The U.S. Cyberspace Solarium Commission released Thursday its 2021 implementation report, which found that of the 82 original recommendations the Commission made in March last year, about 35 percent have been implemented or are nearing implementation, and roughly another 44 percent are on track for implementation. In addition, several recommendations from the Commission’s subsequent white papers are also moving toward implementation.
Recent months have been plagued by repeated cybersecurity attacks on the nation’s critical infrastructure community, including the SolarWinds supply chain attack, the hack of a Florida water treatment facility, the ransomware attack on Colonial Pipeline, and the ransomware attack on JBS, the world’s largest food producer. Such incidents suggest that more work remains.
While the Commission’s strategic approach of layered cyber deterrence has remained a valuable framework for evaluating possible U.S. actions to defend against attacks of significant consequence, understanding its larger impact will require more time and better mechanisms for measuring improvements in national cybersecurity, the Commission’s report said. In the meantime, individual recommendations that anchor that strategic approach are well on their way to implementation.
The ‘2021 Annual Report on Implementation’ tracks the Commission’s recommendations in authorizing legislation, appropriations, executive orders, and other policy actions. The report emphasizes the distinction between success and implementation, noting that lasting progress is an ongoing, iterative process, and outlines steps for future action to ensure the lasting momentum of changes made today. Further authorizing legislation or executive action is needed to implement some Commission recommendations, and appropriations are needed to support authorized policies, plans, and procedures.
The Commission’s report provided a strategic approach to and assessment of the cyber threat landscape. In some cases, the accuracy of the Commission’s analysis is obvious, as the drumbeat of significant cyberattacks undeniably increased as expected, though it certainly did not predict that the COVID-19 pandemic would create a new opportunity for such attacks, the report added.
Another unanticipated dynamic was the increased focus on cybersecurity issues, and on certain Cyberspace Solarium Commission recommendations, that resulted from the SolarWinds hack, the Microsoft Exchange Server hack, and the Colonial Pipeline ransomware attack, according to the Commission’s report. The SolarWinds incident renewed calls for national breach notification and incident reporting laws. Similarly, the pandemic underscored the need for certain cybersecurity reforms that can aid both the federal government and state, local, tribal, and territorial (SLTT) governments in delivering digital services to American citizens.
The American Rescue Plan Act included US$650 million for the Cybersecurity and Infrastructure Security Agency (CISA), in recognition of the crucial role that cybersecurity plays at a time when the COVID-19 pandemic has forced Americans to shift economic, educational, and social activities online.
“Over the past year, this commission has helped the country take considerable steps to strengthen its cyber defenses. But as recent cyberattacks have made clear, our work is not yet done,” Cyberspace Solarium Commission co-chair Representative Mike Gallagher said in a press statement. “This report outlines our progress and the steps we still need to take to ensure Americans’ lives and livelihoods are better protected online.”
“We have been in the fortunate position to connect good ideas, legislation, and implementation over the past several months,” said Cyberspace Solarium Commission’s co-chair Senator Angus King. “Across the public and private sectors, in federal departments and agencies, and especially among our colleagues here on the Hill, we are deeply grateful to all the leaders in cybersecurity who rolled up their sleeves and turned ideas into action this past year.”
Following the SolarWinds supply chain attack, renewed calls for federal breach notification and incident reporting laws underscored the importance of recommendations that the Cyberspace Solarium Commission made in its final report. Nevertheless, in retrospect it appears that the Commission could have devoted more explicit attention to software supply chain security in its final report or in its white paper on supply chain security, which was published in October 2020, just months before news broke about the SolarWinds incident, the report added.
The SolarWinds incident highlighted the importance of software supply chain security. Although a speculative evaluation suggests that some Cyberspace Solarium Commission recommendations might have helped mitigate the consequences of the event as it unfolded, many of those recommendations were not implemented until after it occurred, while others still remain unimplemented.
On the response side, certain recommendations, such as the codification of a Cyber State of Distress, would have granted the federal government additional response and recovery funds to assist state, local, tribal, and territorial (SLTT) governments and private-sector companies, according to the Commission’s report.
In other cases, evaluating the Commission’s work is more difficult. As noted above, the Commission’s layered cyber deterrence approach remains a valuable framework, but understanding its larger impact will require additional time and better mechanisms for measuring improvements in national cybersecurity, the report said.
Earlier this week, the U.S. Senate passed a bipartisan infrastructure bill that would help boost infrastructure resiliency in a country already plagued by several cybersecurity incidents affecting its critical infrastructure sector. The Senate allocated over $1.9 billion in cybersecurity funds as part of the roughly $1 trillion bipartisan infrastructure bill. The funds will go toward securing critical infrastructure, helping vulnerable organizations defend themselves, and providing funding for a key federal cyber office and other initiatives.