US making progress on cyber defense, but up against some ‘significant hurdles’: Commission report

WASHINGTON — More than two years after the Cyberspace Solarium Commission made recommendations on how the US can bolster its cyber defenses, nearly 85 percent have been implemented or are in progress — but others still face a few “significant hurdles,” according to the commission’s new report. Overall, it’s work lawmakers said have already shown benefits when it comes to pushing back against Russian cyber activity.

The report, published today by Cyberspace Solarium Commission 2.0, paints a picture of some of the significant improvements over the past two years in US cybersecurity: Congress passed the Cyber Incident Reporting Act requiring companies to report cyberattacks and ransomware incidents, lawmakers increased funding for the Cybersecurity and Infrastructure Security Agency (CISA), and the White House appointed a national cyber director.

RELATED: Lawmakers Urge SEC To Propose Mandatory Cybersecurity Reporting Rules

“Collectively, these changes will help deter malign actors in cyberspace and shore up U.S. defenses at home,” according to the report. “They will also make digital interactions safer for stakeholders across industry and around the world… However, this progress cannot be the culmination of the U.S. government’s focus on cybersecurity; it must be the prelude to even further changes.”

As far as malign actors go, the report specifically pointed to a few successes under some of the recommendations that are on track to being implemented, like streamlining the attribution of cyberattacks through the “Cyber Incident Data and Analysis Working Group” and the “Cyber Incident Attribution and Analysis Decision Rubric.” These tools have already sped up attribution in recent years, the report said, including as recently as this February when Russia launched several cyberattacks against Ukraine at the onset of the invasion.

“Within just three days of a distributed denial-of-service (DDoS) attack against the Ukrainian Ministry of Defense, U.S. Deputy National Security Advisor Anne Neuberger accused Russia of perpetrating the attack,” according to the report. “The British government concurred. Subsequently, CISA released an advisory noting the indicators of compromise of the associated attack. The speedy attribution capabilities between the United States and its allies show the potential of this approach.”

Such cyber attacks were to be expected from Russia’s aggressive cyber operators, but Sen. Angus King, I-Maine, co-chair of the Cyberspace Solarium Commission 2.0, said today during an event held by The Foundation of Defense of Democracies (FDD) that he was a little surprised they weren’t more widespread, especially against the US and its allies. One reason, he speculated, was that Putin may be intimidated by the work of the National Security Agency. (The CMC 2.0 is housed within the FDD’s Center on Cyber and Technology Innovation.)

“I believe that we would have seen more of a cyber intrusion into the West, but for Putin is afraid of [Director of US Cyber Command Gen. Paul] Nakasone,” King said. “I think Putin is deterred, frankly, by the capabilities that we have and by what Nakasone and what NSA demonstrated in 2018 in the midterm elections… Now, again, I can’t prove that because they didn’t attack. My belief is that an attack might have been more likely but for the concern of the Russians that they were at risk. And in that case I think deterrence has made a real contribution.”

Overall the report shows that nearly 60 percent of the initial 82 recommendations made by the Cyberspace Solarium Commission in March 2020 have been fully or nearly implemented while more than 25 percent are on track to being implemented. Since the initial recommendations were made, the Cyberspace Solarium Commission 2.0, which was formed when the initial commission reached the planned end of its mandate, has added to the list, bringing the total number up to 116 recommendations. 

The report also categories some recommendations made by the commission as having “significant barriers to implementation. Those recommendations “are not expected to move in the in the immediate future but are ready to be taken up if future crises spur action,” according to the report.

“National cyber resiliency requires long-term investment,” the report says. “Thwarting and punishing malicious cyber actors require persistence. Layered cyber deterrence demands sustained attention.”

King bemoaned how one recommendation in particular — setting up powerful congressional committees on cybersecurity similar to the current intelligence committees — has been so difficult to implement.

“In [1976] they realized that intelligence was spread all over the Congress and they set up committees on intelligence in the Senate and House to consolidate that jurisdiction. I don’t know how they did it, because trying to do that with cyber we have found is virtually impossible,” King said. “Nobody wants to give up their little piece of the jurisdiction.”

However, according to the report, legislative language has been drafted pertaining to that recommendation “and stands ready should a future emergency create the political impetus needed to overcome existing barriers.”

Following another recommendation, White House’s national cyber director Chris Inglis is slated to finalize a national cyber strategy within the next few weeks.

“In addition to having a pen on the national cyber strategy, which is absolutely essential… two other areas where [Inglis has] already had an impact is kind of tackling the cyber workforce issue head on,” Sen. Mike Gallagher, R-Wisc., said at the FDD event. “He’s done a variety of things to practically do outreach on that. Obviously it’s not something that can be solved with a silver bullet solution coming out of the White House or Congress, but also my understanding is he actually has productively worked with the [Office of Management and Budget] in order to kind of really establish guidelines for various funding goals among all the agencies that play on cyber.”