IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cyberspace Solarium Commission Reports on Recent Progress

CSC officials said the U.S. has, is close to, or is on track to implement 75 percent of the recommendations it published in March 2020 for protecting the nation from significant cyber attacks.

LauraBate-.png
The Cyberspace Solarium Commission announced an update regarding progress on adopting its recommendations.
The federal government has implemented 22 percent of the recommendations outlined by the Cyberspace Solarium Commission (CSC) in its March 2020 report. Another 57 percent of the 82 recommended measures are either close to enactment or “on track,” according an annual update the CSC presented today. The CSC’s report sought to provide advise on how to protect the U.S. from hard-hitting cyber attacks.

Getting traction on 75 percent of the goals is promising progress, said CSC senior director Laura Bate, during the Aug. 12 webinar. Members particularly praised the creation of a national cyber director and recent moves to strengthen the Cybersecurity and Infrastructure Security Agency (CISA).

The annual progress report also celebrates the fact that initiatives to develop a continuity of the economy plan and Joint Cyber Planning Office were included in the FY21 National Defense Authorization Act (NDAA), a bill that authorizes Department of Defense spending.

But the achievements still leave other important goals unfulfilled, including measures intended to better deter international cyber attacks and prompt the private sector to improve its defenses, said several members during the webinar.

Bate also cautioned that there is a difference between fulfilling the letter and the spirit of the CSC’s recommendations.

“Progress in implementing those recommendations is not the same thing as progress in improving American cybersecurity,” she said. “What we have outlined here in this report is a good beginning, but it will take sustained attention, investment and collaboration to make a potential benefit to cybersecurity itself real.”

Some recommendations seemed to advance initially and then stall, with the federal government authorizing but not funding them. One example is the Cybersecurity Education Training Assistance Program (CETAP) grant, which supports K-12 cybersecurity education. The FY21 NDAA authorized CETAP, but President Biden’s FY22 budget request proposal did not include money for it, the report states. The federal budget remains to be finalized, however, leaving some questions open about what funding allotments will ultimately be.

The cybersecurity landscape is also rapidly changing — in some cases with positive surprises. CISA’s recent creation of a Joint Cyber Defense Collaborative occurred in the time between the CSC update report’s completion and its presentation, Bate noted.

CYBER INSURANCE


One of the next key areas that should be addressed is the cyber insurance market, according to CSC senior director Robert Morgus, who said that insurers can play an important role in influencing private companies’ cyber behaviors.

Insurers have been struggling to determine how to price cyber coverage in ways that turn profit without blocking out too many clients. Limited historical data and fast-evolving threats have left many insurers uncertain about how to assess the level of risk their clients represent.

Morgus said that the CSC’s long-desired Bureau of Cyber Statistics, if established, could help provide that data to inform insurers’ risk models and pricing decisions. Other unfilled recommendations would also support the space by creating more training and certification offerings for cyber insurance underwriters and claims adjusters.

Policy questions are one challenge standing in the way of creating such a bureau, Morgus noted. Legislators still need to determine which department would house the entity, where it would source its data and the full extent of its responsibilities.

INTERNATIONAL SCENE


Sen. Angus King, CSC co-chair, said the U.S. also needs to take more robust efforts toward shaping and collaborating in the international cyber scene.

Ransomware and other cyber attacks are often launched by international perpetrators, and it will take international coordination and strong action to reduce this threat, he said during pre-recorded remarks.

President Biden has made early moves, including warning Russia against attacking 16 critical infrastructure areas and, the CSC progress report notes, by establishing a cybersecurity working group with several other nations in March 2021.

But King said the U.S. must also outline clear deterrent strategies against those who violate its cyber rules and push to achieve internationally recognized cyber norms, which will ensure that those who break these standards for fair conduct will “be an international pariah, not just an opponent of the U.S.”

He also urged the U.S. to get more involved in global cyber industry so it will not miss the chance to influence the rules and standards shaping technology used worldwide - something other countries like China may be well positioned to do.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.