Washington, D.C., December 21, 2020 – With the House and Senate’s passage this month of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (hereafter referred to as the FY21 NDAA), the Cyber Vault has reviewed the enrolled bill to compare it to the recommendations of the bipartisan Cyberspace Solarium Commission. With the Senate’s veto-proof vote of 84 to 13, the bill is expected to become law even if President Trump decides to oppose it.
The Commission originated from a provision in the John S. McCain National Defense Authorization Act for Fiscal Year 2019, and was charged with developing "a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences." With commissioners appointed from both sides of the aisle, and senior advisors and experts drawn from the government, the private sector and academia, the Commission produced a publicly available final report in March 2020, as well as a series of subsequent cybersecurity-focused white papers, which have generally received high praise from the cyber world.
In its final report, the Commission proposed a national strategy of cyber deterrence, which includes three layers: 1) shaping behavior in cyberspace through partnerships and leveraging of non-military instruments; 2) denying benefits to malign actors through election security, critical infrastructure protection and a “Continuity of the Economy Plan”; and 3) imposing costs on bad actors by bolstering U.S. cyber capabilities and capacity.
Source: Final Report of the Cyberspace Solarium Commission, March 2020.
The cyber-provisions of the FY21 NDAA represent the initial steps towards the realization of this layered cyber-deterrence strategy, with target areas ranging from the establishment of new offices, to the assessment of cyber threats in the defense industrial base, to new cyber education initiatives. Solarium Commission co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) applauded the enhanced cybersecurity focus of the bill, specifically the “more than two dozen of our key priorities and recommendations accepted and adopted to protect our national security interests, our economy, and our increasingly-connected way of life.”
Some of the more notable provisions include the establishment of the National Cyber Director and supporting Office of the National Cyber Director (Sec. 1752), the creation of a Continuity of the Economy Plan (Sec. 9603), and the formation of a Joint Cyber Planning Office under CISA (Sec. 1715) to facilitate the coordination of defensive cybersecurity campaigns across federal agencies and the private sector.
In the table below, we have listed the original Cyberspace Solarium Commission recommendations in the March 2020 final report along with their supporting provisions in the FY21 NDAA, allowing researchers, students and citizens alike to comprehensively review what is arguably the most forward-looking piece of legislation on national cybersecurity in the country’s history.