July 28, 2022

Last Updated on January 15, 2024

The US government has lately been churning out cybersecurity regulations for private companies, as well as directives for its own agencies. For example: the May 12, 2021 “cyber executive order” driving new guidance from NIST and CISA, the DoD’s CMMC program, the DoJ’s cyber fraud initiative, and much more. But are these efforts in alignment across corporate America and “the dot-gov”? Without robust cybersecurity throughout both sectors, is not our economy and even our national sovereignty in peril?

Looking to bridge the gaps in responsibility, planning and preparedness across critical infrastructure companies and the US federal government, the Cyberspace Solarium Commission (CSC) issued a report in March 2020 with 80-plus recommendations on “defending the United States in cyberspace against cyber attacks of significant consequences.” Efforts have been underway since then to operationalize those recommendations.

To reveal some of the many positive impacts and influences of the CSC report on US national security, a recent episode of The Virtual CISO podcast features Mark Montgomery, former CSC Executive Director and now Senior Fellow at Foundation for Defense of Democracies. The show’s host is John Verry, Pivot Point Security’s CISO and Managing Partner.

Partnership isn’t just for the Fortune 1000

Mark explains that the CSC report addresses government partnership with business on two fronts, as reflected primarily within two of the six “pillars” (aka categories) of recommendations in the report:

“The [‘Operationalize cybersecurity collaboration with the private sector’ pillar] is about Dominion Power and things like that. The [‘Reshape the cyber ecosystem’ pillar] is about Vick’s Dry Cleaners. In one of them, you’re trying to very carefully ensure that the critical infrastructure’s identified and properly protected for our national security, economic stability, public health and safety. In the other one, you’re trying to raise everyone’s security, so we’re less vulnerable to adversaries, whether they be nation states or criminal actors.”

Around public/private collaboration, Mark feels that the “biggest thing left on the table right now” starts with identifying the 120 to 150 “systemically important” critical infrastructure entities that “facilitate national security, the movement of our troops, the transportation, power, water; that allow our troops to move to their jump-off points; that facilitate our economic security—the telecommunications, financial services and electrical power, that allow us to continue to run the world’s largest economy and rapidly recover from and restore following a significant event.”

One regulation to rule them all

Once identified and agreed, the next step would be to identify a minimum security standard/regulation for those systemically important entities.

Mark explains: “Big water, big power, big hospital systems: Those 120 to 150 have to maintain a certain standard. You can call it a regulation. You can call it a standard. We need to say there’s a floor for those [orgs]. And if that floor is already set by your regulation—by the SEC or the FDIC or some other financial group, or by FERC in the energy world, or the NRC if you have nuclear power plants—great, you already meet it. We do want to have third party assessments of that and if it’s already being done by your regulation, great. If not, we’ve got to have a system center for that. We need to have really quick incident reporting, not the stuff that they debated and passed last year of 48 or 72 hours, but really quick.”

“It’s going to be protected under liability when you give it to us,” continues Mark. “It’s not going to go right to law enforcement or anything like that. It’s going to allow us to get a hint that, ‘Hey, seven electrical power grid generation companies are experiencing the same attack at the same time.’ Or ‘Three banks saw this.’ You can see a campaign being run against you.”

Mark would also like to see tangible rewards for rapid incident reporting, including some liability protection: “If you meet a floor we set and you’re attacked by a foreign adversary, because you’re a US critical infrastructure company and you’ve met the third-party check, we’re going to have to give you some liability protection against loss of business operations.”

Security is about as non-partisan as it gets

Cybersecurity improvement has wide bipartisan support. But the legislative process is what it is.

“When you start throwing around words like regulation, security standards, third-party checks, liability, it gets a little less nonpartisan… But if we have a comprehensive deal, where everyone’s giving up a little, to get a better process, to get that end result that we know we need,” Mark adds. “Chris Inglis [current National Cyber Director] says, ‘To beat one of us, you’ve got to beat all of us.’ That’s the idea, that you’ve got to have this public/private collaboration that works. We’re not going to get there without some sticky legislation. This is not something you can ‘executive-order’ into existence, that kind of liability protection. This is something that’s got to stand up in court.”

In other words, more legislation that codifies the CSC recommendations needs to pass. That’s Mark’s top goal for 2022.

What’s next?

To catch the complete show with Mark Montgomery, former Cyberspace Solarium Commission Executive Director, click here.

What changes does the “cyber executive order” promise for federal agencies? This podcast addresses that question: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know
