In March 2020, the U.S. Cyberspace Solarium Commission released its report detailing numerous recommendations for how the nation can strengthen its online infrastructure and overall security posture. The Cyberspace Solarium Commission tackled issues of security strategy and overall cybersecurity preparedness across both the private and public sectors in the U.S. Though its recommendations were largely directed at Congress, their scope and potential effects span all branches of government as well as private industry.

In particular, the report highlights three types of threats directed at the private sector:

  • Cyber crimes that are perpetrated for financial gain
  • Intellectual property theft
  • Interference with private-sector-run critical infrastructure during times of conflict

While some of the pillars and key recommendations of the report focus on government cybersecurity, others squarely involve the private sector and are of significant relevance and interest to enterprises. These points include recommendations around promoting national resilience, especially in such a way as to “operationalize cybersecurity collaboration with the private sector.” The following are four recommendations laid out in the report.

Focus on Deterrence

The Cyberspace Solarium Commission report emphasizes the government’s commitment to deterrence in cyberspace through a layered strategy that combines enhanced resilience and attribution with stronger signaling. The report describes three components of this strategy:

  • Shaping behavior to promote the responsible use of cyberspace
  • Denying benefits of cyberattacks to adversaries
  • Imposing costs on adversaries who launch cyberattacks at targets in the U.S.

While the government will play a major role in implementing that deterrence strategy, the report also calls out the need for private companies, especially operators of critical infrastructure, to “step up and strengthen their security posture.” This is particularly important for the second component of layered cyber deterrence: denying benefits to adversaries who target U.S.-based companies and infrastructure.

To make deterrence feasible, the Commission found, private industry actors responsible for critical infrastructure must take cybersecurity seriously all the way up to the executive level. Further, they must take proactive steps to contain and prevent cyberattacks in order to maintain the overall resilience of national infrastructure. In keeping with that mission of resilience, the report also recommends that the public and private sectors jointly develop a “Continuity of the Economy” plan to be used in the event of a significant cyber disruption.

Support Systemically Important Critical Infrastructure

The report encourages greater government support for the operators of “systemically important critical infrastructure” (SICI) in the form of increased information sharing and other types of special support from the government. For instance, the report advises that SICI operators, in the event of a cyberattack, should receive privileged intelligence information from the government, as well as prioritized and expedited federal assistance.

The authors of the report also suggest that, in exchange, infrastructure operators should be asked to shoulder additional security responsibilities, given the unique and essential nature of their services.

Maintain Situational Awareness of Cyberthreats

Another section of the report focuses on going beyond just information sharing between the private and public sectors and moving toward stronger, more integrated joint situational awareness of cyberthreats. The recommendations made by the Commission to achieve this goal include establishing a Joint Collaborative Environment where cyberthreat information and other relevant data can be correlated, analyzed and rapidly disseminated to both industry and government entities.

An additional suggestion focuses on expanding and standardizing voluntary threat detection programs to serve as an “early warning network” and enhance situational awareness.

Integrate Public-Sector and Private-Sector Defense Efforts

Finally, the Solarium Commission report designates the integration of public-sector and private-sector cyber defense efforts as another strategic objective in strengthening the public-private partnership on cybersecurity. Specifically, the report calls for the establishment of a public-private integrated cyber center within the Cybersecurity and Infrastructure Security Agency in DHS, as well as a Joint Cyber Planning Cell to “coordinate cybersecurity planning and readiness.”

The initial proposed steps include the government identifying areas of cybersecurity work where the public and private sectors might benefit from greater integration or even collocation. The National Security Agency’s Cybersecurity Directorate is another branch of government that the report highlights as a potential place for greater interaction and integration with the private sector.

As a model for what this integration might look like, the Commission points to the U.K.’s National Cyber Security Centre, which engages in both classified and unclassified collaboration with private-sector entities. Another suggestion of the report focuses on integrating more private-sector personnel into government cyber defense efforts by mitigating obstacles posed by the security clearance program.

While the purpose of the report was not to create binding directives or set any specific goals, enterprises can expect that the Commission’s findings and suggestions will inform specific objectives in the future. Leaders should bear these proposals in mind as they steer their own organizations in the coming years and do what they can now to prepare for the incoming wave of government-industry collaboration.
