Senate Commerce Committee Is Cooking Up a Bill to Support Cyber Grand Challenges

SAN FRANCISCO—Legislation laying out the specifics of prize competitions meant to engage all of society in answering cybersecurity’s biggest and most difficult questions is emerging from the Senate Commerce Committee, according to an industry representative working on the effort. 

“There’s draft legislation to put resources behind it,” said John Davis, vice president and federal chief security officer for Palo Alto Networks, at the RSA cybersecurity conference Wednesday.

Davis spoke along with Bradford Willke, the Cybersecurity and Infrastructure Security Agency’s acting director of stakeholder engagement and cyber infrastructure resilience, and others during a panel discussion on “Next Steps for the Cyber-Moonshot.” 

The cybersecurity moonshot refers to a report the president’s National Security Telecommunications Advisory Committee approved at the end of 2018 outlining an ambitious plan for making the internet safe and secure within a decade. 

The initiative was supposed to evoke the inspiration of the 1960’s effort that landed Americans on the moon, with a big part of the plan calling for President Trump to make a major announcement akin to President John F. Kennedy’s before a special session of Congress. That never happened, and neither did the institutional infrastructure the report recommended establishing in order to mobilize the astronomical levels of investment the report recommends.

But the president’s advisers—leaders of the information and communications technology industry—have said from the beginning they wouldn’t let the initiative become just another report on the NSTAC shelf. They are now working directly with Congress to establish cyber grand challenges, a key feature of the report.

After the panel discussion, Davis told Nextgov Senate Commerce Committee leadership has drafted legislation to support the effort.

Another industry source familiar with the work, though not authorized to speak on it, said the draft, unsurprisingly, empowers the Secretary of Commerce “to lead and execute the cyber grand challenges,” in conjunction with the Department of Homeland Security and other relevant departments and agencies. 

Panelists said they are still working out the details of what the reward for winning the grand challenge, or challenges, will be, but Willke told reporters, “someone’s gonna get a prize somehow.”

He referred to the President’s Cup model for cyber workforce development—federal workers can win as much as $25,000 in challenges— but said his sense was that it’s not about the money.

“We haven’t heard that the monetary prize is the real net incentive here,” Willke said. “I think there are things like being able to take a victory lap on things like getting ransomware off the map.”

The panelists said the competition was about democratizing input for solutions and giving nontraditional stakeholders a voice. They cited the case of a wedding dress designer, responding to a similar grand challenge, who answered the call to design a hazmat suit that could withstand extreme temperatures and allow for social interactions during the Ebola crisis, for example. 

The panelists said cyber moonshot proponents have spent 2019 “socializing” the idea of the grand challenges through a series of workshops, with two potential categories emerging for 2020: raising awareness and changing the economics of cybersecurity.

Willke elaborated a little on the second.

“It sounds simple to convene partners to do the right thing, but look what's happening a couple floors down,” he said, referring to the exhibition floor full of cybersecurity vendors. 

“Trying to convene people who on the surface level are trying to compete for the same mind share, the same scarce resources,” is anything but simple, he said.