WASHINGTON — A commission created by Congress to develop a more strategic approach to defending against cyberattacks turns out the lights on Tuesday, ending two and a half years of work on policy recommendations, legislative pushes and warnings about malware, ransomware and other threats.
When the Cyberspace Solarium Commission released its first recommendations in March 2020, after a year of research and writing, its members vowed that the panel would work differently from other blue ribbon Washington exercises. Senator Angus King, independent of Maine and a co-chairman of the commission, said the recommendations would not end up dusty on a shelf, like those drawn up by many other well-meaning panels.
The commission’s name was based on the Eisenhower administration’s Project Solarium, which developed new policies for the Cold War. Influential members of the House and Senate Armed Services Committees led the commission, allowing its cybersecurity recommendations to be packaged as legislation included in one of the few policy bills that pass each year: the annual National Defense Authorization Act.
“This is an example of what I think was genius — and I can say that because it wasn’t my idea — instead of just issuing a report with recommendations we handed the congressional committees fully drafted, finished legislation,” Mr. King said.
Congress originally set the commission’s termination for the end of 2020 but extended its work for an additional year. During that time, Mr. King said, about half of the panel’s recommendations have been implemented, most through legislation but some through executive branch actions.
The commission shuts down with notable successes, like the creation of a national cyber director in the White House and measures to strengthen the powers of the Cybersecurity and Infrastructure Security Agency, as well as provisions in this year’s defense bill, including requirements for revised response plans and more exercises and drills for government officials.
Some key initiatives remain unfinished, with details of the legislation to be worked out or arguments over congressional jurisdiction to be untangled.
“We’re cleareyed about the fact that there’s some big things that still need to get done, that did not get done,” said Representative Mike Gallagher, Republican of Wisconsin and the commission’s other co-chairman.
The commission developed a proposal for a bill that would have identified systemically important infrastructure. Businesses — like Colonial Pipeline, which in May was hit by a ransomware attack — that play a crucial role in the economy would be given special assistance to improve their cybersecurity. In return, however, they would have additional security requirements and share additional information with the government.
More hearings with the House Homeland Security Committee will be necessary before that legislation moves forward, as lawmakers wrestle with details of liability protection and how to oversee security of cloud computing providers and other industries.
Mr. Gallagher, who over the last two years emerged as a rising star among members of his party focused on legislating, said he wanted additional measures passed that would have required companies and institutions operating critical infrastructure to report intrusions or attacks to the federal government.
“We believe Congress should authorize the Department of Homeland Security to establish requirements for critical infrastructure entities to report cyberincidents to the federal government,” Mr. Gallagher said. “But we were unable to get that across the finish line.”
The committee also developed proposals for a “joint collaborative environment” on cyberthreats that would increase information sharing between private companies and the government. While government officials say they have taken steps in that direction, private companies say there are still too many barriers to sharing information — and the commission members agree.
Right now, Mr. Gallagher said, the federal government doesn’t have the infrastructure to share data across agencies and with private businesses. The mind-set must also change, he said.
“It’s a question of how do you change the culture of the intelligence community, such that they’re proactively willing to share things with the private sector as opposed to just hoarding information or demanding information,” Mr. Gallagher said.
Some of the legislative proposals — like the establishment of a national cyber director — were fiercely debated, but the panel largely avoided partisan fighting.
“I put more time and energy into this project than anything else I’ve done in the Senate. And I didn’t want to waste that time and energy,” said Mr. King, who caucuses with the Democrats.
Mr. Gallagher and Mr. King said they were hopeful their remaining major legislation could move through Congress next year.
While the commission will end, the lawmakers and other members will continue to work with a new nonprofit group, said Mark Montgomery, the executive director of the commission.
The nonprofit will continue to research those initiatives, and members and their staff will push for congressional action, he said. It will also be a resource for researchers and scholars examining policy problems and solutions, hosting the commission’s report and papers on various topics.
Previous efforts to improve approaches to cybersecurity ran out of steam. But Mr. Montgomery said the nonprofit may be able to maintain momentum, at least for a time, by keeping up the commission’s annual assessment reports.
The nonprofit, Mr. Montgomery said, will also keep a variation of the commission’s name with a new website that will be up and running in the new year.
“I went and bought for $12 cybersolarium.org,” Mr. Montgomery said. “So we are going to have to go from solarium.gov to cybersolarium.org. But that’s 12 bucks I was willing to spend.”