August 12, 2021 | Cyberspace Solarium Commission

Cyberspace Solarium Commission 2021 Annual Report on Implementation

Executive Summary

The United States has a problem in cyberspace. The recent torrent of hacks, intrusions, breaches, ransomware, and shutdowns demonstrates that we have much more to do to secure Americans’ lives and livelihoods online. This is true for the private sector, where it is far past time for business leaders to proactively protect critical infrastructure and secure sensitive information. It is also true for the government, where issues of jurisdiction, bureaucracy, and underinvestment hamper efforts to combat cyber threats, build effective public-private collaboration, and promote responsible behavior in cyberspace. Complex and interwoven challenges like these were precisely what motivated the Cyberspace Solarium Commission’s work and informed the Commission’s March 2020 report. Last year we concluded that attaining meaningful security in cyberspace requires action across many coordinated fronts. We have seen a great deal of progress in implementing the original 82 recommendations from that report, as well as the recommendations we added in white papers along the way.

But these changes are just beginning, and the threat remains every bit as real this year. As a country, we all—businesses, government, civil society, and individuals—need to act with more speed and agility when it comes to securing cyberspace. That means investing in enterprise cybersecurity before attacks happen, developing a clear cyber strategy, sharing threat information at the speed of data, ensuring that our teachers have the tools they need to kindle a spark of interest that will one day lead a student to a cyber job, and so much more. Keeping in mind the monumental work still ahead of us, we find several highlights in assessing the Commission’s progress to date:

Evaluating the Big Picture – The Commission’s report was more than a collection of recommendations. It was also a strategic approach to and assessment of the cyber threat landscape. In some cases, the accuracy of the Commission’s analysis is obvious: the drumbeat of significant cyberattacks undeniably increased as expected, but we certainly did not predict that the COVID-19 pandemic would create a new opportunity for such attacks. In other cases, evaluating the Commission’s work is more difficult. While the Commission’s strategic approach of layered cyber deterrence has remained a valuable framework for evaluating possible U.S. actions to defend against attacks of significant consequence, understanding its larger impact will require more time and better mechanisms for measuring improvements in national cybersecurity. In the meantime, individual recommendations that anchor that strategic approach are well on their way to implementation.

Major Steps Forward – A number of the Commission’s key recommendations have been implemented by the Congress or executive branch; in other cases, significant progress toward their implementation is being made. The establishment, nomination, and confirmation of a National Cyber Director (Recommendation 1.3) represents significant progress toward implementing the Commission’s highest-priority goals. The FY21 National Defense Authorization Act included provisions to strengthen the Cybersecurity and Infrastructure Security Agency (Recommendation 1.4), codify Sector Risk Management Agencies (Recommendation 3.1), establish a Continuity of the Economy plan (Recommendation 3.2), establish a Joint Cyber Planning Office (Recommendation 5.4), and require a force structure assessment of the Cyber Mission Force (Recommendation 6.1). Meanwhile, both Trump and Biden administration actions have made inroads toward implementing an information and communications technology or ICT industrial base strategy (Recommendation 4.6), and the President’s Budget Request proposes a Cyber Response and Recovery Fund (Recommendation 3.3).

Remaining Priorities – Progress in implementing Commission recommendations has been remarkable, but not universal, and many key issues remain priorities for the Commission’s future work. Codifying the concept of Systemically Important Critical Infrastructure (Recommendation 5.1) and establishing a Joint Collaborative Environment (Recommendation 5.2) continue to be complex, challenging, and high-priority goals. The Cyber Diplomacy Act (Recommendation 2.1), which has yet to pass the Senate, would implement the Commission’s recommendation for a cyber-focused bureau at the State Department. Several recommendations—like the establishment of House Permanent Select and Senate Select Committees on Cybersecurity (Recommendation 1.2) and a National Data Security and Privacy Protection Law (Recommendation 4.7)—have met resistance and are unlikely to move forward in the near future. However, the Commission remains dedicated to refining and advancing these recommendations. The policy community may not be prepared to take on these hard problems today, but we are making sure that the recommendations are ready when the time comes.

The Commission is proud of its progress but recognizes that in order to determine where we go next in cybersecurity, we must be clear-eyed about what is not working. And we understand that many of the remaining recommendations are not low-hanging fruit; we need to keep climbing to get many of them done. Many critical recommendations are not implemented yet, but that does not mean we intend to write them off as a loss and move on. With that in mind, the analysis below does more than just enumerate recommendations that have or have not been implemented. It also outlines remaining priorities and the adaptations made by the Commission to improve its approach.

We have endeavored to be very careful in our use of the word “success” in this report. Real success is protecting national critical infrastructure from malicious cyber activity. We believe that these recommendations will help the country achieve that success, but we are under no illusions that the work ends when a recommendation becomes law or an executive order incorporates a Commission priority. This report draws a map connecting our current reality in cyberspace to a future when Americans can rely on the digital infrastructure that surrounds us. Implementation of the Commission’s recommendations is only the very first step toward a connected world we can trust. All of us—and each of you—share responsibility for every step after that.
