Sweeping Federal Cybersecurity Upgrades Needed to Defend US
A new report says the federal government and the private sector needs to better defend the United States in cyberspace.
The words are straight forward and to the point: “The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace."
The words come via a yearlong bipartisan study (.PDF) of the United States' ability to handle cyber threats published by the Cyberspace Solarium Commission, a group established last year by the president and Congress in hopes of developing a national strategy for defending the country and its interests in cyberspace.
“We must get faster and smarter, improving the government’s ability to organize concurrent, continuous and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries,” the report, issued Wednesday, reads.
It’s the first public document issued by the group, which borrows its name from President Dwight D. Eisenhower's Project Solarium, a 1953 effort designed to tackle the mounting Soviet threat in the Cold War's infancy.
In light of the country's lack of preparedness, the report is encouraging Congress to make moves in the near term, namely through bills that would reshuffle the roles of government entities, like the Department of Homeland Security's Cybersecurity and Infrastructure Agency to better respond to threats. Currently, the commission posits, government structures "fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations."
Under the commission’s guidance, CISA would be able to perform continuous threat hunting across government networks, something it believes would allow it to better detect, identify, and mitigate threats to those networks and glean intel on malware, indicators of compromise, tactics, techniques and procedures – and then allow it to share that data.
Entities across the Department of Defense's Information Network should also embrace threat hunting to better ensure the security and resilience of these systems, according to the paper.
The key to CSC's strategy hinges on layered cyber deterrence, something which would shape behavior, deny benefits, and impose costs on attackers who target America through cyberspace.
The group's 182-page report doesn't solely focus on upending how the government tackles cyber threats. There are sections on fighting ransomware attacks, how artificial intelligence and machine learning can augment cybersecurity, how to improve voting systems, how to combat intellectual property theft, and how to make the rollout of 5G systems more secure.
In addition to tweaking the role of CISA, much of the guidance is based around creation.
CSC is encouraging Congress to create a cyber bureau and assistant secretary at the U.S. Department of State to oversee cyber issues, establish a bureau of cyber statistics, a National Cybersecurity Certification and Labeling Authority to support the work of the National Institute of Standards and Technology, or NIST.
Aside from issuing an updated National Cyber Strategy, one of the commission's most pressing asks also revolves around creation. Its stressing that Congress should establish a Permanent Select Committee on Cybersecurity both in the House and Senate that could have "legislative jurisdiction over the broad integration of systemic cybersecurity strategy and policy both within government and the private sector," in addition to oversight responsibilities.
Representative Mike Gallagher, Co-Chairman of the Cyberspace Solarium Commission and Samantha Ravich, a Commissioner of the group, hinted at a lot of these suggestions in a post to Cyberscoop last week, suggesting that Congress should codify the authority of the federal government to declare a "cyber state of distress" and be prepared for when cyberattacks are successful.
"The U.S. has a firm foundation for its resilience efforts. Many of the same processes and mechanisms that have served us well in planning for natural disasters and nuclear war, have laid the groundwork to tackle the key challenges we face today,” the two wrote, “But the U.S.’s success will ultimately depend on its ability to take risks, adapt, and apply old lessons to new problems and a new strategic context. "