Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Cybersecurity Group Hopes to Push 30 More National Priorities

The Cyberspace Solarium Commission worked with legislators and the Trump administration to get 27 recommendations implemented in policy last year. It's aiming for 30 more in 2021.

More than a year after the Cyberspace Solarium Commission recommended more than 80 policy initiatives to strengthen US cybersecurity, the US government has codified only 27 provisions into law.

The group hopes to change that this year, and cybersecurity experts agree that the time has come. Among the important recommendations that will be pushed in 2021 are a national data protection legislation, federal reporting requirements, and the creation of a Bureau of Cyber Statistics, according to a commissioner and two outside experts.

Related Content:

Cyberspace Solarium Commission Slams US Cybersecurity Readiness

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: A Wrench and a Screwdriver: Critical Infrastructure's Last, Best Lines of Defense?

The fact that the US government does not have a clear picture of cyber threats or how often public and private entities are affected needs to be fixed quickly, Paul Rosenzweig, senior fellow for cybersecurity at the R Street Institute, a conservative public-policy group, said during a session at the RSA Conference on the outstanding priorities from the Cyberspace Solarium Commission (CSC).

"It boggles my mind that 15 years into this cybersecurity crisis, we still don't have an operating picture of how frequently and what sorts of what breaches occur in the United States," he told attendees to the virtual session . "Without a comprehensive breach notification law, we will never get a sense of what is actually happening on the ground."

A number of major cyber incidents have elevated cybersecurity in the national conscious. In December, security firms and the US government revealed that remote-management firm SolarWinds had been breached and its software used to compromise thousands of other firms. In early May, Russia-linked attackers hit oil-and-gas transport network Colonial Pipeline with ransomware, forcing the company to shut down and creating a shortage of gas in the US southeast.

"Cybersecurity has for years been a wonky, abstract concern to most Americans," the CSC co-chairs Sen. Angus S. King Jr. (I-ME) and Representative Michael J. Gallagher (R-WI) stated in a tweet on May 28. "No longer ... as more of us have come to realize from the [Colonial Pipeline] attack the cyber risks to our country are greater than ever.”

Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States' cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020. 

While another two recommendations have been included in other laws passed since, the group is focusing on move forward with 30 primary recommendations this year, as well as making sure the implementation of already-passed federal legislation delivers on the promise of cybersecurity. 

"The old adage is 'Policy without resources is rhetoric,' so we need to make sure we are funding some of these initiatives as well," Frank Cilluffo, a CSC commissioner and director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, said during the RSA session. "Cyber goes far beyond national security, so we need to make sure that there are other congressional vehicles, committees, and other approaches to be able to implement other recommendations and provision."

In January, the CSC issued a white paper with a list of 15 priorities for the Biden administration, including the creation of the Office of the National Cyber Director and the issuance of a National Cybersecurity Strategy. The Biden created the office, nominated Chris Inglis to National Cyber Director, and issued an executive order to strengthen the nation's cybersecurity.

Yet many other priorities remain, including a cyber-emergency response fund that would help public agencies survive cyberattacks, the Cyber Diplomacy Act to elevate a member of the Department of State to head cyber-policy discussions with other nations, a cyber response fund (like a national disaster fund), the creation of a supply chain intelligence center to work with the private sector, and a national security investment corporation to fund early research into the nation's priorities.

For the private sector, a federal privacy and data protection statue should be a priority, said Tom Corcoran, head of cybersecurity at Farmers Insurance Group. A single law would help level the playing field and make incident response much faster, he said.

"Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what is required of them," he said. "A national law would certainly make companies lives a lot easier."

Finally, among the major priorities is a Joint Collaborative Environment, or JCE, where the private sector and public agencies could share information about attacks and respond much more quickly. Solving the information-sharing problem, however, will still take time, CSC's Cilluffo said. 

"There is a reason that we haven't answered this question for quite some time — it isn't easy," he said. "We need to make sure that we tackle a whole host of issues, including privacy, that are very complex. We can't continue to punt on the second down, we have been punting this ball down the road far too long."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31618
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...