The massive increase of online interaction, both public and private, caused by the coronavirus pandemic inevitably increases cyber risk. That’s why the recent report to Congress by the Cyberspace Solarium Commission is especially timely. Established at the direction of Congress, the commission has provided a comprehensive look at the cybersecurity challenges our nation faces, and called for numerous actions and strategy changes.
Many of the report’s roughly 75 recommendations for how the United States can better protect and defend against cyberattacks are worthy of consideration. But this laundry list may be too much to handle, as the administration and Congress will likely be able to address only a few recommendations this year that could help mitigate the pandemic’s impacts vis-à-vis cybersecurity. Some of the more complex and contentious issues could instead be discussed after the coronavirus crisis has eased, as we work to stabilize the economy and develop a cybersecurity road map for the future.
Following are some specific commission recommendations that caught my eye regarding more effective cyber threat information sharing and response, improving the executive and legislative branches’ ability to handle cyber policy issues, and a possible new strategic approach for cyber deterrence.
Cyber threat information sharing
Current cyber threat information sharing initiatives are not effective for many organizations. They may not have access to participate in threat sharing, the cyber threat data primarily goes in one direction (from industry to the government), and the data that is shared with industry often isn’t relevant or it takes too much time to determine if it is relevant enough to take appropriate action. These problems could be targeted as Congress fleshes out the details on the commission’s recommendation to establish and fund a Joint Collaborative Environment.
The commission describes this proposal as creating a common and interoperable cloud-based environment for the sharing and fusing of threat information, insight, and other relevant data across the federal government and between the public and private sectors. Paired with another commission proposal for a Cyber Response and Recovery Fund, this could provide more effective preventive actions and mitigation. Many organizations will be struggling financially for months or longer as a result of the pandemic, and these initiatives could help them. If Congress agrees, it could fund them through upcoming economic stabilization legislation.
Cyber policy recommendations
In addition, the commission made several cybersecurity policy recommendations that could be beneficial from a long-term governing perspective, and Congress could act on them sometime later this year or next. These include:
- Further empowering and defining the mission of DHS’ Cybersecurity and Infrastructure Security Agency (CISA). This agency has been in flux, and legislative direction could help it better determine and focus on its responsibilities for managing cyber risks to critical infrastructure.
- Creating a Senate-confirmed national cyber director post within the White House, and select cybersecurity committees in the House and Senate. This would provide greater coordination of cybersecurity policy and a clear point of contact for advising the President, and give more focused congressional attention to cybersecurity matters.
- Supporting initiatives to diversify and strengthen the federal cyber workforce. This is a long-standing need, as the government must attract the best cyber defenders and warriors to face the threats posed by nation-state and other adversaries. The commission’s recommendations should be part of that discussion.
- Clarifying the cyber capabilities and strengthening the interoperability of the National Guard. This would help the Guard’s efforts in support of U.S. Cyber Command and in dealing with cybersecurity challenges within their respective states.
Layered cyber deterrence
Finally, the report says the government and private sector “must defend themselves and strike back with speed and agility” against cyber attacks, but it also acknowledges that “this is difficult because the government is not optimized to be quick or agile.” That’s why the commission’s recommendation of a “layered cyber deterrence” strategy must be taken seriously. The commission believes the layered deterrence strategy combines “enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies.” Many current cybersecurity technology strategies are dated and largely ineffective, and we can’t keep doing the same things and expect different results. We need to shift the focus to more automated and agile respond-and-recover strategies. The congressional Armed Services Committees should give this idea serious thought.
The commission’s report is a solid compilation of cybersecurity objectives, with a comprehensive list of recommended policies to achieve them. But there have been other similar reports in the past, which have largely sat on the shelf. What’s different about this one?
Simple. Congress asked for this report, it was objective and non-partisan, initial congressional reaction (before the pandemic took center stage) was positive, and about one-third of its recommendations can be swiftly implemented by the Administration without legislation. And for the other recommendations, the commission has taken a stab at drafting legislative language for Congress to work with, and some of them could be considered in the context of the annual National Defense Authorization Act or other upcoming bills. Given how Congress’s legislative window will be stretched thin in the months ahead, this could give the proposals a head start in the process.
The Cyberspace Solarium Commission’s recommendations could be helpful in dealing with problems caused by how we are operating during the coronavirus pandemic, and could serve as a road map for future actions to improve how government deals with cybersecurity issues. It shouldn’t get put on a shelf and forgotten like past reports.
Robert DuPree is manager of government affairs at Telos Corporation. He is responsible for monitoring, analyzing and reporting on legislative and political developments in the U.S. Congress and the executive branch that might impact operations and future planning, particularly with respect to the federal budget, appropriations process, national defense and cybersecurity.