A long-awaited report by the US Cyberspace Solarium Commission has been published, warning of a “catastrophic cyberattack” that leaves the nation in tatters.
The report opens unconventionally, with a piece of fiction by American political scientist Peter Singer and national security writer and analyst August Cole entitled “A Warning From Tomorrow”.
Written from the perspective of an unnamed US legislator grappling with the aftermath of a string of catastrophic cyberattacks, it paints a view of what could happen if the US does not significantly improve its cybersecurity infrastructure and legislation, where “everything went so wrong, so fast”.
In the narrative, the Potomac River in Washington DC has been tainted by toxic chemicals spewed out from upstream treatment plants when their automated systems were hacked.
An attack on the sensors managing the city’s floodwater management systems has “left behind an oily sludge that will linger for who knows how long” in the Lincoln Memorial Reflecting Pool.
And the debris of delivery drones and air taxis litters the city after they were “remotely hijacked to crash into crowds of innocents like fiery meteors”.
Meanwhile, refugees sit round campfires after fleeing “the toxic railroad accident caused by the control system failure in Baltimore”.
“No matter what legislation we pass now, after everything that’s happened, we’re too late,” the unnamed protagonist concludes.
Preventing the future: Recommendations of the US Cyberspace Solarium Commission report
Despite its shock opening, the 182-page Cyberspace Solarium Commission report is packed with recommendations about what the US should do to prevent such a future from becoming possible.
These include numerous steps to ensure the US cyber ecosystem is more secure, acknowledging that the intersection of technology and people has caused “vulnerability across the United States”.
One area focuses on the lack of security in connected hardware, recommending that the US government drive a shift away from the “first to market” approach that currently dominates, in favour of improved cybersecurity. It proposes a voluntary certification scheme to identify secure hardware and the creation of critical technology security centres to test key infrastructure.
It also urges the expansion of the National Institute of Standards and Technology (NIST) to give it the power to develop and update cybersecurity frameworks and standards, and the creation of a law making final goods assemblers liable for damages from cybersecurity incidents caused by vulnerabilities they ignored.
There are also recommendations to encourage greater corporate cyber responsibility, including amending the corporate-accountability-focused Sarbanes-Oxley Act to require companies to conduct and report internal cyber risk assessments and to meet certain minimum cybersecurity requirements.
US government urged to restructure to improve cybersecurity
The Cyberspace Solarium Commission report also recommends that the US government’s organisation and structure be overhauled to make it able to resist and withstand cyberattacks, stating that: “Governmental action has too often been piecemeal and independent of private-sector insights and interests, too much information remains over-classified or narrowly distributed, and a lack of strategic coherence continues to hinder attempts at improving systemic national cybersecurity.”
To resolve this, it calls for a new national cyber strategy to be developed by the executive branch of the US government, which includes the President, Vice President, Cabinet, executive departments and agencies. This would include collaboration with private organisations in the cybersecurity space, and be focused on resilience and deterrence.
It also calls for a reorganisation and centralisation of Congress’ committee structure and jurisdiction so that it can improve its oversight of national cybersecurity, arguing that the range of committees and subcommittees currently handling the issue is “hamstringing legislative authority, muddling oversight, and impeding Congress’s ability to act with the speed and vision necessary”.
In addition, the report urges a change in the executive branch to enable the US to quickly and effectively “plan, support and employ government resources”, creating a “single voice” on the matter. It also recommends that federal government recruitment and training be reformed to increase the presence of cybersecurity expertise in the government.
Cybersecurity community welcomes recommendations
The Cyberspace Solarium Commission report’s vast range of recommendations have been welcomed by experts from the cybersecurity community.
“It is a positive step that government-funded bodies like The Cyberspace Solarium Commission are prioritising time and resources to improve cybersecurity and hopefully correct security practices and protocols will be prioritised,” said Saryu Nayyar, CEO of Gurucul.
“It’s also high time that a federal law is passed that puts the onus on updating vulnerable hardware and software on vendors and/or final goods assemblers,” added Marty Edwards, VP of OT security at Tenable.
“With the vast majority of cyberattacks and data breaches caused by known, but unpatched vulnerabilities, this is a step in the right direction towards a more secure global ecosystem.”
However, while the news is being seen as positive, there are reservations about how much of it will ultimately result in meaningful changes.
“While this is yet another in a long line of reports projecting digital disaster, I was pleased to see an emphasis on incident detection and response via threat hunting as one of the more prominent recommendations. I began arguing in 2007, before ‘threat hunting’ was a defined term, that federal security teams should be ‘projecting friendly forces’ on their networks, assuming that they were already compromised,” said Richard Bejtlich, principal security strategist at Corelight.
“The new report integrates these recommendations, but it remains to be seen if anything changes in the federal government.”
For many, however, the advice for businesses is not to wait for government action.
“Organisations shouldn’t wait for the government to make recommendations. There are a series of steps they can take to get on the right track,” said Simon King, vice president of solutions at the Synopsys Software Integrity Group.
“First, if they don’t have a strong security team they should engage security firms with the extensive experience to consult on current and future needs. Secondly, they need to implement the recommended security changes based on findings right away; for example, conduct external pen testing and mitigate vulnerabilities.
“Finally, they need a formal software security initiative. That may require hiring trained staff, tools for automated testing, and regular training to make security part of their DNA.”