In March 2020, the U.S. Cyberspace Solarium Commission released its report detailing numerous recommendations for how the nation can strengthen its online infrastructure and overall security posture. The Cyberspace Solarium Commission tackled issues of security strategy and overall cybersecurity preparedness across both the private and public sectors in the U.S. Though its recommendations were largely directed at Congress, their scope and potential effects span all branches of government as well as private industry.
In particular, the report highlights three types of threats directed at the private sector:
- Cyber crimes that are perpetrated for financial gain
- Intellectual property theft
- Interference with private-sector-run critical infrastructure during times of conflict
While some of the pillars and key recommendations of the report focus on government cybersecurity, others squarely involve the private sector and are of significant relevance and interest to enterprises. These points include recommendations around promoting national resilience, especially in such a way as to “operationalize cybersecurity collaboration with the private sector.” The following are four recommendations laid out in the report.
Focus on Deterrence
The Cyberspace Solarium Commission report emphasizes the government’s commitment to deterrence in cyberspace through a layered strategy that combines enhanced resilience and attribution with stronger signaling. The report describes three components of this strategy:
- Shaping behavior to promote the responsible use of cyberspace
- Denying benefits of cyberattacks to adversaries
- Imposing costs on adversaries who launch cyberattacks at targets in the U.S.
While the government will play a major role in implementing that deterrence strategy, the report also calls out the need for private companies, especially operators of critical infrastructure, to “step up and strengthen their security posture.” This is particularly important for the second component of layered cyber deterrence: denying benefits to adversaries who target U.S.-based companies and infrastructure.
To make deterrence feasible, the Commission found, private industry actors responsible for critical infrastructure must take cybersecurity seriously all the way up to the executive level. Further, they must take proactive steps to contain and prevent cyberattacks in order to maintain the overall resilience of national infrastructure. In keeping with that mission of resilience, the report also recommends that the public and private sectors jointly develop a “Continuity of the Economy” to be used in the event of a significant cyber disruption.
Support Systemically Important Critical Infrastructure
The report encourages greater government support for the operators of “systemically important critical infrastructure” (SICI) in the form of increased information sharing and other types of special support from the government. For instance, the report advises that SICI operators, in the event of a cyberattack, should receive privileged intelligence information from the government, as well as prioritized and expedited federal assistance.
The authors of the report also suggest that, in exchange, infrastructure operators should be asked to shoulder additional security responsibilities, given the unique and essential nature of their services.
Maintain Situational Awareness of Cyberthreats
Another section of the report focuses on going beyond just information sharing between the private and public sectors and moving toward stronger, more integrated joint situational awareness of cyberthreats. The recommendations made by the Commission to achieve this goal include establishing a Joint Collaborative Environment where cyberthreat information and other relevant data can be correlated, analyzed and rapidly disseminated to both industry and government entities.
An additional suggestion focuses on expanding and standardizing voluntary threat detection programs to serve as an “early warning network” and enhance situational awareness.
Integrate Public-Sector and Private-Sector Defense Efforts
Finally, the Solarium Commission report designates the integration of public-sector and private-sector cyber defense efforts as another strategic objective in strengthening the public-private partnership on cybersecurity. Specifically, the report calls for the establishment of a public-private integrated cyber center within the Cybersecurity and Infrastructure Security Agency in DHS, as well as a Joint Cyber Planning Cell to “coordinate cybersecurity planning and readiness.”
The initial proposed steps include the government identifying areas of cybersecurity work where the public and private sectors might benefit from greater integration or even collocation. The National Security Agency’s Cybersecurity Directorate is another branch of government that the report highlights as a potential place for greater interaction and integration with the private sector.
As a model for what this integration might look like, the Commission points to the U.K.’s National Cybersecurity Centre, which engages in both classified and unclassified collaboration with private-sector entities. Another suggestion of the report focuses on integrating more private-sector personnel into government cyber defense efforts by mitigating obstacles posed by the security clearance program.
While the purpose of the report was not to create binding directives or set any specific goals, enterprises can expect that the Commission’s findings and suggestions will inform specific objectives in the future. Leaders should bear these proposals in mind as they steer their own organizations in the coming years and do what they can now to prepare for the incoming wave of government-industry collaboration.
assistant professor of cybersecurity policy at the Tufts University Fletcher School of Law and Diplomacy