The Cyberspace Solarium Commission recently released a report on the U.S. government's cyber readiness, which found that “the U.S. is currently not designed to act with the speed and agility necessary to defend the country in cyberspace.” The report also outlined a three-tiered strategy of “layered cyber deterrence” to reduce the consequences of cyberattacks. These layers include:
● Shaping acceptable international norms in cyberspace
● Denying benefits to adversaries seeking gain through cyber capabilities
● Imposing greater costs—including direct retaliation when necessary—on malicious actors.
The report is incredibly comprehensive and well-considered, offering 75 recommendations for action across the public and private sectors. The call to invest in the National Cyber Moonshot Initiative is particularly welcome. I would suggest there are three additional key areas that must be addressed even further.
Empowering Local Law Enforcement
Although there is mention of international law enforcement and federal law enforcement, we desperately need to strengthen local law enforcement’s ability to handle cybercrime. We cannot elevate everything to the federal level, nor can we wait until activities rise to the level of a national response. By that time, the adversaries and criminals already have a foothold. That foothold could serve as a baseline for a future attack, potentially escalating to a larger scale. Addressing it at a local level allows us to keep one step ahead of a much larger data breach, which means preparing our local law enforcement for success in such a situation.
Unfortunately, there is still hesitation to report suspicious activity when we are unsure of what caused it and what its consequences might be. People shouldn’t be punished for being the victim of a crime, and while we must hold people accountable for their bad behaviors, we must continue to put even more pressure on the perpetrators.
Council for Defense Industrial Base Enterprises
As recommended within the Cyberspace Solarium Commission report, “a shared picture of the threat environment within a defense industrial base (DIB) is essential to proactively and comprehensively address cyber threats and vulnerabilities to this key sector.” This recommendation is more valuable for small and medium DIB enterprises. However, sharing has to be done in a manner that small and medium companies with limited cyber expertise can digest and put to use. The large primes already participate in government and industry consortiums for threat intelligence sharing, like the Critical Infrastructure Partnership Advisory Commission, and are required to share incident data today; threat hunting is also a standard feature of DIB cybersecurity programs.
While these three activities have merit, nation-state cyber actors are quick to evolve, and that means that we need a more dynamic governance model for the DIB and government to maintain collective cybersecurity. A standing Cybersecurity Council of government and DIB members (the large primes, with several small and medium contractors) would help speed the process for determining how best to collaborate and adapt, rather than the current model of contractors meeting in sector meetings, and the government separately issuing DFARS proposals and RFIs.
5G Adaptations & Protecting Critical Infrastructure
This report contains a series of recommendations around 5G that are very important to the future of internetworking security. In order to take advantage of the inherent security capabilities that 5G could bring, we need to take collective public-private action before we fully deploy our national infrastructure. For example, if we work together, we could create networks that establish transaction-appropriate security slices (e.g. banking transactions; e-commerce; healthcare administration), rather than having our devices on the common internet carrying our polluted “digital dust” from one session to the next.
We must also ask what should be the government’s responsibility for protecting critical infrastructure within the private sector. Fortunately, simple actions such as tighter collaboration with telecom and internet providers may help to protect endpoints more effectively - actively blocking malicious activity rather than allowing it to be delivered to our devices.
Ultimately, while this is truly a comprehensive report that touches upon many different facets of cyberspace and our need to protect it, it also brings attention to the efforts needed from the whole government in order to address cybersecurity effectively. Cyber is part of every transaction we make, and we must work together to protect it.
About the Author: Michael K. Daly has more than 34 years in security and information systems, in both the federal government and private sector. Daly is the Chief Technology Officer of Cybersecurity and Special Missions and a principal engineering fellow at Raytheon Intelligence and Space, where he provides cyber solutions to domestic and international government and commercial customers, delivers quick-reaction mission solutions, and provides support to high-consequence special missions. He supports the U.S. President's National Security Telecommunications Advisory Committee; is a member of the Rhode Island Homeland Security Advisory Board and the Massachusetts Cybersecurity Strategy Council; is Chair of the Kogod Cybersecurity Governance Center at American University; and is a member of the Forcepoint Product Advisory Council.
He was the 2006 recipient of the People’s Choice Award for the ISE New England Information Security Executive of the Year and the 2007 recipient of the Security 7 Award for the Manufacturing sector. He earned his bachelor’s degree in mechanical engineering from Boston University.