Lawmakers who sit on the recently formed Cyberspace Solarium Commission hope that a new report to be released early this year will provide ample guidance to prompt the U.S. government to shape up its cybersecurity game and push both the public and private sector to become more agile and responsive to potential threats.
The Cyberspace Solarium Coalition is made up of 14 members from federal agencies, Congress and the private sector and was established as part of the FY ’19 National Defense Authorization Act to bolster the U.S. response to current and future cybersecurity threats and develop a roadmap to more comprehensive and proactive protection.
The commissions initial report is expected to be released within the next couple of months, but co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) shared some initial findings and expected recommendations at a Jan. 7 event at the Council on Foreign Relations in Washington, D.C.
The report should include about 75 new recommendations organized along six pillars of effort, said Gallagher, a Marine Corps combat veteran who serves on the House Armed Services Intelligence and Emerging Threats Subcommittee.
“We all agree that deterrence in cyber, while difficult, is possible and indeed doable by the federal government, but is going to require the federal government to act with much more speed and agility than it is currently acting with,” he said. The recommendations will hopefully help push an organization traditionally ill-equipped to function with speed and agility – the U.S. government – to do just that.
“How do you enhance and empower the agencies we have right now?” Gallagher said. He lauded recent efforts to expand the authorities of U.S. Cyber Command to perform persistent engagement, and urged for an enhanced role to be carved out for the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security.
The recommendations will also address ways the federal government can incentivize private companies to be more proactive in their cybersecurity approaches as well as more transparent and responsive in reporting issues, Gallagher noted.
King, who serves as the ranking member of the Senate Armed Services Airland Subcommittee and also sits on the Senate Intelligence Committee, noted that the inclusion of industry is crucial because “80 percent of the target surface is in the private sector.”
“It’s not just a typical Army versus Army [situation]; it’s how do we defend the electric system in the southwest,” King said Tuesday.
“Everybody is overconfident” in the private sector when assessing their company’s ability to handle a cyber threat, King added. “One of the things that we have to really work on is, how do we ensure that they are at some minimum level of cyber security?”
That comes down to ensuring measures as basic as proper cyber hygiene training are in place, all the way up to potentially installing an insurance-like system that rates companies based on their threat levels and imposes premiums on high-risk entities.
“If there was a vigorous insurance market for cyber disruption, the insurance market would enforce the hygiene,” King noted.
The U.S. government should also have red-teaming capabilities available to test companies’ cybersecurity models, he added.
The Defense Department will play an active role in developing and enforcing new cyber norms, the lawmakers noted.
“Our starting point is the recognition that deterrence, particularly below the threshold of military force, is constantly failing,” Gallagher said. “The military needs to be in the business of empowering the private sector to develop more resilience to do the deterrence by denial … but also to develop a strategy that allows us to do deterrence by punishment.”
The question of connectivity and the increased impact of a 5G network on global supply chains will also be addressed in the report. Gallagher said the goal is assess whether “we are doing enough to ensure that our supply chains are free from the threat of espionage activity” from China, or whether the United States should take steps to disaggregate parts of its economy to contain potential nefarious actions.