A bipartisan commission that unveiled its plan to reduce the risk of a devastating cyberattack on the scale of the September 11, 2001, terror attacks should be worried about another threat: Washington.
Those who worked on the government response to 9/11 predict that today's policymakers aren't ready to take on ambitious changes - and there's no sense of urgency with the public fixated on other crises, from the coronavirus pandemic to the economy.
This could be a huge challenge for the Cyberspace Solarium Commission, which seeks to shore up potential government and intelligence blind spots to avert a mass casualty attack before it happens.
"I don't want to say they can't get the job done, but we had things going for us that they don't that made our job much easier," former congressman Lee Hamilton, D-Ind., who co-chaired the 9/11 Commission, said. "The whole country's attention was turned to the events of 9/11 and the response to it. . . . Cybersecurity is a very important issue, but they won't have that public focus."
Michael Chertoff, the second director of the Department of Homeland Security, which was created in the wake of the 9/11 attacks, warned that "there's always more impetus when you've experienced a disastrous event."
The comments reflect a struggle that has dogged cybersecurity advocates for years. A major cyberattack targeting parts of the electrical grid or transportation systems could be devastating for the nation, but it's tough to focus money and energy on a threat that hasn't happened yet.
Major digital attacks that have occurred, meanwhile, such as Russian efforts to upend the 2016 election and Chinese-linked theft of U.S. security clearance information, have prompted limited changes that don't address the full scope of the dangers.
"After 9/11 we learned a lot about warning signals that weren't spotted," Sen. Angus King, I-Maine, co-chair of the Solarium Commission along with Rep. Mike Gallagher, R-Wis., said. "In this case, the signals are gigantic neon signs. This is the longest windup for a punch in the history of the world. We know it's coming but we just don't know how or when."
Solarium commissioners have struggled to implement the boldest changes among their dozens of recommendations.
The most prominent of those is creating a new White House czar to oversee cybersecurity policy across the government. Rep. Jim Langevin, D-R.I., a Solarium Commission member, introduced a bipartisan House bill that would create the position. But a Senate version is stalled, largely because of White House opposition.
Another top recommendation would streamline the dozens of congressional committees and subcommittees that deal with cybersecurity to just one committee each in the House and Senate. That could be nearly impossible to implement because of congressional turf battles, officials who worked on the 9/11 response predicted.
Indeed, despite years of efforts, DHS's anti-terrorism work is similarly overseen by numerous congressional panels.
"At DHS we continually begged Congress to reduce the number of committees that had jurisdiction over the department, and that [begging] continues to happen and it continues to not be successful," the first DHS secretary and former Republican governor Tom Ridge told me.
Commissioners have had better success with smaller recommendations.
Several of those may be included in a major defense policy bill that is working its way through Congress.
They include beefing up the role of the Department of Homeland Security's top cybersecurity official and requiring cybersecurity risk assessments from publicly traded companies.
The Solarium Commission was based on an Eisenhower-era commission focused on how best to counter the Soviet Union. In addition to lawmakers, its members include top industry executives and former government officials who've been stumping for the report's recommendations since its March release.
The commission's efforts are also challenged because cybersecurity is, in many ways, a far more complex problem than terrorism.
Within government, cybersecurity responsibilities are spread across dozens of agencies, including the defense, homeland security, commerce and state departments. And any one of dozens of U.S. industries could be the target for a devastating cyberattack, including finance, energy, telecommunications and health care.
"There's some analogy to 9/11 but the scope of what you're dealing with with cyberthreats is much more comprehensive," Chertoff said. "There are many more kinds of harm that can occur in cyberspace and it requires a much more integrated approach."
Commissioners may be helped, though, by the sense of urgency created by the coronavirus pandemic.
The pandemic began upending American life and prompting quarantine orders just weeks after the Solarium report came out. But as government and the public struggle to manage the virus, it may drive home the importance of tackling big challenges before it's too late.
Commissioners also released an additional set of recommendations last month focused on new digital vulnerabilities created by the pandemic, including a large share of the nation working from home.
"One serious lesson out of the pandemic is the importance of having a plan in advance," Chertoff said.
Hacking has also become so pervasive that it could prompt government to take the issue more seriously.
"All the actions I've taken over the years have been to prevent a cyber 9/11 from happening," Langevin, a co-founder of the Congressional Cybersecurity Caucus, told me. "I felt like a lone voice in the wilderness initially, but people's awareness has been raised. Ask anyone who's had their credit card numbers or medical records stolen, and they understand this is an issue."
The pervasiveness of cybersecurity also separates it from the pre-9/11 era when terrorism wasn't top of mind for most Americans.
"One observation from the 9/11 Commission that's embedded in my head is when they talked about a failure of imagination," Ridge said. "This [Solarium Commission] report is saying that based on everything we know we can't plead surprise anymore. And before we have a cataclysmic cyber event we'd better get our act together."
The Washington Post