Solarium Commission wants action on stalled cybersecurity recommendations

Since its release in 2020, the recommendations of the Cyberspace Solarium Commission have served as a roadmap for the Biden administration’s attempts to deliver broad improvements in computer security, but according to a report released Tuesday, a number of the panel’s key recommendations have stalled.

The recommendations that remain on the drawing board read like a to-do-list for federal cybersecurity policymakers: clarifying liability for federal cyber response efforts, modernizing campaign regulations to promote cybersecurity defenses, funding research and development centers to explore cybersecurity insurance certificates, the formation of congressional cybersecurity committees and establishing a national breach notification law.

Three years since its release, nearly 70% of the congressionally mandated Solarium Commission’s 80 initial recommendations have been implemented or are close to it, a testament to the report’s influence. But the chairmen of the commission warned in their follow-up report released on Tuesday that it is essential to maintain momentum in improving computer security at a time of widespread cyberattacks.

“We cannot afford to pause in the pursuit of enhanced cybersecurity,” wrote Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., in the report.

The initial Solarium Commission report and subsequent follow up white papers led to major policy changes, such as the creation of both the National Cyber Director and the State Department’s Bureau of Cyberspace and Digital Policy. But the annual implementation report from the C2C 2.0 — an organization spun off from the Solarium Commission — argues that while both the Biden administration and Congress have “taken significant steps” to improve U.S. cybersecurity efforts, more needs to be done.

Of the 116 total recommendations from the Solarium Commission, 42 are considered fully implemented, while 36 are “nearing implementation,” which means that the recommendation is either included in legislation or an executive order, there is a clear path to approval or the idea is partially implemented in a new law or policy.

Of the recommendations that are not yet fully implemented, 26 are considered to be “on track” to completion on some level, while 11 show limited or delayed progress.

Notably, only one recommendation is seen as facing “significant barriers” to adoption: the creation of a House Permanent Select and a Senate Select Committee on Cybersecurity. The report says that “significant pushback” against the creation of such a committee continues but notes that draft legislative language exists in case a major event like a cyberattack occurs that might help to overcome “political barriers.”

The lack of progress for select committees on cybersecurity is “one of the biggest failures of the work of the commission,” said King at an event for the launch of the report.

King also noted that the lack of a Joint Collaborative Environment is another aspect that is still lacking. The Joint Collaborative Environment is a type of public-private effort that aims at giving faster, actionable information to the private sector. CISA is rolling out a JCE project but the report — which says the recommendation is on track — notes that language codifying the program did not make it into the House fiscal year 2023 NDAA.

“We’ve got to build a situation where the private sector and the government can work together harmoniously, seamlessly in real time, and that doesn’t come naturally to either of those entities,” King said.

Gallagher pointed out that the development and maintenance of a continuation of the economy plan recommendation from the commission has not been treated seriously by the White House. The plan would look at how to revamp systems in case of a major cyberattack on multiple critical industries.

The White House delegated that responsibility to CISA, but the Solarium report notes that CISA’s efforts do not outline a way to update those plans, did not involve private sector participation and do not focus on economic recovery.

Gallagher said that the response from the White House was “a joke.”

On privacy, the Solarium Commission recommended passage of a national data security and privacy protection law. That idea that faces an uncertain future in Congress, but Tuesday’s implementation report nonetheless deems it “on track,” as several congressional committees have resumed discussions on federal privacy legislation.

The commission’s recommendation to form a Bureau of Cyber Statistics — a government body that would serve as a repository for cybersecurity data and address the paucity of data in the field of computer security — could be revived by Congress. Legislative language included in the Senate version of the National Defense Authorization Act would require the Defense Department to conduct a study on establishing such an office.

Other recommendations of the commission could be implemented with further executive action. Efforts to develop cyber confidence building measures could be taken on by the State Department’s new cyber bureau and developed in its forthcoming international cybersecurity strategy, Tuesday’s report notes.

Updated, Sept. 19, 2023: This article has been updated with additional quotes from Sen. Angus King and Rep. Mike Gallagher.