Just how much progress has the U.S. made to improve its cybersecurity defenses, programs and policies in the last two years? The Cyberspace Solarium Commission (CSC) 2.0’s annual report answers the question.
Of the dozens of recommendations the CSC initially submitted two years ago, some 85% either have been implemented, nearing implementation or on track for completion, the CSC’s report concluded.
A Closer Look at Cyberspace Solarium Commission 2.0
The CSC was formed in 2019 and composed of Congressional members, former government officials and private sector executives tasked with forming a strategy to defend the nation against cyber attacks. The latest report, published by the Cyberspace Solarium Commission 2.0, chronicles the progress of more than 100 projects federal government agencies have undertaken based on the CSC’s recommendations. Over the course of three years, the has CSC developed 116 recommendations in total.
The original report in March 2020 had 82 recommendations. Of that number, nearly 60% are fully implemented or nearing implementation, and more than 25% are on track to implementation. Of the remainder, 3% face “significant barriers” and 12% have made only limited progress.
The CSC’s initial recommendations in 2020 called for:
- A new national cyber director to function as the president’s chief cybersecurity advisor
- A Department of Defense conducted assessment of the nation’s vulnerability to hacks of its nuclear control systems
- A new Bureau of Cybersecurity and Emerging Technologies run by an assistant secretary of state tasked with developing and reinforcing “international norms” in cyberspace
Federal Government's Cybersecurity Accomplishments
Some of the key issues that have been addressed either by legislation or executive appointment, include:
- Congress passed the Cyber Incident Reporting Act, which requires critical infrastructure companies to report cyberattacks and ransomware incidents.
- Lawmakers have increased funding for government cybersecurity efforts for the Cybersecurity and Infrastructure Security Agency (CISA) whose budget has grown by more than 25% from $2 billion for FY20 to $2.59 billion for FY22 appropriation.
- The White House now has a national cyber director to lead the coordination of cybersecurity strategy and policy implementation across the government.
- The State Department has a bureau and an ambassador charged with leading America’s international engagement on cyberspace challenges.
- The executive branch has established the Joint Cyber Defense Collaborative at CISA.
Pillars of Cyber Protection
The CSC’s March 2020 report presents the progress of 82 recommendations towards implementation separated into six thematic pillars:
- Pillar 1. Reform the U.S. Government’s Structure and Organization for Cyberspace. Eleven recommendations: 3 implemented, 4 nearing completion, 3 on track, 1 significant barriers.
- Pillar 2. Strengthen Norms and Non-military Tools. Eight recommendations: Two implemented, 4 nearing completion, 2 on track.
- Pillar 3. Promote National Resilience. Fifteen recommendations: 4 implemented, 4 nearing completion, 3 on track, 4 progress delayed, .
- Pillar 4. Reshape the Cyber Ecosystem Toward Greater Security. Twenty-two recommendations: Four implemented, 6 nearing completion, 8 on track, 3 progress delayed, 1 significant barriers.
- Pillar 5. Operationalize Cybersecurity Collaboration With the Private Sector. Twelve recommendations: 6 implemented, 1 nearing completion, 3 on track, 2 progress delayed.
- Pillar 6. Preserve and Employ the Military Instrument of Power. Fourteen recommendations: 6 implemented, 4 nearing completion, 3 on track, 1 progress delayed.
While significant overall progress, “implementation is not the same as success,” co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI) write in the report:
“Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape. Even as we issue this progress report, we know that assessing implementation is not enough. We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail protecting our national cybersecurity.”