The Cyberspace Solarium Commission released its Annual Implementation Report August 12 showing significant progress on recommendations that have been implemented, are nearing implementation, or are on track for implementation, but also showing some work that remains undone.
According to the report, 22 percent of the commission’s 82 original recommendations had been implemented at the time of publishing, while another 13.4 percent are nearing implementation, and 43.9 percent are on track for implementation. Progress on implementation of 13.9 percent of recommendations has been limited, and the remaining 4.9 percent of recommendations have seen significant barriers to implementation.
The commission’s co-chairs and a pair of senior directors walked through the report’s findings, some successes, and areas for improvement at an August 12 webinar.
“I think one of the things that I’ve learned since the commission report is the problem is more urgent than we thought,” Commission Co-Chair Sen. Angus King, I-Maine, said. “This job is not done, and it will never be done because the adversaries are always … coming up with new ways to attack us and we’ve got to be able to adjust and then reflect that, that real sense of urgency about this.”
Successes and Room to Grow
Even with an increased sense of urgency around the issue of the nation’s cybersecurity, Sen. King and fellow co-chair Rep. Mike Gallagher, R-Wis., were able to point to a number of implementation successes over the past year.
Among them were the implementation, appointment, and confirmation of National Cyber Director Chris Inglis, as well as related bills to funding and staffing his office. Others include establishing Sector Risk Management Agencies among the Federal agencies responsible for oversight of the 16 critical infrastructure sectors, Sen. King and Rep. Gallagher said.
As far as areas that need more progress, the lawmakers pointed to passage in the House earlier this year of the Cyber Diplomacy Act – which would help establish how the nation engages in cybersecurity at the international level – and the need for a Bureau of Cyber Statistics as two main areas where U.S. cybersecurity can still improve. They also pointed to the continuing need for a clearly defined national cyber deterrence policy.
“Our report contains more than just concrete recommendations,” Rep. Gallagher said. “It contains the strategy and a vision for National Cyber Security. So, as we move forward, and we think about the commission’s success, one thing that remains to be seen is whether the strategy of layered cyber deterrence actually influences the way the administration thinks about the issue.”
‘Significant Barriers to Implementation’
Laura Bate, a senior director at the commission and one of the report’s authors, said progress on the commission’s recommendations was determined by the passage and progress of legislation, appropriations, or executive orders related to the recommendation; public statements; and other actions as they relate to foreign policy.
Bate made sure to note that while 4.9 percent of the commission’s recommendations are currently listed as facing significant barriers to implementation, that doesn’t mean the commission is giving up on those initiatives.
“Sometimes that means the timing just wasn’t right, but that can also often be our way of telling the larger community that there’s something there for which we all need you to help build momentum,” Bate said. “So … across the board, where you see slowdowns, where you see delays, take that as a signal flare and not a write-off. We haven’t given up on any of them yet and, by and large, most of them are moving on nicely.”
Fellow senior director Robert Morgus said the way the commission views itself has changed since its inception. When setting up, he said, the group viewed itself as a non-crisis commission, but as the rate of cyberattacks has increased, the commission’s view of itself has changed.
“I think the way that the environment has evolved over the last two years or three years, has turned us into a more of an urgent or crisis commission,” Morgus said. “The way that both the incidents – as this sort of cadence of incidents and attacks has increased – and the severity of the increase in attacks as well. I think that’s changed the political landscape when it comes to cyber policy.”