Cyber Solarium lists top recommendations for next administration and Congress

The Cyberspace Solarium Commission has seen more than three-quarters of its recommendations adopted. But with cyber threats to critical U.S. infrastructure growing, the four-year-old panel is pushing for renewed cybersecurity action in the next administration and Congress.

The Cyber Solarium Commission 2.0, now housed at the Foundation for Defense of Democracies, released its 2024 annual report today. The report found that of the original 75 Cyber Solarium recommendations from March 2020, 80% have been implemented or are in the process of being implemented.

Among the key recommendations to be implemented are the appointment of a national cybersecurity director in the White House, the enactment of a national cyber incident reporting law, and the creation of an Office of Cyber and Digital Policy in the State Department.

But members of the Cyber Solarium say more will need to be done in the coming years to prevent threats like Volt Typhoon and other intrusions into critical infrastructure.

“Naming the threat should help us, Congress and the private sector, come together now and really get the collaboration that we need,” said Mark Montgomery, executive director of CSC 2.0, at an event on Capitol Hill today.

The Cyber Solarium’s top recommendation is to identify both the “benefits and burdens” of so-called “systemically important entities.” The Cybersecurity and Infrastructure Security Agency already identifies critical infrastructure organizations that qualify as “SIEs” because of their importance to critical U.S. systems.

However, the commission says the government should also set minimum cybersecurity requirements, as well as information-sharing benefits, for organisations deemed to be “SIEs”.

“What do these entities need to do to maintain some level of cybersecurity to deter an adversary?” Montgomery explained. “And what do we do as a government? What information do we need to share? How quickly can we get threat intelligence to them?”

Senator Angus King (I-Maine), one of the co-chairs of the original committee, highlighted the recommendation to develop a strong Continuity of Economic Exposure (COTE) plan in the event of a major cyber disruption.

“How do we respond if the worst happens? And if you don’t have a plan, there’s going to be chaos,” King said. “And that’s why I think this is incredibly important.”

Tom Fanning, CEO of Southern Company and original Solarium commissioner, highlighted another priority recommendation from CISA aimed at strengthening its emerging Joint Collaborative Environment (JCE).

The Commission recommends that the JCE serve as “an advanced, integrated platform that would facilitate real-time cyber threat intelligence sharing and analysis among government agencies, private sector entities, and international partners.”

Fanning said the JCE will help support other CISA and federal government efforts related to private critical infrastructure, especially during major cyberattacks.

“You can’t call a friend in a crisis,” Fanning said. “We have to organize something.”

Challenges in Cybersecurity Legislation and Governance

Montgomery said he is optimistic about the prospects for cyber policy in the executive branch, regardless of who wins the presidential election. But he is more concerned about the potential ineffectiveness of Congress.

“You can have a bipartisan problem in a broken Congress, but it’s hard to get anything done,” Montgomery said.

He also said the National Defense Authorization Act has become a less effective tool for enacting cyber policy since the House of Representatives passed more restrictive NDAA provisions two years ago.

“House and Senate leaders understand that cybersecurity is not anti-submarine warfare, air defense, tank warfare,” Montgomery said. “It is a national security issue that cuts across multiple committees but still requires the NDAA to be continually updated on an annual basis.”

Still, many of the Cyber Solarium’s top recommendations are either “in progress” or have “limited/delayed progress,” according to the 2024 report.

The irony is that for a congressionally-appointed commission, the only recommendation that “faces significant barriers to implementation” is congressional action: the creation of the House Permanent Select Committee on Elections and the Senate Elections Committee on Cybersecurity.

“You know where that went? Nowhere,” King said. “You have so many commissions that have parts of that jurisdiction.”

Copyright © 2024 Federal News Network. All rights reserved.