After the Cyberspace Solarium Commission’s Successful Run, What’s Left to Do?

On September 19, 2024, U.S. Senator Angus King (D-ME); Rear Admiral (retired) Mark Montgomery, Senior Director and Senior Fellow of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation; and former Southern Company Executive Chairman Tom Fanning announced the release of the 2024 Cyberspace Solarium Commission (CSC) 2.0 Annual Report on Implementation (Annual Report). All three played key roles in the CSC 1.0, which released a report with 82 policy recommendations in 2020, 80% of which have been enacted into law, implemented by the federal government, or are on track to be implemented.

The Annual Report provides insights into potential cybersecurity legislation that may be taken up during the congressional lame duck session or next session of Congress, or by the current or next administration.

Key Takeaways

• King, Fanning, and Montgomery emphasized the failure of multiple administrations to carry out a policy of deterrence through cost imposition on U.S. adversaries for bad behavior.
• The Annual Report provides 10 recommendations for the incoming administration and Congress, focusing on the most pivotal remaining policy priorities. The Annual Report reacts to recent developments related to these recommendations to deliver an updated narrative and perspective.
• The recommendation on the designation of Systemically Important Entities (SIE), which is particularly controversial among many critical infrastructure sectors, remains the CSC’s top priority.
• Although Senator King is the only current member of Congress who is still serving as a Solarium Commissioner, Senator King and RADM Montgomery seemed to be confident that the recommendations would garner support from leadership and members of the House and Senate Homeland Security committees.
• According to Senator King, the Solarium Commission will continue to produce and refine recommendations and welcomes input from the private sector.

Top 10 Recommendations

1. Designate Benefits and Burdens for Systemically Important Entities (2020 CSC Rec. 5.1): This recommendation to identify Systemically Important Entities (SIE) for benefits that would help improve their cybersecurity and burdens of demonstrating a cybersecurity baseline was initiated by the Cybersecurity and Infrastructure Security Agency (CISA) without congressional legislation followed by National Security Memorandum-22 on critical infrastructure security and resilience, which requires CISA to identify SIE taking into account cross-sector dependencies. King, Montgomery, and Fanning all agreed that SIE is the top-priority recommendation. Each echoed the Annual Report’s identification of intelligence and information sharing as benefits, which they said need to be vastly improved. Tom Fanning explained an entity may be SIE but there may be parts that are not critical to national security. He said the private sector needs to work with the National Risk Management Center (within CISA) to determine SIE “at the asset level.”
2. Conduct Robust Continuity of the Economy Planning (COTE) (2020 CSC Rec. 3.2): COTE was enacted into law through the 2021 National Defense Authorization Act (NDAA) requiring the development of a plan to restore critical economic functions in the event of a significant cyber disruption or other disaster. CISA began outreach to critical infrastructure sectors to begin this process by identifying sector needs and dependencies, but the Administration’s report to Congress “dismissed the need for additional COTS planning.” According to the Annual Report, the Administration’s report failed to recognize “gaps in current federal incident response capabilities and failed to grapple with the ways the private sector must participate in the development and implementation of the plan.” Fanning and Montgomery prioritized this recommendation as second.
3. Codify Joint Collaborative Environment (JCE) for Threat Information Sharing (2020 CSC Rec. 5.2): Although CISA has created what it calls the JCE, it doesn’t have the capabilities and level of intelligence sharing envisioned by the CSC. According to the Annual Report, the JCE needs to be codified and funded by Congress to allow for an advanced platform for information sharing and analysis where government agencies and private sector entities collaborate. Senator King said he prioritizes the JCE over COTE, but it is a close call for him.
4. Strengthen an Integrated Cyber Center within CISA (2020 CSC Rec. 5.3): The Annual Report prioritizes “establishing an integrated cyber center (ICC) within CISA … to achiev[e] a unified national defense against cyber threats.” The ICC would centralize “expertise and capabilities within CISA” while “empowering it as the nation’s civilian cyber defense agency.” Other federal agencies would contribute skills to this hub for information sharing. This recommendation has evolved since the 2020 CSC report.
5. Develop Cloud Security Certification (2020 CSC Rec. 4.5): Although FedRAMP standardized security assessments, this recommendation is for explicitly enforced cybersecurity standards through a security certification. Additionally, the Annual Report recommends either classifying "cloud services as a stand-alone critical infrastructure sector or, at least, as a unique sub-sector within the information technology sector."
6. Establish a Bureau of Cyber Statistics (2020 CSC Rec. 4.3): The 2020 report recommended that this Bureau be established within the U.S. Department of Commerce. However, the Annual Report recognizes that CISA’s information collection and analysis role under the Cybersecurity Incident Reporting for Critical Infrastructure Act may be more useful to leverage than a bureau at Commerce.
7. Establish Liability for Final Goods Assemblers (2020 CSC Rec. 4.2): The Annual Report recognizes the complementary efforts to this recommendation that are underway, with the Office of the National Cyber Director’s work on a software liability framework and the FCC’s IoT Cyber Trust Mark program. It observes that implementing liability requirements will require “legislative action and a flexible regulatory framework … [which] should define manufacturers’ responsibilities, conditions for liability, and penalties for non-compliance.”
8. Develop Cybersecurity Insurance Certifications (2020 CSC Rec. 4.4): This recommendation for a federally funded research and development center (FFRDC) would “help insurers find ways to offer better coverage that meets various sector-specific needs.”
9. Establish National Guard Cybersecurity Roles (2020 CSC Rec. 3.3.6): The Annual Report recommends that Congress and the next administration leverage the National Guard for cyber response and clarify its responsibilities during cyber incidents.
10. Build Societal Resilience Against Cyber-Enabled Information Operations (2020 CSC Rec. 3.5): The Annual Report recommends enhancing public awareness through digital literacy and education campaigns.

The recommendations in the Annual Report reflect important policy questions facing the United States. Some aspects of the recommendations could appear in the 2025 NDAA during conference negotiations or may be taken up by the next administration or Congress. However, several of the recommendations encountered opposition during consideration of previous NDAAs (e.g., SIE and JCE), which may be indicative of chances going forward.