June 15, 2020

Cyberspace Solarium Commission Report Highlights Tribal Cybersecurity Needs, Updates for COVID-19

Holland & Knight Alert
Kayla Gebeck Carroll | Marissa C. Serafino


  • The Cyberspace Solarium Commission (CSC) issued a report entitled, "A Warning for Tomorrow," making more than 80 recommendations to Congress for new policies to protect tribal, local, state and federal governments as well as the private sector and private citizens from cyberattacks.
  • The CSC has updated its report with a pandemic annex (Pannex) to reflect vulnerabilities further exposed by COVID-19.
  • The Pannex includes a request for Congress to establish a grant program to modernize digital infrastructure in the next COVID-19 relief package.

In 2018, Congress established the Cyberspace Solarium Commission (CSC) through the enactment of the John S. McCain National Defense Authorization Act (Pub. L. 115-232) to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences."

On March 11, 2020, CSC published its report entitled, "A Warning for Tomorrow," which makes more than 80 recommendations on new policies and legislation that Congress should enact to protect tribal, local, state and federal government data from cyberattacks. Many of the CSC's original recommendations are expected to be passed in this year's National Defense Authorization Act (NDAA). Subsequently, on June 2, 2020, the CSC released a pandemic annex (Pannex) to add four new recommendations and amend some original recommendations to account for COVID-19, such as urging Congress to establish a digitization grant program for tribal, local, state and territorial governments in the next COVID-19 relief package.

U.S. House of Representatives Homeland Security Committee leaders, state and local governments, technology coalitions and Indian Country also are urging Congress to include cybersecurity funding in the next COVID-19 relief package. Specifically, the National Congress of American Indians (NCAI) has urged Congress to establish a 10 percent set-aside for tribal governments in cybersecurity funding available for state and local governments, as well as to require the U.S. Department of Homeland Security (DHS) to submit an annual report to Congress outlining the cybersecurity needs of Indian Country. (See Holland & Knight's previous alert, "Tribal Governments Advocate for Cybersecurity Funding in Next COVID-19 Package," June 2, 2020.)

Tribal Mentions in CSC's Report

While all of the recommendations impact tribal services and business in some way, nine recommendations specifically mention the needs of tribal governments:

  • Recommendation 3.1.2: Establish a national cybersecurity assistance fund to ensure consistent and timely funding for initiatives that underpin national resilience. Grants provided to tribal governments require a 10 percent match, which would be increased annually by 10 percent until 50 percent matching funds are required.
  • Recommendation 3.3: Establish a Cyber Response and Recovery fund to assist tribal governments in responding to or preemptively preparing for cyberattacks.
  • Recommendation 3.3.3: Revise the National Cyber Incident Response Plan to include sector-specific information and better integrate response plans prepared by tribal governments.
  • Recommendation 3.3.4: Expand and coordinate cross-sector cyber exercises, gaming and simulation for tribal governments.
  • Recommendation 3.4: Establish a grant program through the Election Assistance Commission (EAC) to enable tribal governments "to implement voter-verifiable, auditable voting systems, including by replacing outdated voting equipment, building local capacity, and adopting a paper-based backbone."
  • Recommendation 3.5: Establish a grant program through the U.S. Department of Education to enable tribal education agencies to promote digital literacy, civics education and public awareness.
  • Recommendation 4.5.1: Incentivize the use of secure cloud services for tribal governments and their businesses.
  • Recommendation 5.1.2: Strengthen and codify processes for identifying broader private-sector cybersecurity intelligence needs and priorities. This recommendation requires identifying intelligence gaps, priorities and needs of tribal entities.
  • Recommendation 5.2: Establish and fund the sharing and fusing of threat information, insight and other relevant data across the federal government and the public and private sectors. This recommendation further requests government-sponsored network sensors or network-monitoring programs for tribal, local, state and territorial governments.

Modification to CSC Recommendations

The Pannex proposed to modify its original Recommendation 4.5.1 regarding secure cloud services, which directed Congress to authorize a study on cybersecurity threats to tribal, local, state and federal governments and to identify what federal assistance is needed. Given the urgency of this issue during COVID-19, the CSC modified its recommendation to eliminate the study and instead urge Congress to establish two tranches of grant programs to modernize digital infrastructure in the next COVID-19 relief package. The first tranche of payments would be used to incentivize or subsidize the cost to state, local, tribal and territorial governments associated with migrating to cloud infrastructure. The second tranche would focus on creating digital services and would be made available to state, local, tribal and territorial governments based on a competitive application process. Additionally, the Pannex has directed Congress to work with the U.S. Department of Homeland Security, the U.S. Department of Commerce and industry to identify a security standard, "which the security of cloud services can be measured and which may have to be met to demonstrate eligibility for the grant program." More generally, the Pannex's new recommendations include passing an Internet of Things (IoT) Security Law and establishing a Social Media Data and Threat Analysis Center.

For more information on advocating for increased cybersecurity resources in the next COVID package and/or ensuring that your tribe's data is secure during these challenging times, please contact Kayla Gebeck or Marissa Serafino.

DISCLAIMER: Please note that the situation surrounding COVID-19 is evolving and that the subject matter discussed in these publications may change on a daily basis. Please contact your responsible Holland & Knight lawyer or the author of this alert for timely advice.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.
