The Cyberspace Solarium Commission has seen more than three-quarters of its recommendations picked up for implementation. But with cyber threats to U.S. critical infrastructure on the rise, the four-year-old panel is pushing for renewed action on cybersecurity in the next administration and Congress.
The Cyber Solarium Commission 2.0, now housed at the Foundation for Defense of Democracies, issued its 2024 annual report today. Of the cyber solarium’s original 75 recommendations from March 2020, the report finds that 80% have either been implemented or are nearing implementation.
Some key recommendations to come to fruition include the establishment of a national cyber director at the White House; the passage of a national cyber incident reporting law; and the creation of a Bureau of Cyberspace and Digital Policy at the State Department.
But members of the cyber solarium say more action is needed in the years ahead to thwart threats like “Volt Typhoon” and other intrusions into critical infrastructure.
“Having the threat named should help us in Congress and in the private sector come together now to really get that collaboration we need,” Mark Montgomery, executive director of the CSC 2.0, said during an event on Capitol Hill today.
The cyber solarium’s top recommendation is to identify both the “benefits and burdens” of so-called “systemically important entities.” The Cybersecurity and Infrastructure Security Agency is already identifying those critical infrastructure organizations that qualify as an “SIE” due to their importance to critical U.S. systems.
But the commission argues the government should also identify minimum cybersecurity requirements, as well as information-sharing benefits, for those organizations deemed an “SIE.”
“What do those entities have to do to maintain a certain level of cybersecurity to deter the adversary?” Montgomery explained. “And then what do we as a government do? What information do we need to share? How fast can we get them threat information?”
Sen. Angus King (I-Maine), one of the co-chairmen of the original commission, highlighted the recommendation to develop a strong Continuity of the Economy (COTE) plan in the event of a major cyber disruption.
“How do we react if the worst happens? And if you don’t have a plan, it’s going to be chaos,” King said. “And so I think that’s incredibly important.”
Tom Fanning, CEO of Southern Company and an original Solarium commissioner, highlighted another priority recommendation for CISA to strengthen its nascent “Joint Collaborative Environment” (JCE).
The commission is recommending that the JCE serve as an “advanced integrative platform that would facilitate real-time sharing and analysis of cyber threat intelligence among government agencies, private sector entities, and international partners.”
Fanning said the JCE will help underpin the other work CISA and the federal government do with private critical infrastructure, especially during a major cyber event.
“It can’t be phone a friend during a time of crisis,” Fanning said. “We have to set something up.”
Challenges in cybersecurity legislation and governance
Montgomery said he’s optimistic about the outlook for cyber policy in the executive branch, regardless of who wins the presidential election. But he’s more concerned about the potential for an ineffective Congress.
“You can have a bipartisan issue in a nonfunctional Congress, and it’s hard to get things done,” Montgomery said.
He also said the National Defense Authorization Act has been a less effective vehicle for passing cyber policy since the House adopted more restrictive rules around the NDAA two years ago.
“House and Senate leadership understand that cybersecurity is not antisubmarine warfare, air defense, tank warfare,” Montgomery said. “It is a national security issue that stretches across multiple committees of jurisdiction, but still requires the NDAA to give it that persistent annual update.”
Still, many of the cyber solarium’s outstanding recommendations, the 2024 report finds, are either “on track” or “progress limited/delayed.”
Ironically for a congressionally created commission, the only recommendation that “faces significant barriers to implementation” is a congressional action: the creation of House Permanent Select and Senate Select Committees on Cybersecurity.
“You know where that went? Nowhere,” King said. “You’ve got so many committees that have pieces of this jurisdiction.”
© 2024 Federal News Network. All rights reserved.