More than a year after the Cyberspace Solarium Commission recommended more than 80 policy initiatives to strengthen US cybersecurity, the US government has codified only 27 provisions into law.
The group hopes to change that this year, and cybersecurity experts agree that the time has come. Among the important recommendations that will be pushed in 2021 are a national data protection legislation, federal reporting requirements, and the creation of a Bureau of Cyber Statistics, according to a commissioner and two outside experts.
The fact that the US government does not have a clear picture of cyber threats or how often public and private entities are affected needs to be fixed quickly, Paul Rosenzweig, senior fellow for cybersecurity at the R Street Institute, a conservative public-policy group, said during a session at the RSA Conference on the outstanding priorities from the Cyberspace Solarium Commission (CSC).
"It boggles my mind that 15 years into this cybersecurity crisis, we still don't have an operating picture of how frequently and what sorts of what breaches occur in the United States," he told attendees to the virtual session . "Without a comprehensive breach notification law, we will never get a sense of what is actually happening on the ground."
A number of major cyber incidents have elevated cybersecurity in the national conscious. In December, security firms and the US government revealed that remote-management firm SolarWinds had been breached and its software used to compromise thousands of other firms. In early May, Russia-linked attackers hit oil-and-gas transport network Colonial Pipeline with ransomware, forcing the company to shut down and creating a shortage of gas in the US southeast.
"Cybersecurity has for years been a wonky, abstract concern to most Americans," the CSC co-chairs Sen. Angus S. King Jr. (I-ME) and Representative Michael J. Gallagher (R-WI) stated in a tweet on May 28. "No longer ... as more of us have come to realize from the [Colonial Pipeline] attack the cyber risks to our country are greater than ever.”
Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States' cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020.
While another two recommendations have been included in other laws passed since, the group is focusing on move forward with 30 primary recommendations this year, as well as making sure the implementation of already-passed federal legislation delivers on the promise of cybersecurity.
"The old adage is 'Policy without resources is rhetoric,' so we need to make sure we are funding some of these initiatives as well," Frank Cilluffo, a CSC commissioner and director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, said during the RSA session. "Cyber goes far beyond national security, so we need to make sure that there are other congressional vehicles, committees, and other approaches to be able to implement other recommendations and provision."
In January, the CSC issued a white paper with a list of 15 priorities for the Biden administration, including the creation of the Office of the National Cyber Director and the issuance of a National Cybersecurity Strategy. The Biden created the office, nominated Chris Inglis to National Cyber Director, and issued an executive order to strengthen the nation's cybersecurity.
Yet many other priorities remain, including a cyber-emergency response fund that would help public agencies survive cyberattacks, the Cyber Diplomacy Act to elevate a member of the Department of State to head cyber-policy discussions with other nations, a cyber response fund (like a national disaster fund), the creation of a supply chain intelligence center to work with the private sector, and a national security investment corporation to fund early research into the nation's priorities.
For the private sector, a federal privacy and data protection statue should be a priority, said Tom Corcoran, head of cybersecurity at Farmers Insurance Group. A single law would help level the playing field and make incident response much faster, he said.
"Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what is required of them," he said. "A national law would certainly make companies lives a lot easier."
Finally, among the major priorities is a Joint Collaborative Environment, or JCE, where the private sector and public agencies could share information about attacks and respond much more quickly. Solving the information-sharing problem, however, will still take time, CSC's Cilluffo said.
"There is a reason that we haven't answered this question for quite some time — it isn't easy," he said. "We need to make sure that we tackle a whole host of issues, including privacy, that are very complex. We can't continue to punt on the second down, we have been punting this ball down the road far too long."