Sen. Angus King, I-Maine, one of the chairs of the congressional  Cyberspace Solarium Commission (CSC).

Sen. Angus King, I-Maine, one of the chairs of the congressional Cyberspace Solarium Commission (CSC). AP Photo/Andrew Harnik

More Industry Regulations Are Needed to Improve US Cybersecurity, Congressional Report Says

New mandates should increase companies’ network monitoring and allow them to share data with a new government bureau, the Cyberspace Solarium Commission wrote.

The U.S. government should require private companies to better monitor their networks and more quickly respond to cyber attacks from Russia, China, and elsewhere, a new congressional report on the nation’s cybersecurity preparedness says.

The report, released Wednesday by the Cyberspace Solarium Commission, says the United States is underprepared for tomorrow’s network attacks from sophisticated actors. It offers 80 recommendations.

One big one for government: expand the role of the Cybersecurity and Infrastructure Security Agency, or CISA; and establish a National Cyber Director to advise the U.S. president and coordinate national strategy on cyber issues.

“We need to elevate and empower existing cyber agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the executive branch and Congress,” it reads. “Congress should strengthen the Cybersecurity and Infrastructure Security Agency (CISA) its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts. Congress must invest significant resources in CISA and provide it with clear authority to realize its full potential.”

The report also says that private companies need the ability to quickly “stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.”

The report suggests a variety of legislative steps that could help, including the creation of a statistical bureau to gather data about threats and regulatory changes to allow companies that collect threat data, such as companies that sell security software, to share it with the bureau.

The report also urges the government to require companies to keep better internal records of their own security environments, which they might be able to share with federal authorities in a crisis. 

The U.S. government should: “Mandate that public companies maintain, as part of this requirement, internal records of cyber risk assessments, so that a full evaluation of cybersecurity risks can be judged in acquisition or in legal or regulatory action,” it reads. Those metrics could include “risk assessments, determinations, and decisions; cyber hygiene; and penetration testing and red-teaming results, including a record of metrics relating to the speed of their detection, investigation, and remediation.” 

Many cybersecurity professionals say speed of detection has become the most important cybersecurity metric. If a company can detect and react to a penetration faster than the adversary can move from one node in a network to another, also called breakout time, they can limit data theft, alteration, and destruction. 

As the cybersecurity company Crowdstrike noted in its most recent annual threat report,: “Breakout time is important for defenders, as it sets up the parameters of the continuous race between attackers and defenders. By responding within the breakout time window, which is measured in hours, defenders are able to minimize the cost incurred and damage done by attackers.” 

In 2019, Crowdstrike found that Russian attackers needed an average of 19 minutes to move from one node to the next.The numbers haven’t much changed. “It’s important to note that defenders should still focus on speed, as data attributable to nation-state activities in 2019 does not suggest any major changes in breakout times among state-affiliated adversaries this year compared to last year,” Crowdstrike’s new report says. 

Lawmakers couldn’t agree on all the steps that the private sector or the government should take to strengthen the country’s defenses to cyber threats, such as mandating end-to-end encryption, according to the report’s introduction. But the areas where there was agreement are significant and leave much to do.

“The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop,” the report says [D]emand that your government and the private sector act with speed and agility to secure our cyber future.”