The Cyberspace Solarium Commission has released its second annual report evaluating how Congress, agencies and the White House are implementing recommendations from the 2020 landmark report and subsequent white papers on important cyber topics.
The report highlights the cyber incident reporting law, increased investments in CISA’s budget, establishing the National Cyber Director, launch of the State Department cyber bureau and CISA’s Joint Cyber Defense Collaborative as major wins, while acknowledging that the progress should not be “the culmination of the U.S. government’s focus on cybersecurity.”
Instead, it says, this work “must be the prelude to even further changes.”
The Foundation for Defense of Democracies holds an event today on behalf of the Solarium Commission to unveil the report and host a conversation with co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI), who will reflect on their work and the path forward on cyber policy.
The original Solarium Commission sunset in December 2021, and a new iteration housed at FDD -- CSC 2.0 -- is leading efforts to keep track of the recommendations.
King and Gallagher emphasize in the report’s executive summary how “implementation is not the same as success.” The lawmakers say, “Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape. … Even as we issue this progress report, we know that assessing implementation is not enough.”
The summary continues, “We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail — protecting our national cybersecurity.”
From the recommendations in the landmark 2020 report, the 2022 implementation review finds 48 of the Solarium recommendations are implemented or “nearing implementation.” Another 22 are “on track,” while progress is “limited” on 10 proposals and “significant barriers” remain on two recommendations.
The two recommendations facing “significant barriers” are creating new select committees in the House and Senate for cybersecurity, and establishing “liability for final goods assemblers.”
The commission was able to get 27 recommendations from the 2020 report into the fiscal 2021 NDAA and an additional 12 into last year’s defense policy bill. The 2021 infrastructure law included six recommendations from the commission and 11 proposals went into the CHIPS and Science Act.
On CISA’s funding, the report notes the fiscal 2022 spending bill increased CISA’s budget by $568.68 million, but it adds, “Notably, though, CISA will need to grow its staff and programming rapidly to meet its new mandate and expanded resources. Doing so will require significant improvements to basic business processes like human resources and procurement.”
The report provides an update on “continuity of economy planning,” an important part of the original Solarium publication that was included in the fiscal 2021 NDAA. It says:
This recommendation was implemented by FY21 NDAA Section 9603, which authorized the development of a COTE plan. However, successfully carrying out such a plan will require a clear indication of which department or agency will lead it, and the effort will likely require additional funding. The FY22 appropriations report did provide an increase of $200,000 above the president’s budget request for CISA to develop a COTE plan.
However, effective execution of Section 9603 will require a significantly greater scope of effort than the funding provided indicates. In particular, the legislation calls on CISA to create a plan every three years, requiring ongoing analysis of a diverse range of issues at a very granular level. Funding the personnel needed for this effort will be key to effective implementation. In the spring of 2022, the White House tasked CISA with leading the effort, some 15 months after the law was initially passed.
The commission’s recommendation to codify “systemically important critical infrastructure” is “on track,” according to the report. A revamp of its proposal from Rep. Jim Langevin (D-RI), a Solarium member, is in the House version of the fiscal 2023 NDAA. Major industry groups oppose the Langevin amendment and have sent letters to Senate leadership asking them to drop the measure from the NDAA.
The report says, “Commissioners, staff, and partners on the Hill engaged at length to advocate for this proposal’s inclusion in the FY22 NDAA, including gathering extensive input from government stakeholders and industry groups and proposing an alternative implementation plan for the proposal.”
“Over the course of the drafting process, Commission and legislative staff worked on adding greater detail, particularly to elements of the bill that dealt with the added benefits and burdens that Systemically Important Critical Infrastructure entities would receive. In particular, sections specifying intelligence support to the private sector and regulatory requirements matured significantly through revisions,” the report says.
“Appropriate language is currently included in the House version of the FY23 NDAA, and this remains a top priority for the congressional commissioners and other lawmakers,” according to the report.
Langevin was also able to get a separate provision into the House version of the fiscal 2023 NDAA to create a “Joint Collaborative Environment for Sharing and Fusing Threat Information,” which is considered a critical proposal from the 2020 landmark report.
However, the latest report says the JCE provision “requires jurisdictional relief from many congressional committees. Because the chair and ranking member of each committee of jurisdiction must agree to grant jurisdictional relief for the proposal to be included in the NDAA, these cross-jurisdictional proposals are especially challenging. Overcoming these challenges and supporting the proposal is a key priority for the congressional commissioners.”
The commission sees a path forward for the JCE outside of specific authorizing legislation through the 2021 cyber executive order. According to the report, the EO calls for “improvements to information sharing between federal departments and agencies.”
The report says the commission’s recommendation to increase support for supply chain risk management efforts is fully implemented through legislation in the fiscal 2022 NDAA and the CHIPS and Science Act. This includes a provision calling for public-private collaboration on guidance to address lifecycle security risks for software products and the creation of a voluntary National Supply Chain Database.
The report elaborates further on recommendations from a commission white paper released in 2020 on building a trusted information and communications technology supply chain.
In the original 2020 report, the commission makes a recommendation to amend the Sarbanes-Oxley Act to include cyber reporting requirements for publicly traded companies. The implementation report says legislation may be required but that a March proposed rule from the Securities and Exchange Commission will accomplish the intent of the CSC recommendation if implemented.
The rule would require companies to disclose cyber incidents and report on the roles of management and the board of directors on cybersecurity policy. It is strongly opposed by industry groups.
The report also reviews progress on implementing proposals for Sector Risk Management Agencies, sanctions and trade enforcement actions, workforce, tabletop exercises, and new cyber policies targeted at the Defense Department. -- Sara Friedman (email@example.com)