If the U.S. Cyberspace Solarium commission’s recommendations gain traction, they could lay the groundwork for closer coordination of cybersecurity initiatives
For the last year, the U.S. Cyberspace Solarium Commission has been hard at work on a study of the country’s cybersecurity vulnerabilities and capabilities. On March 11, it published the study – all 182 pages of it, complete with extensive footnotes, a glossary, a three-and-a-half-page list of specific policy recommendations – and a call for a realignment in relations between the public sector and private sector.
Despite its length and level of detail, the study is very engaging. It’s written in straightforward, narrative language that will be accessible to lay readers as well as cybersecurity professionals. But the subject matter – the risks that connectivity can pose to military forces, government agencies at all levels, public utilities, financial institutions, privately owned businesses, community organizations, and other crucial components of functioning democracies – is sobering.
Public-private relationships may change
If the Cyberspace Solarium commission’s recommendations gain traction in Washington, they may lead to changes in the relationship between the public sector and the private sector.
Historically, there has been a significant degree of separation between these two sectors. Governments introduce and enforce measures to restrict or guide the actions of private businesses, but they do not issue marching orders. Likewise, private businesses seek to influence the government’s actions through lobbying and other means, but they generally do not have the ability to move the levers of power on their own. (At the same time, though, they do hold around 85% of the assets that are likely to be targeted in cyberattacks.)
In other words, the two sectors do interact, but they are not intertwined in the sinister ways that stir the imagination of political extremists and conspiracy theorists. But there is room for closer coordination between the two sides – and that’s exactly what the study recommends.
Private-sector interests must be considered
One of the five “big ideas” set out in the Chairmen’s Letter section of the study addresses the need to reconcile the fact that cybersecurity breaches can threaten national security and other public-sector concerns with the fact that so many cybersecurity targets are in private-sector hands.
The study also puts forth a strategy for realigning relations between the public sector and private sector. It calls on the private sector to take action to support the government’s cybersecurity objectives and on the public sector to support private businesses.
“[Deterrence] will require private-sector entities to step up and strengthen their security posture,” it reads. “Most of our critical infrastructure is owned by the private sector … But we need C-suite executives to take cyber seriously since they are on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.”
Personnel requirements are likely to expand
In theory, this is a sensible plan. It acknowledges that the public and private sectors have their own interests to uphold and calls on the two sectors to cooperate wherever and whenever those interests overlap.
In practice, achieving these ends may require both sides to make some significant operational changes. Private-sector entities facing cybersecurity challenges should work to ensure that they have the capacity to coordinate their work with public-sector agencies, either by establishing cybersecurity divisions or expanding their existing divisions to oversee coordination and compliance with government guidelines and regulations.
In concrete terms, this may involve actions such as hiring a new employee to handle compliance with federal cybersecurity reporting requirements in line with proposed amendments to the Sarbanes-Oxley Act. Likewise, it may entail revising business plans and budgets to make provisions for such hires.
Likewise, federal agencies should consider adding new staff members to facilitate communication with manufacturers, service providers, utilities, and other private-sector entities, as well as state and local governments. Taking such steps would help ensure that policymakers have a clearer idea of the private sector’s concerns and priorities. It would also provide a forum for businesses to share the information they have about specific cybersecurity issues.
In concrete terms, this could take the form of creating new government structures within the legislative and executive branches to address cybersecurity challenges, as outlined in the study. It might also involve establishing new public-private partnerships.
More training, not just more hires
It is too soon to say whether any of the recommendations made by the commission will lead to action. Facilitating this kind of realignment in relations between the public sector and private sector is not likely to be easy or fast.
Nevertheless, if the process begins, it ought to be paired with efforts to expand the pool of qualified cybersecurity professionals – a pool that is already around 561,000 workers short of full in North America alone, according to the 2019 edition of the Cybersecurity Workforce Study from (ISC)2.