U.S. Cybersecurity Stance Shows (Some) Improvement: Report
Roughly 80 percent of the 82 recommendations in the U.S. Cyberspace Solarium Commission’s (CSC) March 2020 report, which were intended to fortify the nation’s cyber profile, are either already in effect, nearly completed or on track for adoption.
Chief among those suggestions was creating the position of national cyber director at the White House and strengthening the Department of Homeland Security’s cyber wing, the Cybersecurity and Infrastructure Security Agency (CISA). Both recommendations have been adopted, with Chris Inglis’ confirmation to the new post and new stewardship, staffing, funding and extended duties at CISA.
The CSC is composed of Congressional lawmakers, federal officials and industry leaders. It’s co-chaired by Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI).
U.S. Cyberspace Annual Report Findings
So far, progress in fulfilling the CSC’s recommendations stems from the “diligent efforts of cybersecurity and policy professionals in Congress, the executive branch, and beyond,” the group said in its 2021 Annual Report on Implementation, which tracks the Commission’s guidance in authorizing legislation, appropriations, executive orders, and other policy actions. Notable progress notwithstanding, much work remains to be done to meet the challenges ahead and best secure the nation’s assets from cyber attackers, particularly in the wake of the SolarWinds, Colonial Pipeline and JBS ransomware attacks, officials said.
“These changes are just beginning, and the threat remains every bit as real this year,” the report said. “As a country, we all—businesses, government, civil society, and individuals—need to act with more speed and agility when it comes to securing cyberspace. That means investing in enterprise cybersecurity before attacks happen, developing a clear cyber strategy, sharing threat information at the speed of data, ensuring that our teachers have the tools they need to kindle a spark of interest that will one day lead a student to a cyber job, and so much more.”
As a side note, such is the CSC’s influence that of the 77 cybersecurity articles in the $740 billion 2021 National Defense Authorization Act (NDAA), fully 27 were drawn from CSC’s recommendations in the initial report. Among the CSC’s recommendations included in the NDAA are:
- Codify Sector Risk Management Agencies.
- Establish a Continuity of the Economy plan.
- Establish a Joint Cyber Planning Office.
- Require a force structure assessment of the Cyber Mission Force.
Of note, included in President Biden’s $2 trillion infrastructure bill is the CSC-recommended Cyber Response and Recovery Fund.
U.S. Cybersecurity: Six Areas of Focus
As for the report itself, the Commission evaluates progress to implement its recommendations in six key areas, or what it calls pillars:
- Reform the U.S. government’s structure and organization for cyberspace. Of 11 recommendations in that section, eight have been implemented, are nearing implementation or are on track for adoption.
- Strengthen norms and non-military tools. Of the eight in that section, six are in, almost in or close.
- Promote national resilience. Of the 15 in that pillar, 12 are done, nearly done or still cooking.
- Reshape the cyber ecosystem toward greater security. Of those 22, 18 are either done, almost done or soon to be done.
- Operationalize cybersecurity collaboration with the private sector. Of the 12 recommendations, only one–pass a national cyber incident reporting law–isn’t close, although legislation has been proposed and Inglis and CISA Director Jen Easterly support it.
- Preserve and employ the military instrument of power. Of those 14 recommendations, four have seen no movement ahead.
Co-chair King said that the U.S. must be “clear-eyed” about what’s not working to determine “where we go next in cybersecurity.” Although many of the remaining recommendations won’t be easy to adopt, “we need to keep climbing to get them done,” he said. “This has been an extraordinarily successful project so far if we implement all of the recommendations that have now been put into law,” said King. “Our job now is to be sure that we keep after…all those others who are on the front lines and give them the support and the authorities that they need to protect the country.”
U.S. Cyberspace Solarium Commission: February 2021 Guidance
In February 2021, the CSC released new guidance to help the Biden Administration strengthen the nation’s cyber defense profile. The report, fittingly entitled Transition Book for the Incoming Biden Administration, features a road map containing possible early policy achievements, near-term priorities for action, and areas where the White House can work with Congress to promote a positive legislative agenda.
Since then, President Biden has taken multiple steps to strengthen and protect U.S. infrastructure from cyber attacks, and to improve communications and coordinated cyber response across the U.S. government and private industry. His efforts include an executive order on cybersecurity that could push IT service providers to further strengthen their cyber practices.