With the SolarWinds and Microsoft Exchange hacks framing every discussion around federal cybersecurity efforts, policy pros are offering a variety of steps as top priorities for legislative and executive branch action this year, including doubling down on better identifying and securing critical functions and infrastructure.
“I think we [the Cyberspace Solarium Commission] will be working about 25-30 legislative proposals this year,” commission senior advisor Mark Montgomery said. But a key underlying priority, he said, will be “how we better protect the federal government’s IT networks. What is the appropriate level of investment in technology, processes and people, to include issues such as how much centralization is required, and how do we improve adaptation of continuous monitoring and threat hunting inside the networks.”
Kent Landfield, chief standards and technology policy strategist at McAfee, likewise recently told Inside Cybersecurity that Cybersecurity and Infrastructure Security Agency officials need to focus on cleaning up federal networks with an infusion of funding via the COVID relief package, as well as on incorporating new responsibilities for the .gov domain.
A senior administration official late last week described priorities and next steps beyond the immediate four-week dash to remediate the SolarWinds and Microsoft Exchange hacks, such as addressing gaps in technology and software security, and in info-sharing between government and industry.
Policy pros are looking at both broad and discrete cyber steps that are possible this year, including pieces from the 2020 Cyberspace Solarium Commission report that weren’t folded into the annual defense policy bill enacted in January.
Former DHS cyber leader Phil Reitinger, now head of the Global Cyber Alliance, called for “funding and authorities to drive IT modernization to cloud and shared services with cybersecurity embedded by design.”
Further, Reitinger said, policy leaders must “build support for strengthening cybersecurity/internet ‘health’ metrics to support ecosystem-wide risk management, including establishing a Bureau of Cyber Statistics as recommended by the Cyberspace Solarium Commission.”
And, he said, “help widen CISA’s focus to national economic security over and above ‘critical infrastructure protection,’ with significant resources devoted to the additional stakeholders like small businesses that are a key part of the economy.”
“The one that I think has the most legs is the idea of a Bureau of Cyber Statistics. My guess is that there is a 50/50 chance it will move this year as part of the NDAA,” said Paul Rosenzweig of the R Street Institute and a former senior DHS official. Such a bureau was among the Solarium Commission’s recommendations but didn’t make it into the fiscal 2021 NDAA. “I don’t see this divided Congress moving much else, unless the Democrats blow up the filibuster for other reasons — they won’t do it for cyber, of course — in which case, all bets are off.”
Montgomery, who serves as a senior director for the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation in addition to playing a key role on the Solarium Commission, said, “The big issues I see being examined this year” include completing a cyber reorganization at the State Department as well as steps on CISA authority and critical infrastructure.
He expects action on the “Cyber Diplomacy Act,” which he said would “establish a bureau for cyber policy at the State Department, located in a position to provide cross-cutting leadership throughout the department.”
Further, Montgomery called for “establishing a ‘Cyber State of Distress’ that CISA can declare and access resources — including Defense Support to Civil Authority and the Defense Production Act — to support state/local governments and commercial infrastructure that is at risk.”
And, he said, federal officials and lawmakers should continue efforts to “identify and codify systemically important critical infrastructure, those national critical functions that have to be protected, and determine the rule sets for how the U.S. government assists and what the government demands of the operators of these critical functions.”
Montgomery also urged lawmakers to pass national data-breach notification and incident reporting legislation.
The senior Biden official last week suggested the administration is pursuing collaborative steps to foster information exchanges on cyber incidents rather than a mandatory reporting requirement. — Charlie Mitchell