In March 2020, the U.S. Cyberspace Solarium Commission released its report detailing numerous recommendations for how the nation can strengthen its online infrastructure and overall security posture. The Cyberspace Solarium Commission tackled issues of security strategy and overall cybersecurity preparedness across both the private and public sectors in the U.S. Though its recommendations were largely directed at Congress, their scope and potential effects span all branches of government as well as private industry.

In particular, the report highlights three types of threats directed at the private sector:

  • Cyber crimes that are perpetrated for financial gain
  • Intellectual property theft
  • Interference with private-sector-run critical infrastructure during times of conflict

While some of the pillars and key recommendations of the report focus on government cybersecurity, others squarely involve the private sector and are of significant relevance and interest to enterprises. These points include recommendations around promoting national resilience, especially in such a way as to “operationalize cybersecurity collaboration with the private sector.” The following are four recommendations laid out in the report.

Focus on Deterrence

The Cyberspace Solarium Commission report emphasizes the government’s commitment to deterrence in cyberspace through a layered strategy that combines enhanced resilience and attribution with stronger signaling. The report describes three components of this strategy:

  • Shaping behavior to promote the responsible use of cyberspace
  • Denying benefits of cyberattacks to adversaries
  • Imposing costs on adversaries who launch cyberattacks at targets in the U.S.

While the government will play a major role in implementing that deterrence strategy, the report also calls out the need for private companies, especially operators of critical infrastructure, to “step up and strengthen their security posture.” This is particularly important for the second component of layered cyber deterrence: denying benefits to adversaries who target U.S.-based companies and infrastructure.

To make deterrence feasible, the Commission found, private industry actors responsible for critical infrastructure must take cybersecurity seriously all the way up to the executive level. Further, they must take proactive steps to contain and prevent cyberattacks in order to maintain the overall resilience of national infrastructure. In keeping with that mission of resilience, the report also recommends that the public and private sectors jointly develop a “Continuity of the Economy” to be used in the event of a significant cyber disruption.

Support Systemically Important Critical Infrastructure

The report encourages greater government support for the operators of “systemically important critical infrastructure” (SICI) in the form of increased information sharing and other types of special support from the government. For instance, the report advises that SICI operators, in the event of a cyberattack, should receive privileged intelligence information from the government, as well as prioritized and expedited federal assistance.

The authors of the report also suggest that, in exchange, infrastructure operators should be asked to shoulder additional security responsibilities, given the unique and essential nature of their services.

Maintain Situational Awareness of Cyberthreats

Another section of the report focuses on going beyond just information sharing between the private and public sectors and moving toward stronger, more integrated joint situational awareness of cyberthreats. The recommendations made by the Commission to achieve this goal include establishing a Joint Collaborative Environment where cyberthreat information and other relevant data can be correlated, analyzed and rapidly disseminated to both industry and government entities.

An additional suggestion focuses on expanding and standardizing voluntary threat detection programs to serve as an “early warning network” and enhance situational awareness.

Integrate Public-Sector and Private-Sector Defense Efforts

Finally, the Solarium Commission report designates the integration of public-sector and private-sector cyber defense efforts as another strategic objective in strengthening the public-private partnership on cybersecurity. Specifically, the report calls for the establishment of a public-private integrated cyber center within the Cybersecurity and Infrastructure Security Agency in DHS, as well as a Joint Cyber Planning Cell to “coordinate cybersecurity planning and readiness.”

The initial proposed steps include the government identifying areas of cybersecurity work where the public and private sectors might benefit from greater integration or even collocation. The National Security Agency’s Cybersecurity Directorate is another branch of government that the report highlights as a potential place for greater interaction and integration with the private sector.

As a model for what this integration might look like, the Commission points to the U.K.’s National Cybersecurity Centre, which engages in both classified and unclassified collaboration with private-sector entities. Another suggestion of the report focuses on integrating more private-sector personnel into government cyber defense efforts by mitigating obstacles posed by the security clearance program.

While the purpose of the report was not to create binding directives or set any specific goals, enterprises can expect that the Commission’s findings and suggestions will inform specific objectives in the future. Leaders should bear these proposals in mind as they steer their own organizations in the coming years and do what they can now to prepare for the incoming wave of government-industry collaboration.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…