Since the Cyber Solarium Commission (CSC) first released its watershed recommendations for the government to overhaul its cybersecurity strategy in 2020, more than half (60 percent) of these recommendations have now been fully implemented or are nearing implementation, according to a new progress report released this week.
The annual implementation report points to significant developments made by the U.S. government as it overhauls the procedures and resources needed to tackle ongoing cybersecurity challenges. In a Wednesday briefing, Sen. Angus King (I-Maine), co-chair of CSC 2.0 (a project charged with continuing the work of the CSC), said he felt the government had certainly made progress over the past five years, pointing beyond the implementation of recommendations to a “much higher level of understanding of how urgent this problem is in Congress.”
“I do think we’re better off on a number of levels, in part because of the implementation of a number of these recommendations; for example the creation of the National Cyber Director, the development of a national cyber strategy… the development of a Bureau of Cyber in the Department of State, so a lot of progress,” said King during the event, “Assessing America’s Cyber Resiliency,” hosted by CSC 2.0 and the Foundation for Defense of Democracies (FDD).
The U.S. Cyberspace Solarium Commission (CSC) was created by Congress in the 2019 National Defense Authorization act to make recommendations for how the U.S. should approach its cybersecurity strategy. While Congress had directed the CSC to be sunset at the end of 2021, the commissioners upheld the work under the CSC 2.0 project in order to continually monitor and assess the implementation of different recommendations.
In an original report in March 2020, the commission made 82 recommendations for the government, which revolved around reforming the government’s structure and organization as it relates to its cybersecurity strategy, operationalizing federal collaboration with the private sector and more. Almost 60 percent of these recommendations are now fully implemented or nearing implementation, and more than 25 percent are on track to implementation, according to the Wednesday report.
The annual report referred to several significant changes made at the government level for cybersecurity, including critical legislation - like the Cyber Incident Reporting Act - becoming law. The level of funding for government cybersecurity efforts has also increased, especially for the Cybersecurity and Infrastructure Security Agency (CISA), with funding climbing 25 percent in Fiscal Year 2022.
“The reality is this is a problem that’s not going to go away and that will get worse."
Another win was the implementation of the National Cyber Director (NCD) to spearhead the charge on coordinating security efforts and strategy across government agencies. King said there will still be tensions around who is in charge of what when it comes to cybersecurity across different agencies, but director Chris Inglis has made key relationships with CISA and other agencies, as well as several measures to tackle challenges in the cyber workforce.
“The best sign of success was the fact that the president gave Chris [Inglis] the pen on writing the new cyber strategy, which will be done in a matter of weeks or months,” said King. “It wasn’t easy to get the White House to accept this new position, but it happened. That’s an indication that this office is having an impact.”
While many recommendations are listed as being "on track," some have faced roadblocks in their implementation. One recommendation that King said remains “unfinished business” is the codification of a proposal for “Systemically Important Critical Infrastructure,” which would help identify U.S. critical systems, give them special federal government security support and increase the responsibility needed for additional security requirements. However, the proposal has been met with private sector pushback, particularly from the software and banking industries, with organizations in these sectors saying they are already awash in regulation.
“We’re trying to strike that balance between the federal government saying ‘hey, private sector we need everyone in the C-Suite to understand why cyber is important, but we also don’t want to get the regulatory framework wrong,’” said Rep. Mike Gallagher (R-Wis.), co-chair of CSC 2.0, on Wednesday.
Other hurdles have existed in progressing the Bureau of Cyber Statistics, a provision introduced as part of the Defense of United States Infrastructure Act that would establish an agency for collecting and analyzing data related to cyber incidents and cybercrime, and sharing that data with federal agencies, the private sector and the public.
While the 2020 report had 82 recommendations, that number has since increased to 116. King said that while progress has been made, incidents like the Colonial Pipeline hack serve as “periodic reminders” that work is far from over in the implementation and evaluation of recommendations for shaping the government’s security strategy.
“The reality is this is a problem that’s not going to go away and that will get worse,” said King. “There’s plenty left to do, and there’s always a danger of relaxing and saying we’ve done all these things.”