Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->

Cybersecurity Group Hopes to Push 30 More National Priorities

The Cyberspace Solarium Commission worked with legislators and the Trump administration to get 27 recommendations implemented in policy last year. It's aiming for 30 more in 2021.

More than a year after the Cyberspace Solarium Commission recommended more than 80 policy initiatives to strengthen US cybersecurity, the US government has codified only 27 provisions into law.

The group hopes to change that this year, and cybersecurity experts agree that the time has come. Among the important recommendations that will be pushed in 2021 are a national data protection legislation, federal reporting requirements, and the creation of a Bureau of Cyber Statistics, according to a commissioner and two outside experts.

Related Content:

Cyberspace Solarium Commission Slams US Cybersecurity Readiness

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: A Wrench and a Screwdriver: Critical Infrastructure's Last, Best Lines of Defense?

The fact that the US government does not have a clear picture of cyber threats or how often public and private entities are affected needs to be fixed quickly, Paul Rosenzweig, senior fellow for cybersecurity at the R Street Institute, a conservative public-policy group, said during a session at the RSA Conference on the outstanding priorities from the Cyberspace Solarium Commission (CSC).

"It boggles my mind that 15 years into this cybersecurity crisis, we still don't have an operating picture of how frequently and what sorts of what breaches occur in the United States," he told attendees to the virtual session . "Without a comprehensive breach notification law, we will never get a sense of what is actually happening on the ground."

A number of major cyber incidents have elevated cybersecurity in the national conscious. In December, security firms and the US government revealed that remote-management firm SolarWinds had been breached and its software used to compromise thousands of other firms. In early May, Russia-linked attackers hit oil-and-gas transport network Colonial Pipeline with ransomware, forcing the company to shut down and creating a shortage of gas in the US southeast.

"Cybersecurity has for years been a wonky, abstract concern to most Americans," the CSC co-chairs Sen. Angus S. King Jr. (I-ME) and Representative Michael J. Gallagher (R-WI) stated in a tweet on May 28. "No longer ... as more of us have come to realize from the [Colonial Pipeline] attack the cyber risks to our country are greater than ever.”

Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States' cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020. 

While another two recommendations have been included in other laws passed since, the group is focusing on move forward with 30 primary recommendations this year, as well as making sure the implementation of already-passed federal legislation delivers on the promise of cybersecurity. 

"The old adage is 'Policy without resources is rhetoric,' so we need to make sure we are funding some of these initiatives as well," Frank Cilluffo, a CSC commissioner and director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, said during the RSA session. "Cyber goes far beyond national security, so we need to make sure that there are other congressional vehicles, committees, and other approaches to be able to implement other recommendations and provision."

In January, the CSC issued a white paper with a list of 15 priorities for the Biden administration, including the creation of the Office of the National Cyber Director and the issuance of a National Cybersecurity Strategy. The Biden created the office, nominated Chris Inglis to National Cyber Director, and issued an executive order to strengthen the nation's cybersecurity.

Yet many other priorities remain, including a cyber-emergency response fund that would help public agencies survive cyberattacks, the Cyber Diplomacy Act to elevate a member of the Department of State to head cyber-policy discussions with other nations, a cyber response fund (like a national disaster fund), the creation of a supply chain intelligence center to work with the private sector, and a national security investment corporation to fund early research into the nation's priorities.

For the private sector, a federal privacy and data protection statue should be a priority, said Tom Corcoran, head of cybersecurity at Farmers Insurance Group. A single law would help level the playing field and make incident response much faster, he said.

"Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what is required of them," he said. "A national law would certainly make companies lives a lot easier."

Finally, among the major priorities is a Joint Collaborative Environment, or JCE, where the private sector and public agencies could share information about attacks and respond much more quickly. Solving the information-sharing problem, however, will still take time, CSC's Cilluffo said. 

"There is a reason that we haven't answered this question for quite some time — it isn't easy," he said. "We need to make sure that we tackle a whole host of issues, including privacy, that are very complex. We can't continue to punt on the second down, we have been punting this ball down the road far too long."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-01
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
PUBLISHED: 2023-02-01
Dell BIOS contains a heap buffer overflow vulnerability. A local attacker with admin privileges could potentially exploit this vulnerability to perform an arbitrary write to SMRAM during SMM.
PUBLISHED: 2023-02-01
Dell Rugged Control Center, versions prior to 4.5, contain an Improper Input Validation in the Service EndPoint. A Local Low Privilege attacker could potentially exploit this vulnerability, leading to an Escalation of privileges.
PUBLISHED: 2023-02-01
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in download operation component. A local malicious user could potentially exploit this vulnerability leading to the disclo...
PUBLISHED: 2023-02-01
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a improper verification of cryptographic signature in get applicable driver component. A local malicious user could potentially exploit this vulnerability leading to malicious payload execution.