Cyberspace Solarium Commission Offers Progress Assessment
Report: Government Making Cybersecurity Progress, But More Work Needs to Be Done
While the U.S. government is making strides in improving the nation's cybersecurity, it needs to do more to protect critical infrastructure from attacks and create public-private partnerships to improve national security, the Cyberspace Solarium Commission notes in a report published Thursday.
The report is designed to track the progress the federal government has made in implementing the 82 recommendations the commission issued in March 2020, when it published its initial report on improving the nation's cybersecurity.
While the commission notes that several major steps, such as the creation of the position of national cyber director within the White House, have been taken, it points to several critical areas in which Congress and the federal government still have plenty of work to do.
The to-do list includes codifying the concept of "systemically important critical infrastructure" in federal law so it can be prioritized for protection, creating public-private partnerships to share threat intelligence and passing laws, such as the Cyber Diplomacy Act, that would establish a cyber-focused office within the U.S. State Department.
"The commission … recognizes that in order to determine where we go next in cybersecurity, we must be clear-eyed about what is not working," Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., who served as co-chairs of the commission, write in the report's introduction.
"And we understand that many of the remaining recommendations are not low-hanging fruit; we need to keep climbing to get many of them done. Many critical recommendations are not implemented yet, but that does not mean we intend to write them off as a loss and move on."
Gallagher said that the commission's goal was to create an overall strategic cybersecurity vision for the U.S., and recent cyber incidents, such as several large-scale ransomware attacks, demonstrate the need for an overall security plan for the nation.
Of the 82 recommendations that the commission published in its initial report, about 22% have been implemented, while another 13% are near implementation and 44% are on track to be implemented, according to the new report. The report also notes that about 16% of the recommendations have only seen limited progress, while about 5% are categorized as having "significant barriers" to implementation.
In assessing the progress made over the last 18 months, the report says that establishing the national cyber director position was one of the significant achievements during that time. In June, the Senate approved John "Chris" Inglis, who also served on the commission, to fill this role.
The report also notes that another major area of progress was strengthening and improving the mission of the U.S. Cybersecurity and Infrastructure Security Agency. For example, provisions in the 2021 National Defense Authorization Act spell out qualifications for the job of CISA director and require that CISA conduct threat hunting exercises on federal networks (see: Defense Funding Measure Includes 77 Cybersecurity Provisions).
CISA Improvements Critical
While the establishment of the national cyber director's position is important, Phil Reitinger, the president and CEO of the Global Cyber Alliance, says the CISA improvements offer more concrete means of improving the nation's cybersecurity.
"The most important result of the Solarium report is strengthening the authorities of CISA, including subpoena power and threat hunting. Now those powers need to be matched with budgetary upgrades so CISA continues to develop the capabilities to match the threat," says Reitinger, who formerly served as the director of the National Cyber Security Center within the Department of Homeland Security.
The report also notes the White House has made progress on developing a national cyber strategy, which was another major recommendation of the commission. President Joe Biden's executive order on cybersecurity and other measures show that this strategy is in development, the report notes.
"The consequences of the SolarWinds compromise continue to unfold, even as major vulnerabilities are exploited in Microsoft Exchange servers and as ransomware usage explodes, shutting down major critical infrastructure," the report states. "The administration should be commended for responding to these exigent circumstances - a monumental task - and progress in the response is evident in the May 12, 2021, executive order on improving the nation's cybersecurity."
The new report also notes that legislation that would help implement other recommendations in the commission's report is pending in Congress. That includes the Cyber Diplomacy Act, which was approved in the House earlier this year but awaits passage in the Senate.
"One of the leading recommendations of the Cyberspace Solarium Commission was the recognition that cyber operations lie in the gray zone of international conflict, and we want to have a person at the State Department with a bureau underneath that person that will help us to have a strong presence on the international stage," Rep. Jim Langevin, D-R.I., who helped draft the legislation, previously told Information Security Media Group (see: Government Cybersecurity Summit: A Preview).
While the commission report estimates that about 75% of all recommendations have either been implemented or will be implemented, there are several areas in which little or no progress has been made.
These include establishing permanent select committees on cybersecurity in the House and Senate as well as passing a national data security and privacy protection law. The report notes that both of these initiatives have significant barriers to being implemented.
The commission also states that more needs to be done to help codify a definition of systemically important critical infrastructure in federal law. The report finds that little progress has been made in this area, although legislation has been proposed. Earlier this month, King and other senators introduced the Defense of United States Infrastructure Act, which would address this issue.
"The commission expects to focus in the coming months on supporting a legislative proposal that would require the secretary of Homeland Security to define a process for designating entities as systemically important critical infrastructure, with coordination from sector risk management agencies and relevant regulatory authorities," the report notes. "Entities so designated would be subject to higher security standards; they would also receive increased intelligence and protection to prevent disruption or compromise."