Success Storied: How to Advocate for Tech Policy

Of tech policy groups in recent memory, few have been quite as successful as the Cyberspace Solarium Commission (CSC). Turning policies into reality might not be the flashiest process, but it’s hard to say that CSC hasn’t made a splash. Thanks to its laundry list of cybersecurity recommendations, the United States now has an Office of the National Cyber Director, the U.S. government can subpoena ISPs over vulnerabilities, and the country has a raft of updated cybersecurity protocols.

The CSC has reached the end of its first life. But, already, well over half of its recommendations have been put into U.S. law—a rather impressive strike rate for a group of its kind. Looking at the CSC’s history and its background, there are a few factors that primed it for success—including more than a bit of fortune.

For one, the CSC owes its existence to the will of U.S. lawmakers: It was formed by and included members of the U.S. Congress in 2019. At that time, Donald Trump’s administration had dissolved the predecessor of the Office of the National Cyber Director, and members of Congress fretted over the hole that was left behind. So, they created the CSC to sort out how best to fill it.

The CSC ultimately recommended 82 policies. Of those, somewhere between 50 and 65 were ultimately enacted.

That legislative backing set the commission apart from counterparts that came before it. “They might have had congressional members, but [the CSC] was different, because it was actually written into legislation and funded by the Congress,” says James Lewis, policy expert at the Center for Strategic & International Studies. “In that way, it was a first.”

For another, the CSC had official precedents. It gets its name from Project Solarium, a group founded in 1953 to study U.S. policy toward the Soviet Union. (The White House Solarium, sitting atop the building, is where government officials met to brainstorm the group’s existence). Another, more recent precedent was the National Security Commission of Artificial Intelligence, formed in 2018 to study how American government policy wonks should react to the rising prevalence of AI.

An even larger inspiration may have been the 9/11 Commission, which had been founded by U.S. lawmakers in 2002 to pore over the causes of the previous year’s terrorist attacks. Its eventual report did receive criticism for conflicts of interest and using questionable evidence, and the government’s success in carrying out its recommendations was questionable. But it proved to be immensely influential over its successors—the CSC included.

The CSC recommended a total of 82 policies. Of those, somewhere between 50 and 65 were ultimately enacted, in the estimate of Mark Montgomery, the CSC’s executive director. But the process of actually implementing those recommendations was a delicate one that often needed to maneuver around the realities of U.S. federal lawmaking.

By far, the CSC’s highest-profile policy success was the creation of the National Cyber Director. But when the process began, it wasn’t clear that Donald Trump wouldn’t be reelected. In that course of events, the new director’s office would have had to deal with Trump’s rival wishes. Fortunately for the CSC, the incoming Joe Biden administration was far friendlier to its ideas.

Many of the CSC’s recommendations were added into the pages of 2021’s version of the National Defense Authorization Act, the yearly law that funds the U.S. military and the U.S. Department of Defense. While that ensured those recommendations would pass, it could lead to administrative tangles over who could lead cybersecurity activities.

“I think that one of the problems for the U.S. in general is that, since Congress is a little dysfunctional at times, they tend to tack everything into the National Defense Authorization Act, which makes it a DOD activity, and cybersecurity isn’t a DOD activity,” says Lewis. (It’s generally under the umbrella of a different government department, the Department of Homeland Security.)

“If you try to do this through the prism of DOD, it will make it harder to be successful,” says Lewis.

Now, with the Congress-backed phase of its existence over, the CSC prepares to start a second life as a think tank, under the umbrella of the Foundation for Defense of Democracies. Again, there’s precedent here; previous commissions have often transformed into think tanks after the end of their tenure.

It’s likely that the CSC’s new form won’t have as easy of a time quickly pushing through recommendations en masse. But it may be able to keep watch over the fruits of its labors so far, and it can continue pushing for the rest of its laundry list, such as reinforcing cybersecurity in key sectors like utilities and health care and bringing more people into the cybersecurity workforce.

“If there’s a lot that we can tell needs to be studied and done, maybe they need a new commission,” Montgomery told CyberScoop. “But I think we’re going to spend two years to try to push through on implementation. In hindsight, you need longer to track implementation.”