The new Cyberspace Solarium Commission released its highly anticipated report this week that recommends the U.S. revamp its defenses against cyberthreats. It offers more than 75 recommendations for revitalizing U.S. cybersecurity, with a special emphasis on election security heading into November.
See Also: Deception-Based Threat Detection: Shifting Power to the Defenders
Among the key recommendations are: creation of an updated U.S. national cyber strategy; formation of new permanent select committees on cybersecurity in both the House and the Senate; and appointment of a Senate-confirmed national cyber director (see: White House Axes Top Cybersecurity Job).
The commission, which was mandated under the 2019 National Defense Authorization Act, is co-chaired by Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis. It also includes Trump Administration officials. Its mission is to develop “a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences,” according to the report.
The report lists China, Russia, Iran and North Korea as major threats to cybersecurity in the U.S., pointing at intellectual property theft carried out by Chinese operators and the election meddling carried out by Russian actors that has damaged public trust in the integrity of American elections (see: 2020 Election Security: Sizing Up Preparedness).
The report puts much of its emphasis on election security and how other countries are attempting to manipulate the vote through hacking and disinformation (see: CISA’s Krebs: 2016 US Elections Were Cyber ‘Sputnik’ Moment).
“If we don’t get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up,” King and Gallagher note in the report.
One of the major findings of the report is that the U.S. government is currently in a poor position to act with the speed and agility required to secure itself against fast-developing cyberthreats. The country is being weighed down by a “labyrinth of outdated rules, laws and regulations that limit America’s ability to defend cyberspace,” the report states.
Calling for collaboration between the public and private sector, the report says: “The United States now operates in a cyber landscape that requires a level of data security, resilience and trustworthiness that neither the U.S. government nor the private sector alone is currently equipped to provide.”
The report outlines three key components to a layered cyber defense:
- Shape behavior: The U.S. needs to build a coalition of partners and allies and work with them to secure its interests in cyberspace.
- Deny benefits: Public and private sector collaboration is needed to promote national resilience and to deny benefits to adversaries.
- Impose costs: The U.S. must be in a position to retaliate against threat actors to deter future malicious behavior.
The report calls for a “defend forward” strategy of proactively countering cyberthreats. “This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law,” the report says.
More Than 75 Recommendations
The commission’s report offers over 75 recommendations, which are categorized into six main groups or “pillars.” These include:
- Reform the U.S. government’s structure and organization for cyberspace: The report calls for an updated U.S. national cyber strategy; new permanent select committees on cybersecurity in both the House and the Senate; a Senate-confirmed national cyber director who will advise the president on cybersecurity-related issues and lead policy as well as strategy; the recruitment and development of better cyber talent; and the strengthening of the U.S. Cybersecurity and Infrastructure Security Agency, which is part of Homeland Security.
- Enforce cyber norms with nonmilitary tools: The commission recommends building a coalition of allies who would help the U.S. enforce current cyber norms by using nonmilitary tools, such as law enforcement actions, sanctions, diplomacy and information sharing. The report also suggests that Congress create an assistant secretary of state position to carry out this role.
- Promote national resilience: The report notes that U.S. needs to be prepared to quickly respond to and recover from an attack. So the commission recommends that Congress should ensure that CISA and other agencies be given funding to ensure rapid recovery.
- Reshape the cyber ecosystem: The federal government must explore legislation, regulation and executive action along with investments in all sectors, the report concludes. It also recommends the creation of a certification agency for cyber products, such as cloud security and cyber insurance, and a law establishing that the manufacturers of these products are liable for incidents that exploit known or unpatched vulnerabilities. The report also calls for a national data security and privacy protection law along with a bureau on cyber statistics to guide further policymaking.
- Implement cybersecurity collaboration with the private sector: The federal government must aid the private sector in cybersecurity efforts by building a more collaborative environment and by ensuring that important critical infrastructure is always supported by the U.S. government, according to the report.
- Eliminate weapons vulnerabilities: Finally, the federal government, especially the military, must do more to eliminate vulnerabilities, including those that could damage weapons systems or nuclear control systems.