Washington: More than two years after the Cyberspace Solarium Commission made recommendations on how the US can bolster its cyber defences, nearly 85 percent have been implemented or are in progress — but others still face a few “significant hurdles,” says a new report. Overall, it’s work lawmakers said have already shown benefits when it comes to pushing back against Russian cyber activity.
The report, published today by Cyberspace Solarium Commission 2.0, paints a picture of some of the significant improvements over the past two years in US cybersecurity: Congress passed the Cyber Incident Reporting Act requiring companies to report cyber-attacks and ransom ware incidents, lawmakers increased funding for the Cybersecurity and Infrastructure Security Agency (CISA), and the White House appointed a national cyber director.
As far as malign actors go, the report specifically pointed to a few successes under some of the recommendations that are on track to being implemented, like streamlining the attribution of cyber-attacks through the “Cyber Incident Data and Analysis Working Group” and the “Cyber Incident Attribution and Analysis Decision Rubric.” These tools have already sped up attribution in recent years, the report said, including as recently as this February when Russia launched several cyber-attacks against Ukraine at the onset of the invasion.
“Within just three days of a distributed denial-of-service (DDoS) attack against the Ukrainian Ministry of Defence, US Deputy National Security Advisor Anne Neuberger accused Russia of perpetrating the attack,” according to the report. “The British government concurred. Subsequently, CISA released an advisory noting the indicators of compromise of the associated attack. The speedy attribution capabilities between the United States and its allies show the potential of this approach.”
Such cyber-attacks were to be expected from Russia’s aggressive cyber operators, but Sen. Angus King, I-Maine, co-chair of the Cyberspace Solarium Commission 2.0, said that he was a little surprised they weren’t more widespread, especially against the US and its allies. One reason, he speculated, was that Putin may be intimidated by the work of the National Security Agency.
“I believe that we would have seen more of a cyber-intrusion into the West, but for Putin is afraid of [Director of US Cyber Command Gen. Paul] Nakasone,” King said. “I think Putin is deterred, frankly, by the capabilities that we have and by what Nakasone and what NSA demonstrated in 2018 in the midterm elections… Now, again, I can’t prove that because they didn’t attack. My belief is that an attack might have been more likely but for the concern of the Russians that they were at risk. And in that case I think deterrence has made a real contribution.”
Overall the report shows that nearly 60 percent of the initial 82 recommendations made by the Cyberspace Solarium Commission in March 2020 have been fully or nearly implemented while more than 25 percent are on track to being implemented. Since the initial recommendations were made, the Cyberspace Solarium Commission 2.0, which was formed when the initial commission reached the planned end of its mandate, has added to the list, bringing the total number up to 116 recommendations.
