National Cybersecurity Infrastructure Efforts Bearing Fruit
The U.S. has achieved notable progress in bolstering its cybersecurity infrastructure, with approximately 70% of the Cyberspace Solarium Commission’s recommendations put into action, according to a CSC 2.0 report.
The report assessed the advancements in implementing these recommendations, originally established in March 2020 with 82 initial suggestions, later expanded to 116 by the commission.
This progress comes as the nation benefits from increased investments in cybersecurity, including significant funding allocated in the fiscal year 2023 omnibus spending bill.
The report highlighted that 70% of the CSC’s recommendations are fully implemented or in the final stages of implementation, while another 20% are on track for adoption.
Key achievements include the establishment of the State Department’s Bureau of Cyberspace and Digital Policy, aimed at addressing ransomware and other cybersecurity threats through international diplomacy.
Additionally, the Securities and Exchange Commission’s (SEC) adoption of the cybersecurity incident reporting rule has been commended for enhancing transparency and accountability in corporate governance.
The report also mentioned key gaps in the nation’s cybersecurity posture, particularly in the resilience of federal networks and critical infrastructure sectors like health care and agriculture.
Jim Kelly, RVP of endpoint security at Tanium, noted that health care is dealing with issues like keeping patient data safe, securing medical devices and making sure health care services aren’t disrupted.
“We need to use better encryption, protect medical devices and have tested incident response plans to be able to respond quickly if an event occurs,” he said.
He added that agriculture relies a lot on technology, with everything from crop management to supply chains going digital.
“It’s vulnerable to supply chain problems and attacks on connected devices,” he said. “To improve security, we should focus on supply chain safety, protecting IoT devices and educating the workforce.”
Mika Aalto, co-founder and CEO at Hoxhunt, said altogether, the work of the CSC reminded him a bit of the early days of international climate change and environmental and sustainability standards.
“Creating a new leadership and coordination role for the National Cyber Director is a good concrete step because change needs to start from the top, and there are a lot of changes and processes that must be defined and enforced,” he said.
He said he believed the CSC will be making its biggest impact on initiatives that show how cybersecurity touches people’s working and personal lives and brings awareness to the masses of the mutual responsibilities against this multi-trillion-dollar threat, from the board room to the mail room.
“We’re seeing elements of that with critical infrastructure companies required to report cybersecurity incidents, diplomatic efforts on cyberspace and digital issues and the launching of a public-private partnership to defend against cybersecurity threats,” Aalto pointed out.
He noted that the National Risk Management Act and the Federal Information Security Modernization Act aimed to correct the lack of a comprehensive and coordinated approach to mitigating the most significant cybersecurity risks and update the currently inconsistent cybersecurity policies and practices across federal agencies.
“This might mean the establishment of a National Risk Management Strategy and Plan, the modernization and streamlining of the federal cybersecurity policies and practices, the enhancement of the oversight and accountability mechanisms for federal cybersecurity and the improvement of the cybersecurity collaboration and information sharing between the federal government and the private sector,” he said.
From his perspective, focus needs to be placed on people because that’s where the cybercriminals are putting most of their attention.
“We can significantly turn the tide of the cybercrime wave with the creation and implementation of a National Cybersecurity Education and Training Program and the development and adoption of a National Data Security and Privacy Protection Law,” he said.
He cautioned that social engineering and phishing attacks will always slip through the cracks of our technical defenses, and it’s up to the security community to transform people from top risks to valuable security resources when that happens.
“Let’s build security into the fabric of our society, from how we conduct ourselves online to establishing security-by-design principles in our software and IoT and consumer devices,” Aalto said.
He said CISA can be further empowered to provide more effective and proactive cybersecurity services and assistance and improve the security of consumer smart devices.
“The attack surface needs to be tightened up, and our data protection processes need to be strengthened,” he added.
