The Biden administration is making headway with cybersecurity improvements, with 57% of the Cyberspace Solarium Commission's (CSC) recommendations on track or near complete implementation, according to the CSC's annual report, published Thursday.
The administration adopted 22% of the measures, such as incentivizing IT security via federal acquisitions regulations, requiring threat hunting on defense industrial base networks, and empowering appropriate agencies to serve subpoenas for threat and asset response.
As the federal government weeds through cybersecurity issues — some existing for years — the CSC is highlighting security challenges, showing potential paths toward success. And success in cybersecurity is seldom easily measured.
Some of the CSC's recommendations are up against major roadblocks to adoption, with implementation unlikely "without significant shifts in opinion from major stakeholders," the report said.
The government has been slow to clarify liability for federally directed mitigation and response, establish liability for final goods assemblers, and enact a federal data security and privacy protection law. "Implementation may not be possible without significant shifts in opinion from major stakeholders," the report said.
One of CSC's major accomplishments is the increased power given to the Cybersecurity and Infrastructure Security Agency (CISA). In the last year, CISA received $650 million as part of the American Rescue Plan Act and $35 million to invest in risk management as part of the Infrastructure Investment and Jobs Act (INVEST).
CSC's foundation
Established by the National Defense Authorization Act (NDAA) in FY2019, the CSC was established to help create a national strategic approach to cybersecurity and defense. The CSC worked from 2019 to 2020 and offered 82 original recommendations in the initial March 2020 report and published supplementary recommendations during the pandemic.
While the CSC worked with government and private industry stakeholders to develop its recommendations, it's ultimately up to governing bodies to implement the measures. One challenge the CSC has is measuring the effectiveness of its recommendations post implementation.
"One of the most important accomplishments" of the CSC was the establishment of a national cyber director (NCD) in the FY2021 NDAA, said Sen. Angus King, I-Maine, and co-chair of the CSC, during a CSC webcast Thursday. Chris Inglis was sworn in in June and the office was allocated $21 million in funding in last week's INVEST Act passed by the Senate.
"We've set up a vision for the national cyber director; how Chris implements it, particularly as the first director, is really crucial," said King. The report notes that beyond the implementation of the NCD, determining the role's "successful impact" will be dependent on how future presidents enable and empower the NCD's office.
One of the recommendations in progress, considered "on track," is the establishment of a Bureau of Cyber Statistics, kin to the Bureau of Labor Statistics. Such an organization would aid insurance providers in how they assess risk.
While there is legislation in the works to establish a cyber statistics bureau, there are unanswered questions, including whether the Department of Commerce is the appropriate agency to oversee it, according to Robert Morgus, senior director of the Task Force Two within the CSC, during the webcast. Lawmakers would have to determine how a cyber statistics department would gather its information without a federal incident reporting law and how it would scale and store the data.
Establishing a national incident reporting law has been a slow process. While breach notification laws are common at the state level, the security community is still figuring out how to disclose other types of cyberattacks. So far, at least three incident reporting bills have been introduced:
- Sen. Susan Collins, R-Maine, Sen. Mark Warner, D-Va., and Sen. Marco Rubio, R-Fla., proposed legislation to require federal agencies and critical infrastructure operators to report an incident within 24 hours of discovery.
- Sen. Gary Peters, D-Mich., and Sen. Rob Portman, R-Ohio, proposed legislation that was incorporated into the infrastructure bill that would give the Department of Homeland Security the authority to declare a "significant incident."
- Rep. Yvette Clark, D-N.Y., introduced legislation, which passed the House, that would improve coordination and reporting at all levels of government.
Measuring impact
Because the CSC was reauthorized through December 2021, it has time to introduce more potential recommendations into the NDAA. The CSC has more than 50 legislative proposals, however, between the Senate and the House, there are dozens of committees and subcommittees dealing with cyber-related issues, which often leaves holes in continuity, according to Morgus.
"That's very difficult to navigate if you're trying to sort of get things done on cybersecurity," Morgus said. "The big challenge there is there are stakeholders in the form of members and staff that want to keep that jurisdiction over cyber issues."
About 21% of the recommendations are either facing "significant barriers" or have made limited progress. Some of them are "break-glass" measures designed specifically for catastrophes, said Morgus.
One of those recommendations — liability for final goods assemblers — is the CSC's way of addressing the "age-old software vendor liability discussion," Morgus said. It requires stakeholders to define negligence, which would determine how liable a vendor is for negligently producing a technology that leads to a cyber incident.
Some of the major limitations in the government's recent cybersecurity initiatives is a lack of incentives for private industry.
"Companies need that liability protection" so they are comfortable and compelled to participate in an information sharing ecosystem, said Kiersten Todt, managing director at the Cyber Readiness Institute, during the webcast. "We've had a sector-specific approach to cybersecurity for a long time. And there's a reason for that. That's how we've organized our thinking" into ISACs and ISAOs.
While sector-specific cyber functions and requirements should continue, the government is now emphasizing cross-sector collaboration in real-time data collection. Companies want to address an old adage, said Todt. "Don't tell me I've been shot, tell me where the shooter is so I can get myself out of the way."