[Pages S3927-S3928]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                  NATIONAL DEFENSE AUTHORIZATION BILL

  Mr. SASSE. Mr. President, I rise to draw attention to one 
particularly important element of the National Defense Authorization 
Act, which sits before this body.
  First, it is worth noting that--despite the bizarre dysfunction of 
the last couple of days around here--the NDAA is usually a time each 
year when the Senate looks like an actual deliberative body. We look 
like an actual legislature.
  Most of the typical bickering and made-for-TV sound bites get set 
aside this week or two every year as we focus on the first purpose of 
the Federal Government, which is to provide for the common defense.
  The NDAA reveals our shared commitment to the men and women in 
uniform who serve our country so well. This legislation aims to 
scrutinize and annually reprioritize among the many important tasks 
that are going on in the Pentagon and in the broader Department of 
Defense.
  If we are going to call on the men and women in the armed services 
who defend our freedoms to stand ready to defend us and to go into 
battle when necessary, we must equip them with the right tools to be 
able to get their job done. That is what this legislation is about each 
year, but it is not enough to simply be about defending against 
traditional enemies and traditional threats. We also need to use this 
annual occasion to pause and deeply look at new and emerging threats we 
face.
  When you ask national security and intelligence experts in private 
and in public what keeps them up at night, as I do multiple times every 
week--I ask this question of people in the SCIF. You find something 
strange in this city. You have an agreement. Public and private sector 
experts, legislative and executive branch folks, career folks, 
political folks, whether Republican or Democratic, have widespread 
agreement that the long-term domain challenge we face is that America 
is woefully unprepared for the age of cyber war.
  Thirty years ago, when the digital age was still in its infancy and 
the first computer viruses and bugs were created, the United States did 
not have a cyber doctrine to defend our interests. That was 
understandable in 1986 because these were new threats. It doesn't make 
any sense in 2018, and yet it is still true. We don't really have any 
coherent doctrine to defend our interests. This is inexcusable.
  We are, today, overwhelmingly the most advanced digital economy and 
digital society in the world. Thus, we are, almost inevitably, the No. 
1 target globally for cyber crime, but our adversaries are attacking us 
not merely as targets of opportunity, they are also attacking us 
because they sense our passivity.
  State and nonstate actors alike are becoming regularly more brazen. 
Year over year, from 2012 to 2013, to 2014, to 2015, and to the 
present, we see this brazen action coming from China, Russia, Iran, 
North Korea, and lots of jihadi nonstate actors. Yet we still do not 
have a cyber doctrine to guide our planning process, we don't have a 
cyber doctrine to guide our actions, and we are unprepared for the 
warfare of 2020, 2025, and 2030.
  How can this be? How can we lack a strategic plan, not merely to 
respond to the attacks against U.S. public and private sector networks 
but also to go a step further and deter them in real time? Why do we 
lack this plan?
  Since joining this body in January of 2015, alongside the Presiding 
Officer, I have pushed for a strategic plan that clearly articulates 
how we will defend ourselves against the new threats in this cyber 
space. Unfortunately, this call has fallen on deaf ears in both the 
legislature and the executive branch, both Democratic and Republican 
administrations. There is far too little urgency. When you speak with 
generals, when you speak with CIA station chiefs around the world, 
nobody disputes this. Everyone knows we are unprepared, and we are 
underinvested in this domain. Yet no one is really in charge.
  Fortunately, we are taking a major step in this NDAA to address this 
deficit in our war planning. While no one piece of legislation and no 
single proposal can possibly address all of our cyber deficits, there 
is, nonetheless, some very good news in this NDAA for both the public 
as a whole and those of us who are losing sleep about our cyber 
underpreparedness.
  The legislation we are debating today, and will vote on in some form 
tomorrow, includes a proposal to bring American national security into 
the 21st century by establishing a Cyberspace Solarium Commission. This 
Commission is modeled after President Dwight Eisenhower's 1953 Project 
Solarium. At that time, as the Soviet Union was on the cusp of 
achieving a devastating thermonuclear weapon, Ike recognized that our 
Nation needed a clear strategy. We needed to be able to defend 
ourselves and our allies against the expanding Soviet threat. This is 
where both the historian and the strategist in me gets excited.
  Never one to lack a plan, Eisenhower sequestered three different 
teams of experts at the National War College for 6 weeks. He tasked 
them with articulating a menu of large-scale, strategic frameworks for 
the age of nuclear confrontation. The result of Ike's competitive 
effort was a new national security directive, NSC 162/2, that charted a 
course that would successfully guide U.S. policy and bureaucratic 
development over many decades of the Cold War.
  We desperately need similar strategic clarity today. The threats to 
American security are actually even more dynamic and unpredictable than 
in those early years of the Cold War. Then there were giant 
technological and scale barriers to becoming a nuclear power; whereas, 
today, launching a cyber attack that has global reach requires only 
some coding capability, a laptop, and an internet connection.

[[Page S3928]]

  This new group, the Cyberspace Solarium Commission, will be made up 
of 13 members, putting cyber and national security experts, along with 
many Silicon Valley types, in the same room to debate, to think 
through, and to propose a comprehensive path forward to guide our cyber 
policy.
  One of the reasons Ike's Solarium Commission worked so well was 
because there was urgency and focus. Under this Cyberspace Solarium 
Commission, there will be a deadline for the delivery of a 
comprehensive plan with blue sky freedom to reenvision all current 
bureaucracies and organizations across our cyber plan and response 
units within 1 year.
  By September 1, 2019, this Commission would be delivering to both the 
President's Cabinet and to the defense and intelligence committees of 
the Congress a comprehensive plan to guide cyber security policymaking 
going forward.
  We cannot continue to stand idly by waiting for a massive cyber 
attack to occur and then figure out how we will use that as a catalyst 
to begin future planning. We should be planning and prioritizing before 
the crisis. For 30 years, we haven't yet developed or committed to a 
serious strategy. Now is the time to act, and this NDAA represents one 
of the best innovations we have had; that we can set up this national 
Cyberspace Solarium Commission to report back, within 1 year, a 
comprehensive plan.
  Thank you.

                          ____________________