for the creation of an Assistant Secretary of State for Cyber because international norms and expectations are an important part of this discussion and if we’re not at that table we can lose when they are talking about standards. This is a place where we have lost some ground.

***Video HERE***

+++ 

Noting that the private sector operates 85% of critical infrastructure, Senator King advocated for increased coordination between the federal and private sectors:

“85 percent of the target space in cyber is in the private sector… and that’s where we have to really develop relationships. This is a whole new way of thinking. One of the things we talk about is the intelligence - being able to share with the private sector what they’re learning about cyberattacks on data systems and power plants.”

+++

When asked to identify which sector was at a highest risk for attack, Senator King responded that each sector must be aware and bolster their cyberdefenses:

“I can’t identify one sector [of particular risk], but one that doesn’t get enough attention is water. Our water system, there’s something like 50,000 different water companies in the United States, and they’re vulnerabilities there; all of our financial system, our telecommunications system, of course electrical energy - and this is ongoing. We’ve talked to utility executives for example: one of whom told us his system was attacked 3,000,000 times a day. 3 million times a day.

That gives you the range…hundreds of thousands times a day. So, this is an ongoing threat – not only from state actors, but from malign actors who are doing ransomware, sometimes they are just garden variety crooks, but they are also people that want to undermine our society. I can’t give you one specific target that we most worried about. I think our worry was that we just didn’t feel that the country was prepared for what could, and likely will, happen.”

***Video HERE***

+++

Last month, Senator King and Representative Gallagher announced the release of the CSC’s Fiscal Year 2021 legislative proposals that in tandem with the final report, offer bipartisan solutions to better defend the nation’s critical infrastructure from cyberattacks of significant consequence. In June, the Cyberspace Solarium Commission released fresh observations rooted in the pandemic’s impact as they related to the security of cyberspace, both in terms of the unique cybersecurity challenges it creates, but also what it can teach the United States about how to better prepare for a major cyber disruption. Click HERE to read the CSC white paper, “Cybersecurity Lessons Learned from the Pandemic.”

The Cyberspace Solarium Commission was established by statute in the 2019 National Defense Authorization Act (NDAA), and officially launched in April 2019. The Commissioners convened nearly every Monday that Congress was in session for a year, and its staff conducted more than 400 engagements, drawing upon the expertise of corporate leaders, federal, state and local officials, academics, and cybersecurity experts. The meetings and the ensuing report sought to understand America’s posture in cyberspace and identify opportunities to improve our national preparedness to defend ourselves against cyberattacks.

The CSC was established in the spirit of the original Project Solarium convened by President Dwight D. Eisenhower in 1953. The original Solarium was created to develop a consensus strategy to counter the Soviet Union as it was threatening the United States and its allies in the early days of the Cold War. This work contributed to the strategies that guided the United States through the Cold War ending with the fall of the Berlin Wall and the collapse of the Soviet Union. The newest iteration of the Solarium seeks to create a path forward that will guide the United States through a new age of warfare.