Recently, the non-profit bipartisan Cyberspace Solarium Commission (CSC) provided the incoming presidential administration and Congress with ten new cyber policy recommendations. In 2020, the CSC issued a report highlighting numerous recommendations over six strategic pillars to enhance cyber resiliency by creating layered deterrence. Impressively, since then, the new CSC report found that approximately 80% have been fully implemented or are otherwise close to being implemented, with an additional 12% “on track.” In addition to encouraging the completion of the unfinished implementation from the first plan, the second iteration of recommendations places emphasis on continued strengthening the capabilities of DHS’ Cybersecurity and Infrastructure Security Agency, developing certifications for cloud security and cybersecurity insurance, building societal resilience against cyber-enabled information operations, and even establishing cybersecurity roles for the National Guard, to name a few.
The CSC 2.0 emerged in 2022 from the original 2019 CSC, a congressionally mandated body committed to developing a strategy to enhance U.S. cybersecurity. Certainly, there are arguments to be made that the original CSC was a success. Getting any significant percentage of things done on a long list of “to dos” especially at the government level is noteworthy. Though what is inherently missing in this accomplishment is an accounting of how this implementation has created a more resilient cybersecurity ecosystem in the United States. It would be beneficial to see what the cybersecurity landscape looked like before these recommendations were implemented, and what it looks like now for a more comprehensive cause-effect understanding of why these recommendations were made in the first place. In other words, how have these implemented changes enhanced a specific area, and are there any attack deterrent metrics that reflect that improvement?
Nonetheless, the United States is about to elect a new president, and although cyber has not topped the major issue of voters, the new president will have to address cybersecurity at some point. Unfortunately, there has been little talk by either candidate on the issue, which leaves us with what one former president did during his tenure, and what the other did during her tenure in the current administration. Much of the CSC’s initial implementation occurred during Biden’s presidency, suggesting that a future Harris administration could follow the game plan already in place. While this may change, there has been no articulation on the part of Harris of changing things up. Therefore, chances are she will just continue what’s been done. During his presidency, Trump did put forth his own cybersecurity strategy and sign a few cybersecurity-related executive orders. Chances are that the continued implementation of the initial CSC and the future implementation of 2.0 will largely be determined by how they fit into each candidate’s strategic and policy plans. In either case, one thing is clear: United States’ cybersecurity must be a continuous process, and not just a list of things to be checked off and forgotten.
And while voluntary industry participation in maintaining minimum government cybersecurity guidelines does not appear to have achieved the desired goal, government mandates borders on the type of digital authoritarianism if mishandled. For example, government cybersecurity mandates combined with legislation (banning certain technology manufacturers ostensibly creates fewer options and perhaps, preferred options from a government perspective) can create a favorable environment for centralized control. In a positive light, this could enhance security, streamline incident response, and increase cyber resiliency. It can also empower the government for more influence and control over what technology is allowed to be used by the private sector, something seen in states like China and Russia. That is not to say that will happen, only that it could, and in today’s environment that has seen Internet freedoms decline in the United States (e.g., recent Senate report on how CISA colluded with “big tech” to play a role in censorship) this concern needs to be immediately addressed and assuaged.
Undoubtedly, the CSC has advanced the United States’ cybersecurity interests. Still, one of the challenges it potentially creates is increasing the number of players involved in cybersecurity, perhaps further muddying an already confusing cybersecurity ecosystem in the United States. The government consistently produces cyber strategies, implements reforms, and creates bodies that the cyber footprint across the bureaucracy. And while it can be argued that every agency has a role to play in cyber given its reliance on the technology, shared interest in adversaries and vulnerabilities, and the need to secure it within its own parameters, there seems to be an abundance of overlapping and duplicate missions, which ultimately create a sense of confusion rather than clarity, regardless of the amount of interagency “coordination or cooperation.”
A Time article highlights this problem citing the numerous government entities involved in cybersecurity, as well as the standalone intelligence centers that track ongoing cyber threats, calling into question who ultimately is the peak in this very large pyramid. Add to this mix the potential creation of a dedicated cyber force, increased National Guard cyber roles as per CSC 2.0, and the establishment of House Permanent Select and Senate Select Committees on Cybersecurity, and things do not get clearer. A clear-cut reorganization of how this monolithic apparatus operates is very much needed but may be too large of a beast and require more than a four-year administration tenure to break down and rebuild with any success.
So, the new administration – whoever that may be – has some things to consider. The fact that neither candidate has made cyber a focus of their political platforms suggests that they will turn to those advisors they have chosen to address the issue. This may be good for the CSC 1.0 and 2.0 in that it provides both candidates a ready-made plan to follow, and a scapegoat to point to if continued implementation doesn’t yield any noticeable returns in America’s cybersecurity posture. Because in the end, it will be the results that matter – not the fact that 100% of recommendations have been achieved, but what they did to actually improve the country’s cybersecurity posture. And that can be measured by the reduction of attacks against critical infrastructures, the speed with which mitigation occurred against cybercrime activity, and the number of times adversaries were deterred. That’s the type of success that the public can understand, and after so many years and money invested in government-led cybersecurity efforts, it so desperately deserves.