In March 2020, the U.S. Cyberspace Solarium Commission released its report detailing numerous recommendations for how the nation can strengthen its online infrastructure and overall security posture. The Cyberspace Solarium Commission tackled issues of security strategy and overall cybersecurity preparedness across both the private and public sectors in the U.S. Though its recommendations were largely directed at Congress, their scope and potential effects span all branches of government as well as private industry.

In particular, the report highlights three types of threats directed at the private sector:

  • Cyber crimes that are perpetrated for financial gain
  • Intellectual property theft
  • Interference with private-sector-run critical infrastructure during times of conflict

While some of the pillars and key recommendations of the report focus on government cybersecurity, others squarely involve the private sector and are of significant relevance and interest to enterprises. These points include recommendations around promoting national resilience, especially in such a way as to “operationalize cybersecurity collaboration with the private sector.” The following are four recommendations laid out in the report.

Focus on Deterrence

The Cyberspace Solarium Commission report emphasizes the government’s commitment to deterrence in cyberspace through a layered strategy that combines enhanced resilience and attribution with stronger signaling. The report describes three components of this strategy:

  • Shaping behavior to promote the responsible use of cyberspace
  • Denying benefits of cyberattacks to adversaries
  • Imposing costs on adversaries who launch cyberattacks at targets in the U.S.

While the government will play a major role in implementing that deterrence strategy, the report also calls out the need for private companies, especially operators of critical infrastructure, to “step up and strengthen their security posture.” This is particularly important for the second component of layered cyber deterrence: denying benefits to adversaries who target U.S.-based companies and infrastructure.

To make deterrence feasible, the Commission found, private industry actors responsible for critical infrastructure must take cybersecurity seriously all the way up to the executive level. Further, they must take proactive steps to contain and prevent cyberattacks in order to maintain the overall resilience of national infrastructure. In keeping with that mission of resilience, the report also recommends that the public and private sectors jointly develop a “Continuity of the Economy” plan to be used in the event of a significant cyber disruption.

Support Systemically Important Critical Infrastructure

The report encourages greater government support for the operators of “systemically important critical infrastructure” (SICI) in the form of increased information sharing and other types of special support from the government. For instance, the report advises that SICI operators, in the event of a cyberattack, should receive privileged intelligence information from the government, as well as prioritized and expedited federal assistance.

The authors of the report also suggest that, in exchange, infrastructure operators should be asked to shoulder additional security responsibilities, given the unique and essential nature of their services.

Maintain Situational Awareness of Cyberthreats

Another section of the report focuses on going beyond just information sharing between the private and public sectors and moving toward stronger, more integrated joint situational awareness of cyberthreats. The recommendations made by the Commission to achieve this goal include establishing a Joint Collaborative Environment where cyberthreat information and other relevant data can be correlated, analyzed and rapidly disseminated to both industry and government entities.

An additional suggestion focuses on expanding and standardizing voluntary threat detection programs to serve as an “early warning network” and enhance situational awareness.

Integrate Public-Sector and Private-Sector Defense Efforts

Finally, the Solarium Commission report designates the integration of public-sector and private-sector cyber defense efforts as another strategic objective in strengthening the public-private partnership on cybersecurity. Specifically, the report calls for the establishment of a public-private integrated cyber center within the Cybersecurity and Infrastructure Security Agency in DHS, as well as a Joint Cyber Planning Cell to “coordinate cybersecurity planning and readiness.”

The initial proposed steps include the government identifying areas of cybersecurity work where the public and private sectors might benefit from greater integration or even collocation. The National Security Agency’s Cybersecurity Directorate is another branch of government that the report highlights as a potential place for greater interaction and integration with the private sector.

As a model for what this integration might look like, the Commission points to the U.K.’s National Cyber Security Centre, which engages in both classified and unclassified collaboration with private-sector entities. Another suggestion of the report focuses on integrating more private-sector personnel into government cyber defense efforts by mitigating obstacles posed by the security clearance program.

While the purpose of the report was not to create binding directives or set any specific goals, enterprises can expect that the Commission’s findings and suggestions will inform specific objectives in the future. Leaders should bear these proposals in mind as they steer their own organizations in the coming years and do what they can now to prepare for the incoming wave of government-industry collaboration.