July 29, 2022

Last Updated on January 19, 2024

There have been many recent changes to US government cyber policy. Much of this has been driven by the groundbreaking Cyberspace Solarium Commission (CSC) report released in March 2020, which proposes over 80 recommendations on “defending the United States in cyberspace against cyber attacks of significant consequences.”

After publishing that report, the CSC was reconstituted as the CSC 2.0 Project, with a goal of “preserving the legacy and continuing the work of the Cyberspace Solarium Commission.”

To talk about the CSC report and its impacts, Mark Montgomery, former CSC Executive Director and currently Senior Fellow at the Foundation for Defense of Democracies, joined a recent episode of The Virtual CISO podcast. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.

5 areas of focus

While the original CSC was sunsetted at the end of 2021, there is still significant implementation work left on in-progress legislation. Why not set up an NGO to help drive that forward?

“We ended up setting up the Foundation for Defense of Democracies, a no foreign government think tank that has no foreign government funds,” explains Mark. “I have a small staff, because most of my staff is now working at National Cyber Director, CISA or on Capitol Hill, where they can bring the expertise they got in the commission right back into the government, and that’s fantastic.”

Mark enumerates his org’s top 5 priorities as:

  • Supporting cyber legislation based on CSC recommendations that’s still TBD
  • Building support for an annual third-party cyber assessment program
  • Helping with water/wastewater cybersecurity concerns, including improving the EPA’s overall viability
  • Driving the federal cybersecurity workforce issue, including legislative proposals to improve cybersecurity workers’ pay and job descriptions, gathering better workforce data and setting up a remote cyber learning institute for federal employees
  • Ongoing Continuity of the Economy research and policy work

The final frontier

Mark and his team are also looking at whether aerospace & aviation should be designated a critical infrastructure vertical. Another industry that Mark thinks might merit critical infrastructure designation is maritime transportation security.

“It was a tough Christmas, with the ships backed up at Long Beach and Charleston,” Mark recalls. “Just think how it could’ve been worse, which is a cybersecurity attack on our sea points of departure, our major civilian ports. All those gantries and cranes are operated by position, navigation, timing… They’re very cyber vulnerable and we’ve got real questions about that and about some of the other elements in the maritime transportation security infrastructure.”

Maintaining influence

The original CSC was commissioned by the government. What’s left now that it is part of a 501(c)(3)? Now that it’s no longer a government commission, will CSC 2.0 still have the same sway and influence that the CSC did?

“We’ll see; it depends,” relates Mark. “First of all, it’s definitely still being driven by Senator King and Representative Gallagher, the two [CSC] chairmen, and I think Representative Langevin and Senator Sasse have a big push on it too, as do the other former commissioners, Suzanne Spaulding, Samantha Ravich, Tom Fanning, Patrick Murphy and Frank Cilluffo. Those nine people are moving us. The question is, particularly the four congressmen, to what degree do they stay involved? If they stay involved, we’ll have sway. If they don’t stay involved, we won’t. It’s as simple as, we only had sway because of them. There are tons of federal commissions out there that produce a doorstop and wedge the door open just fine. And there’s tons of things that aren’t handled by commissions that get done, because they have motivated congressmen pushing them.”

What’s next?

When you’re ready to hear the complete podcast episode with USG cyber leader Mark Montgomery, click here.

What are the top workplace issues contributing to our cyber talent shortage? This podcast with cyber placement leader Deidre Diamond spells everything out: EP#2 Deidre Diamond – How to Attract & Retain Cyber Talent