Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Cybersecurity Group Hopes to Push 30 More National Priorities

The Cyberspace Solarium Commission worked with legislators and the Trump administration to get 27 recommendations implemented in policy last year. It's aiming for 30 more in 2021.

More than a year after the Cyberspace Solarium Commission recommended more than 80 policy initiatives to strengthen US cybersecurity, the US government has codified only 27 provisions into law.

The group hopes to change that this year, and cybersecurity experts agree that the time has come. Among the important recommendations that will be pushed in 2021 are a national data protection legislation, federal reporting requirements, and the creation of a Bureau of Cyber Statistics, according to a commissioner and two outside experts.

Related Content:

Cyberspace Solarium Commission Slams US Cybersecurity Readiness

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: A Wrench and a Screwdriver: Critical Infrastructure's Last, Best Lines of Defense?

The fact that the US government does not have a clear picture of cyber threats or how often public and private entities are affected needs to be fixed quickly, Paul Rosenzweig, senior fellow for cybersecurity at the R Street Institute, a conservative public-policy group, said during a session at the RSA Conference on the outstanding priorities from the Cyberspace Solarium Commission (CSC).

"It boggles my mind that 15 years into this cybersecurity crisis, we still don't have an operating picture of how frequently and what sorts of what breaches occur in the United States," he told attendees to the virtual session . "Without a comprehensive breach notification law, we will never get a sense of what is actually happening on the ground."

A number of major cyber incidents have elevated cybersecurity in the national conscious. In December, security firms and the US government revealed that remote-management firm SolarWinds had been breached and its software used to compromise thousands of other firms. In early May, Russia-linked attackers hit oil-and-gas transport network Colonial Pipeline with ransomware, forcing the company to shut down and creating a shortage of gas in the US southeast.

"Cybersecurity has for years been a wonky, abstract concern to most Americans," the CSC co-chairs Sen. Angus S. King Jr. (I-ME) and Representative Michael J. Gallagher (R-WI) stated in a tweet on May 28. "No longer ... as more of us have come to realize from the [Colonial Pipeline] attack the cyber risks to our country are greater than ever.”

Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States' cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020. 

While another two recommendations have been included in other laws passed since, the group is focusing on move forward with 30 primary recommendations this year, as well as making sure the implementation of already-passed federal legislation delivers on the promise of cybersecurity. 

"The old adage is 'Policy without resources is rhetoric,' so we need to make sure we are funding some of these initiatives as well," Frank Cilluffo, a CSC commissioner and director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, said during the RSA session. "Cyber goes far beyond national security, so we need to make sure that there are other congressional vehicles, committees, and other approaches to be able to implement other recommendations and provision."

In January, the CSC issued a white paper with a list of 15 priorities for the Biden administration, including the creation of the Office of the National Cyber Director and the issuance of a National Cybersecurity Strategy. The Biden created the office, nominated Chris Inglis to National Cyber Director, and issued an executive order to strengthen the nation's cybersecurity.

Yet many other priorities remain, including a cyber-emergency response fund that would help public agencies survive cyberattacks, the Cyber Diplomacy Act to elevate a member of the Department of State to head cyber-policy discussions with other nations, a cyber response fund (like a national disaster fund), the creation of a supply chain intelligence center to work with the private sector, and a national security investment corporation to fund early research into the nation's priorities.

For the private sector, a federal privacy and data protection statue should be a priority, said Tom Corcoran, head of cybersecurity at Farmers Insurance Group. A single law would help level the playing field and make incident response much faster, he said.

"Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what is required of them," he said. "A national law would certainly make companies lives a lot easier."

Finally, among the major priorities is a Joint Collaborative Environment, or JCE, where the private sector and public agencies could share information about attacks and respond much more quickly. Solving the information-sharing problem, however, will still take time, CSC's Cilluffo said. 

"There is a reason that we haven't answered this question for quite some time — it isn't easy," he said. "We need to make sure that we tackle a whole host of issues, including privacy, that are very complex. We can't continue to punt on the second down, we have been punting this ball down the road far too long."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37001
PUBLISHED: 2021-10-28
There is a Register tampering vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow the register value to be modified.
CVE-2021-37002
PUBLISHED: 2021-10-28
There is a Memory out-of-bounds access vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause malicious code to be executed.
CVE-2021-22483
PUBLISHED: 2021-10-28
There is a issue of IP address spoofing in Huawei Smartphone. Successful exploitation of this vulnerability may cause DoS.
CVE-2021-22485
PUBLISHED: 2021-10-28
There is a SSID vulnerability with Wi-Fi network connections in Huawei devices.Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2021-22486
PUBLISHED: 2021-10-28
There is a issue of Unstandardized field names in Huawei Smartphone. Successful exploitation of this vulnerability may affect service confidentiality.