Dive Brief:
- The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday. But more work is still required to shore up additional efforts related to critical infrastructure and economic security.
- Among the key remaining priorities is a push to identify the "minimum security burdens" of critical infrastructure entities that have a "disproportionate impact on U.S. national security," the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
- The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.
Dive Insight:
The report comes at a critical time for the federal government. The Biden administration has already begun to roll out the initial phase of the national cybersecurity strategy. The initial plans have focused on strengthening key sectors, including schools, water utilities and healthcare.
Sen. Angus King, speaking at a panel discussion in Washington, D.C., last week, said a major focus of CSC 2.0 has been to strengthen the level of collaboration between the government and the private sector.
The vast majority of the nation’s critical infrastructure is owned or controlled by the private sector, and in order for the U.S. to be able to collect and share critical threat information, it needs to gain the trust of industry stakeholders.
King said accomplishing that is a top priority, but he recognized that getting the private sector to fully trust government authorities would not be an easy accomplishment.
“And what we’re trying to do is something that’s somewhat against history,” said King, co-chair of CSC 2.0. “We’re trying to get the private sector to trust the U.S. government.”
King noted there were similar tensions during the early years of the Cybersecurity and Infrastructure Security Agency, when state officials did not trust the agency.
Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Technologies, emphasized the need to set priorities on which entities are the most systemically important, like key ports and transportation systems, and to boost their resilience.
“It’s good to fix the entire cyber ecosystem, that would be fantastic, but that’s like boiling the ocean,” Montgomery said.
The report notes that other important work still remains. For example, discussions with various stakeholders have begun on a potential federal backstop for catastrophic cyber insurance. White House and U.S. Treasury officials told Cybersecurity Dive earlier this month they were working on a plan to address catastrophic risk