Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Cybersecurity Group Hopes to Push 30 More National Priorities

The Cyberspace Solarium Commission worked with legislators and the Trump administration to get 27 recommendations implemented in policy last year. It's aiming for 30 more in 2021.

More than a year after the Cyberspace Solarium Commission recommended more than 80 policy initiatives to strengthen US cybersecurity, the US government has codified only 27 provisions into law.

The group hopes to change that this year, and cybersecurity experts agree that the time has come. Among the important recommendations that will be pushed in 2021 are a national data protection legislation, federal reporting requirements, and the creation of a Bureau of Cyber Statistics, according to a commissioner and two outside experts.

Related Content:

Cyberspace Solarium Commission Slams US Cybersecurity Readiness

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: A Wrench and a Screwdriver: Critical Infrastructure's Last, Best Lines of Defense?

The fact that the US government does not have a clear picture of cyber threats or how often public and private entities are affected needs to be fixed quickly, Paul Rosenzweig, senior fellow for cybersecurity at the R Street Institute, a conservative public-policy group, said during a session at the RSA Conference on the outstanding priorities from the Cyberspace Solarium Commission (CSC).

"It boggles my mind that 15 years into this cybersecurity crisis, we still don't have an operating picture of how frequently and what sorts of what breaches occur in the United States," he told attendees to the virtual session . "Without a comprehensive breach notification law, we will never get a sense of what is actually happening on the ground."

A number of major cyber incidents have elevated cybersecurity in the national conscious. In December, security firms and the US government revealed that remote-management firm SolarWinds had been breached and its software used to compromise thousands of other firms. In early May, Russia-linked attackers hit oil-and-gas transport network Colonial Pipeline with ransomware, forcing the company to shut down and creating a shortage of gas in the US southeast.

"Cybersecurity has for years been a wonky, abstract concern to most Americans," the CSC co-chairs Sen. Angus S. King Jr. (I-ME) and Representative Michael J. Gallagher (R-WI) stated in a tweet on May 28. "No longer ... as more of us have come to realize from the [Colonial Pipeline] attack the cyber risks to our country are greater than ever.”

Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States' cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020. 

While another two recommendations have been included in other laws passed since, the group is focusing on move forward with 30 primary recommendations this year, as well as making sure the implementation of already-passed federal legislation delivers on the promise of cybersecurity. 

"The old adage is 'Policy without resources is rhetoric,' so we need to make sure we are funding some of these initiatives as well," Frank Cilluffo, a CSC commissioner and director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, said during the RSA session. "Cyber goes far beyond national security, so we need to make sure that there are other congressional vehicles, committees, and other approaches to be able to implement other recommendations and provision."

In January, the CSC issued a white paper with a list of 15 priorities for the Biden administration, including the creation of the Office of the National Cyber Director and the issuance of a National Cybersecurity Strategy. The Biden created the office, nominated Chris Inglis to National Cyber Director, and issued an executive order to strengthen the nation's cybersecurity.

Yet many other priorities remain, including a cyber-emergency response fund that would help public agencies survive cyberattacks, the Cyber Diplomacy Act to elevate a member of the Department of State to head cyber-policy discussions with other nations, a cyber response fund (like a national disaster fund), the creation of a supply chain intelligence center to work with the private sector, and a national security investment corporation to fund early research into the nation's priorities.

For the private sector, a federal privacy and data protection statue should be a priority, said Tom Corcoran, head of cybersecurity at Farmers Insurance Group. A single law would help level the playing field and make incident response much faster, he said.

"Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what is required of them," he said. "A national law would certainly make companies lives a lot easier."

Finally, among the major priorities is a Joint Collaborative Environment, or JCE, where the private sector and public agencies could share information about attacks and respond much more quickly. Solving the information-sharing problem, however, will still take time, CSC's Cilluffo said. 

"There is a reason that we haven't answered this question for quite some time — it isn't easy," he said. "We need to make sure that we tackle a whole host of issues, including privacy, that are very complex. We can't continue to punt on the second down, we have been punting this ball down the road far too long."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-29376
PUBLISHED: 2022-05-23
Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory.
CVE-2022-30015
PUBLISHED: 2022-05-23
In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.
CVE-2022-28999
PUBLISHED: 2022-05-23
Insecure permissions in the install directories and binaries of Dev-CPP v4.9.9.2 allows attackers to execute arbitrary code via overwriting the binary devcpp.exe.
CVE-2022-29002
PUBLISHED: 2022-05-23
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
CVE-2022-31489
PUBLISHED: 2022-05-23
Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.