The US is facing what is being called a catastrophic cyber-attack, one which may create lasting damage. Said damage is expected to surpass that of wildfires, hurricanes, and floods, as the country has endured before.
The US Cyberspace Solarium Commission made an expansive, 182-page report detailing the multiple threats the United States is facing online. From cybercriminals and nation-states, IP theft, cybercrime and infrastructure attacks, ransomware, to espionage aimed at finding geopolitical advantage. Attacks aimed at undermining the democratic institutions of the country were also covered.
According to the CSC, the US now works in a cyber landscape that requires data security. The commission states not even the private sector is capable of providing it at this time, or the US government. The lack of technical expertise, unified effort, and speed are growing in both the government and private sectors, they stated.
"The digital connectivity that has brought economic growth, technological dominance and improved quality of life to nearly every American has also created a strategic dilemma. The more digital connections people make and data they exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure, and damage our economic and democratic institutions."
To tackle the challenges ahead, the CSC advocates for a so-called layered cyber deterrence. It is to be designed with the idea of shaping behavior, denying benefits, and imposing costs. That requires the US to work together with its allies to promote what would be more responsible behavior in cyberspace. It also aims at making sure that the government can work with the private sector to maximize and enhance security, as well as retaining the ability to retaliate against attackers in cyberspace.
The CSC report lists six significant policy changes and 75 recommendations to help push the US as a country toward improved cybersecurity. The proposals include suggestions that aim at government reforms that include the creation of a House Permanent Select as well as Senate Select Committees on Cybersecurity. Other measures as well as a Senate-confirmed National Cyber Director with new powers for CISA that would begin the necessary work in government.
The report underlines five important points the US should focus on above all:
1. Deterrence in cyberspace
According to the CSC, deterrence is possible. A lot of the cyber actors today feel undeterred if not even encouraged to target the public infrastructure and personal data. Through the inability and unwillingness of the US government to punish the attackers, the CSC says the government is signaling them these actions are acceptable.
2. Resilient economy
Deterrence relies on a strong economy. The CSC mentions the government should ensure they can reconstitute and survive in the aftermath of a possible national level cyberattack. They also need to provide the economy can keep running regardless of such an anticipated event. The government is expected to prepare a Continuity of the Economy plan to make sure the economy can get back on track after a massive cyber-attack.
3. Government Reform
According to the CSC, this will require government reform. That would need to empower and elevate the existing cyber agencies, specifically the Cybersecurity and Infrastructure Security Agency (CISA). New focal points would need to be created for coordinating security between the agency and the executive branch and Congress. Organizations should have the speed and agility to act to defend networks and impose costs on the adversaries attacking US installations.
4. Deterrence requires private sector strengthening their security
The private sector owns most of the critical infrastructure in the US. The CSC mentions specific recommendations that need to be made to businesses, such as establishing cloud security certification and modernizing corporate accountability reporting. The commission suggests this needs to be done with freedom and innovation in mind. It won't be a totalitarian approach, so private entities can act with speed and agility when stopping attackers.
5. Election security must be a priority
The CSC listed elections as being a priority in future cybersecurity changes. US citizens need to have the assurance that the elections stay free from foreign manipulation. The commission believes this needs to be made with funding to infrastructure modernization on local and state levels. At the same time localities and states must also pay a share of this. A paper audit trail is also necessary, the CSC said.