Since its release in 2020, the recommendations of the Cyberspace Solarium Commission have served as a roadmap for the Biden administration’s attempts to deliver broad improvements in computer security, but according to a report released Tuesday, a number of the panel’s key recommendations have stalled.
The recommendations that remain on the drawing board read like a to-do-list for federal cybersecurity policymakers: clarifying liability for federal cyber response efforts, modernizing campaign regulations to promote cybersecurity defenses, funding research and development centers to explore cybersecurity insurance certificates, the formation of congressional cybersecurity committees and establishing a national breach notification law.
Three years since its release, nearly 70% of the congressionally mandated Solarium Commission’s 80 initial recommendations have been implemented or are close to it, a testament to the report’s influence. But the chairmen of the commission warned in their follow-up report released on Tuesday that it is essential to maintain momentum in improving computer security at a time of widespread cyberattacks.
“We cannot afford to pause in the pursuit of enhanced cybersecurity,” wrote Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., in the report.
The initial Solarium Commission report and subsequent follow up white papers led to major policy changes, such as the creation of both the National Cyber Director and the State Department’s Bureau of Cyberspace and Digital Policy. But the annual implementation report from the C2C 2.0 — an organization spun off from the Solarium Commission — argues that while both the Biden administration and Congress have “taken significant steps” to improve U.S. cybersecurity efforts, more needs to be done.
Of the 116 total recommendations from the Solarium Commission, 42 are considered fully implemented, while 36 are “nearing implementation,” which means that the recommendation is either included in legislation or an executive order, there is a clear path to approval or the idea is partially implemented in a new law or policy.
Of the recommendations that are not yet fully implemented, 26 are considered to be “on track” to completion on some level, while 11 show limited or delayed progress.
Notably, only one recommendation is seen as facing “significant barriers” to adoption: the creation of a House Permanent Select and a Senate Select Committee on Cybersecurity. The report says that “significant pushback” against the creation of such a committee continues but notes that draft legislative language exists in case a major event like a cyberattack occurs that might help to overcome “political barriers.”
On privacy, the Solarium Commission recommended passage of a national data security and privacy protection law. That idea that faces an uncertain future in Congress, but Tuesday’s implementation report nonetheless deems it “on track,” as several congressional committees have resumed discussions on federal privacy legislation.
The commission’s recommendation to form a Bureau of Cyber Statistics — a government body that would serve as a repository for cybersecurity data and address the paucity of data in the field of computer security — could be revived by Congress. Legislative language included in the Senate version of the National Defense Authorization Act would require the Defense Department to conduct a study on establishing such an office.
Other recommendations of the commission could be implemented with further executive action. Efforts to develop cyber confidence building measures could be taken on by the State Department’s new cyber bureau and developed in its forthcoming international cybersecurity strategy, Tuesday’s report notes.