More than a year after a seminal cybersecurity commission presented numerous recommendations for the U.S. to up its cyber game across a range of areas, most of the action items are on track to be, or have been, implemented, although others face hurdles and Congress still needs to provide more funding to back up new policies and activities, the Cyberspace Solarium Commission says in a progress report.
Of the 82 recommendations from the March 2020 Cyberspace Solarium Commission report, 22 percent have been implemented, more than 13 percent are nearing implementation, and 44 percent are on track or partially implemented, the commission says in its Aug. 12 2021 Annual Report on Implementation. However, 16 percent of the recommendations have made limited progress and 5 percent face significant barriers to adoption, it says.
Among the key recommendations that have been implemented, the creation of the Office of the National Cyber Director (NCD) and the Senate confirmation in June of Chris Inglis to fill the new role has been an important “accomplishment,” Sen. Angus King (I-Maine), co-chairman of the commission, said Thursday in recorded remarks marking release of the follow-up report.
But King pointed out that how Inglis fulfills the role of the NCD “is really crucial” as the top official overseeing the coordination and implementation of the nation’s cyber strategies and policies.
Rep. Mike Gallagher (R-Wis.), King’s co-chair on the bipartisan commission, cited a legislative provision that was enacted requiring the Biden administration to develop a continuity of the economy plan within two years for how the nation would recover from a major cyber disruption and restore critical economic functions.
In terms of recommendations that still need to be adopted, King highlighted the need to establish and understand the concept of “systemically important critical infrastructure,” adding that private companies are the “target” of cyber-attacks yet they still have a “sort of visceral resistance to close cooperation with the government,” particularly when it comes to sharing information and facing liabilities and potentially compromising proprietary information.
King also said the Cyber Diplomacy Act, which has passed the House but not the Senate, needs to become law to establish the “U.S. as a leader in the international community” for setting standards and norms of behavior or risk ceding leadership to China.
King said the administration also needs to develop a clear and articulated cyber deterrence doctrine. King said that President Biden’s message earlier this year to Russian President Vladimir Putin that U.S. critical infrastructures are off limits to cyber-attacks is a part of a cyber deterrence doctrine, but work here needs to be “elevated” and “clearly articulated.”
Gallagher cited the need to adopt the recommendation for a Bureau of Cyber Statistics, which in part would give the insurance industry better data to “price cyber risk.” With better cyber risk models, “I think the cyber insurance market might be able to help shape the behavior of private sector actors,” he said.
The implementation report says that four recommendations that face “significant barriers to implementation” include the establishment in Congress of Permanent Select Committees on Cybersecurity, the designation of responsibilities for cybersecurity services under the Defense Production Act, establishing liability for final goods assemblers, and passage of a national data security and privacy protection law.
Congress still needs to provide funding in some areas to enable the full implementation of some recommendations. For example, the Senate this week agreed to provide $21 million to staff up the Office of the NCD. Now the House must follow suit.
Many of the commission’s recommendations found their way into law through the fiscal year 2021 National Defense Authorization Act, which went into effect in January, and others are being put into effect through presidential executive orders. Now some of these recommendations need to be funded, which is part of the routine appropriations cycle in Congress that is underway, Laura Bate, one of the senior directors on the commission, said on Thursday during a virtual discussion on the rollout of the implementation report.
The continuity of the economy plan still requires funding, the report says.
Based on the budget process so far this year, “there’s a lot still up in the air on this one,” Bate said. She said the House appropriators’ funding increases for the Department of Homeland Security Cybersecurity and Infrastructure Security Agency are “promising” in terms of turning adopted recommendations into “actual action,” and now it’s up to the Senate to do the same.
In other areas, funding is less certain, Bate said. She pointed to a cyber education program called the Cybersecurity Education and Training Assistance that was zeroed out in the administration’s budget request for CISA, and said the same happened to a new cybersecurity workforce development program at the National Institute of Standards and Technology.