July 29, 2022

Last Updated on January 19, 2024

One of the most important drivers for recent US government cyber policy is the Cyberspace Solarium Commission (CSC) report from March 2020, which lays out over 80 recommendations on “defending the United States in cyberspace against cyber attacks of significant consequences.”

Since publishing its report, the CSC has circulated five white papers on a range of topics. The most recent, “Countering Disinformation in the United States,” was released in December 2021. Other titles include “Building a Trusted ICT Supply Chain,” “Growing a Stronger Federal Cyber Workforce,” and “Cybersecurity Lessons from the Pandemic.”

Why were these papers written, and who are they intended to help and/or influence? Who should be reading them in full, and who should at least get the CliffsNotes version?

To give an overview of the CSC’s most important initiatives and efforts, Mark Montgomery, former CSC Executive Director and currently Senior Fellow at the Foundation for Defense of Democracies, joined a recent episode of The Virtual CISO podcast. John Verry, Pivot Point Security CISO and Managing Partner, is the podcast host.

Leadership lessons from COVID

Since the CSC report was finalized during early COVID-19 impacts, it’s not surprising that a pandemic-related paper was in the offing.

“What could you learn from the first year of response to the pandemic?” poses Mark. “The answer was particularly about leadership. It’s not hard to recognize that our failure to have a strategic leader at the White House on COVID slowed and complicated our response. We were able to show similarities with cyber and then show how the National Cyber Director could have helped. Then we also said, ‘Hey, here are a few things that, studying COVID, we didn’t think about.’”

Of course, there were also lessons from the whole federal government suddenly working from home, etc.

Countering disinformation

Another CSC white paper Mark highlights covers disinformation by our cyber adversaries.

“The amount of disinformation flowing, particularly foreign disinformation like Chinese and Russian…” says Mark. “The bottom line was, ‘Hey, at this time, we have to be really attuned to foreign disinformation. And we said very explicitly, the government should not be the arbiter of truth.’”

One recommendation was for the government to support NGOs that work to counter disinformation.

Sharing deeper guidance

The other three CSC white papers provide more depth on issues that were highlighted but not fully developed in the March 2020 CSC report.

“There were about eight or nine of those issues and we got white papers done on three of them,” says Mark. “One was on supply chain and that ended up with about twelve more recommendations, a handful of which have been done and a handful more are in this Innovation bill [US Innovation and Competition Act of 2021].”

Another paper was on the federal cyber workforce.

“I’ll just say, it’s so disappointing that you can read a federal cybersecurity workforce policy paper from 23 years ago that identifies 10 problems, 7 of which still exist in exactly the same way,” Mark points out. “Then there’s workforce studies from 2010 and 2015, and from those we’ve probably only gotten one or two things done. It’s not okay that the federal government has not been able, particularly in the dot-gov, to solve its cybersecurity workforce challenge.”

Similar to the public sector, the US government is manned at “two-thirds, roughly speaking,” Mark states. “It means you’re probably not getting the job done, but your people are unhappy while they do it. And most importantly for cyber, unlike almost any other skill set, the requirement for recurring training is significant.”

Of course, it’s tough for management to get behind regular training and certifications when the team is understaffed and people can’t be spared.

“You have this problem where you have an underperforming, unhappy, poorly trained cybersecurity workforce,” Mark states. “Shockingly, that doesn’t lead to high retention.”

What’s next?

Ready to hear the podcast episode with Washington cyber leader Mark Montgomery? Click here.

Interested in how you can attract and retain cyber talent? This podcast shares unique insights: EP#85 – Deidre Diamond – 8 Ingredients for Baking Inclusivity Into Your Culture