limit or infringe upon privacy, civil liberties, even the safety of individuals.” The commission has also recommended creating a Bureau of Cyberspace Security and Emerging Technologies at the State Department, along with an assistant secretary to lead the bureau. That idea has drawn less congressional support than the national
cyber director proposal, however.
Calling out cyber adversaries
Commissioners and lawmakers said they want to see the U.S. and allies get more aggressive about attributing major cyberattacks to specific groups and their patron countries. One recommendation is strengthening the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence to provide “analysis and coordination necessary for rapid and accurate attribution.”
The Justice Department and Special Counsel Robert Mueller’s investigation have issued indictments containing detailed accusations and evidence linking a series of intrusions and influence campaigns during the 2016 election to the Russian government, while the White House and other U.S. agencies have publicized evidence linking China, Iran and North Korea to other high-profile attacks.
Many of the individuals and entities had previously been identified by U.S. and other governments, causing Langevin to question whether more could be done to “shorten the timeline between incident and response” when it comes to attribution.
“The WannaCry and NotPetya malware, for instance, were both released in the first half of 2017, and we have known the culprits were the North Koreans and the Russians, respectively, for almost as long,” Langevin said. “Like-minded nations that believe that cyberspace is not the ‘Wild West’ must work together to take swift and decisive action in the face of continued belligerence from countries seeking to benefit from ‘gray zone’ conflict in cyberspace.” n
Selected recommendations from the Cyberspace Solarium Commission
The commission’s 175-page report calls for scores of changes across the public and private sectors, and another document includes 54 legislative proposals. Here are some of the recommendations that would most directly affect federal agencies.
• Assess the establishment of a Military Cyber Reserve.
• Clarify the cyber capabilities and strengthen the interoperability of the National Guard.
• Codify a “cyber state of distress” tied to a Cyber Response and Recovery Fund.
• Codify and strengthen the CyberThreat Intelligence Integration Center.
• Codify sector-specific agencies into law as sector risk management agencies and strengthen their ability to manage critical infrastructure risk.
• Create House permanent select and Senate select committees on cybersecurity.
• Designate a threat-hunting capability across the Defense Department Information Network.
• Designate responsibilities for cybersecurity services under the Defense Production Act.
• Direct DOD to create a major force program funding category for U.S. Cyber Command.
• Diversify and strengthen the federal cyberspace workforce.
• Establish a Bureau of Cyber Statistics.
• Establish a cyber bureau and assistant secretary position at the State Department.
• Establish a Joint Cyber Planning Cell under the Cybersecurity and Infrastructure Security Agency.
• Establish a national cyber director position.
• Establish a National Cybersecurity Assistance Fund to ensure consistent and timely funding for initiatives that underpin national resilience.
• Establish a public/private partnership on modeling cyber risk.
• Establish and fund a joint collaborative environment for sharing and fusing threat information.
• Establish and fund a national cybersecurity certification and labeling authority.
• Expand and support the National Institute of Standards andTechnology’s security work.
• Improve and expand planning capacity and readiness for cyber incident response and recovery efforts.
• Improve cybersecurity-capacity building and consolidate the funding of cyber foreign assistance.
• Improve the structure and enhance funding of the Election Assistance Commission.
• Incentivize IT security through federal acquisition regulations and Federal Information Security Management Act authorities.
• Incentivize the uptake of secure cloud services for small and midsize businesses and state, local, tribal and territorial governments.
• Increase support for supply chain risk management efforts.
• Institutionalize DOD’s participation in public/private cybersecurity initiatives.
• Pass a national breach notification law.
• Pass a national cyber incident reporting law.
• Reestablish the Office of Technology Assessment.
• Require defense industrial base participation in a threat intelligence-sharing program.
• Require threat hunting on defense industrial base networks.
• Resource a federally funded research and development center to develop cybersecurity insurance certifications.
• Review and update intelligence authorities to increase intelligence support for the broader private sector.
• Strengthen an integrated cyber center within CISA and promote the integration of federal cyber centers.
• Strengthen CISA.
• Strengthen the FBI’s cyber mission and the National Cyber Investigative JointTask Force.
• Strengthen the U.S. government’s ability to take down botnets.
August 2020 FCW.COM 35