Cyber Commission Will Recommend Creation of a Response and Recovery Fund

A major thrust of a congressionally mandated commission will be to make federal funding available for entities reacting to a cyberattack.

At least two recommendations in the Cyberspace Solarium Commission’s long-awaited report will center on “giving the executive branch the authority to declare a cyber state of distress which would then unlock access to a cyber response and recovery fund,” according to Rep. Mike Gallagher, R-Wisc., a co-chair of the commission.

Gallagher spoke with other members of the commission—CEO of Southern Company Tom Fanning, and Samantha Ravich, chairman of the Foundation for the Defense of Democracy’s Center on Cyber and Technology Innovation—at an FDD event today previewing the commission’s 75 recommendations, set for release March 11.

Made up of Republican, Democrat, and Independent members of the House and Senate, as well as the executive branch and private individuals, the commission is seen as having the ability to insert legislative language into the must-pass National Defense Authorization Act that represents a broad consensus. 

Mark Montgomery, the executive director of the commission, told Nextgov the cyber response and recovery fund would be similar to the one currently controlled by the Federal Emergency Management Agency for response to natural disasters. He said exact funding levels would be determined through the appropriations process.

“If there were a no-kidding, catastrophic cyberattack, where there was physical disruption, potentially death, you can imagine a president invoking the emergency authorities that he has in order to unlock a lot of funding and things like that,” Gallagher said. “However, there's a lot going on right now in between that and nothing, for which you might need an in-between authority to unlock additional funding.”

The fund would “try to get at that gap,” Gallagher said, noting, if an election were “hacked and a state election authority needed access to the national guard or something else,” there’s no clear suggestion right now that they would be reimbursed.

“This new mechanism,” he said, “would allow states, local, tribal and territorial governments access to enhanced federal expertise and resources that they currently don't have right now.”

Resources would also flow to private-sector owners of critical infrastructure. 

Fanning, often praised by various government officials for his robust engagement, said the most important thing the commission does is attempt to change the dynamic between the private and public sectors into one that’s more collaborative. 

“You just can't send a crew up to go fix an energy management system,” he told Nextgov when asked about the fund. “The computer systems are so different, clearances are so different, you just can't do it the same way, and you've got to be very careful about thinking about priorities when you start sending scarce resources to help fix a problem.” 

“I think the report will come out right in the right spot with respect to financial support to make sure that happens the right way,” he said. 

Ravich added: “Until this point in time there's been a disconnect between what the government, how they think about the threat and how to prioritize what needs to be done about it, and how the private sector is battling its way in this battlespace with, frankly, not all the tools it needs to be able to protect itself and the citizenry.”