Cyberspace Solarium Commission calls for sustained investment in defense

Despite having taken “significant steps” to strengthen the country's defenses against digital threats, the progress must be a "prelude" to further changes, the Cyberspace Solarium Commission urged Wednesday.

“Even as we issue this progress report, we know that assessing implementation is not enough,” commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wisc.) wrote in the panel’s second annual assessment report.

“Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape,” they added.

The report follows several actions taken by the executive branch and Capitol Hill to bolster the country’s cyber resiliency in the wake of major ransomware attacks, including on Colonial Pipeline, meat processor JBS and software company Kaseya, as well as the massive SolarWinds breach carried out by Russian hackers. 

Most notably, landmark cyber incident legislation became law, and just last week the first U.S. cyber ambassador was confirmed.

The commission made 116 policy recommendations in its original report and published six follow-on white papers. Of those, 33 have been implemented; 30 are close to implementation; 31 are “on track” in some fashion; 20 have experienced limited progress; and two suggestions, less than 2% of the overall figure, face “significant barriers” to becoming reality, according to the latest report.

Presidential directives and the National Defense Authorization Act (NDAA) have become major vehicles for executing the group’s ideas, with the House version of this year’s bill containing a pair of key Solarium proposals. 

The first would designate “systemically important entities” status to the most vital U.S. critical infrastructure, requiring operators to enact strong digital security standards and share threat intelligence with the government in return for increased federal support. 

However, last week, a coalition of industry groups sent a letter opposing the idea, arguing it would create “programmatic redundancies” and that the information gleaned through the effort could lead to an “elevated risk of exploitation by America’s foreign adversaries.”

The second would create a “Cyber Threat Environment Collaboration Program,” a portal intended to increase data sharing among members of the Cybersecurity and Infrastructure Security Agency’s growing Joint Cyber Defense Collaborative — the organization’s public-private coordination hub that was relied on during the Log4j crisis.

The Senate draft of the policy roadmap doesn’t contain either provision. Senate Majority Leader Chuck Schumer (D-N.Y.) on Tuesday said the chamber would be in session next month and would take up its draft of the must-pass legislation then.

Yet two recommendations have faced so much pushback that the commission sees little hope of them being implemented anytime soon: creating congressional committees devoted to cybersecurity; and establishing liability of “final goods assemblers” of software and hardware for breaches and hacks resulting from the exploitation of known or unpatched vulnerabilities.

“We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail — protecting our national cybersecurity,” wrote King and Gallagher.