Generic filters

Use These Guiding Principles by the Cyberspace Solarium Commission (CSC) to Manage Cyber Risk

July 21, 2021

Use These Guiding Principles by the Cyberspace Solarium Commission (CSC) to Manage Cyber Risk

Any business can use these best practices established by the Cyberspace Solarium Commission (CSC) Guide

The Cyberspace Solarium Commission (CSC) was created by the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to develop a strategic approach to defending the United States against cyberattacks of significant consequences. The CSC recognizes the importance of working with the private sector, which means that all companies need to understand where they fit into the layered cyber deterrence strategies.

What are the 3 layers of defense?

Before even getting to the three layers of defense, the Cyberspace Solarium Commission (CSC) points out that government reform must be the foundation of any good cyber deterrence program. The Commission points out that reformed government oversight and organization means resourcing and staffing that reduces the likelihood, magnitude, and impact of attacks on federal networks for cyber resilience.

To establish this foundation, the Commission suggests the following:

  • Updating the National Cyber Strategy
  • Establishing Congressional Committees on Cybersecurity
  • Establishing a National Cyber Director
  • Strengthening the Cybersecurity and Infrastructure Agency (CISA)
  • Working to recruit, develop, and retain cyber talent

Layer 1: Shape Behavior

The Commission recommends that the United States proactively take a leadership role in shaping responsible behavior by other parties in cyberspace through strategic partners and alliances.

Strengthen Norms and Non-military tools

International norms for responsible behavior in cyberspace already exist, but a lack of tools to enforce compliance does little to persuade conformity or punish violators.

The Commission recommends the following:

  • Creating an Assistant Secretary of State
  • Participating with the National Institute of Standards and Technology
  • Streamlining the Mutual Legal Assistance Treaty and Mutual Legal Assistance Agreement
  • Increasing the number of FBI Cyber Assistant Legal Attachés

Layer 2: Deny Benefits

Working jointly between the public and private sectors to enhance situational awareness on all fronts denies malicious actors the opportunity to destabilize large institutions and promotes national resilience.

Promote National Resilience

Maintaining basic infrastructure on a national level and recovering from cyberattacks promotes resilience across the U.S. and denies adversaries an opportunity to interfere with critical resources.

The Commission recommends the following:

  • Codifying CISA responsibilities for identifying, assessing, and managing risk
  • Developing Continuity of the Economy planning
  • Designating a Cyber State of Distress and Cyber Response and Recovery Fund
  • Improving the Election Assistance Commission
  • Promoting digital literacy and public awareness

Reshape the Cyber Ecosystem toward Greater Security

The public and private sectors must work jointly to raise the baseline security level to minimize the opportunities bad actors have to exploit vulnerabilities.

The Commission recommends the following:

  • Establishing a National Cybersecurity Certification and Labeling Authority
  • Passing laws holding assemblers accountable for exploits of known vulnerabilities
  • Establishing a Bureau of Cyber Statistics
  • Developing cloud security certification
  • Implementing strategies to ensure trusted supply chains
  • Passing national data security and privacy protection law

Operationalize Cybersecurity Collaboration with the Private Sector

The government must support and collaborate with the private sector by using its resources to secure critical, privately-owned infrastructure.

The Commission recommends the following:

  • Codifying all critical infrastructure for additional security requirements
  • Establishing and funding a Joint Collaborative Environment
  • Strengthening a public-private cyber center in CISA
  • Establishing a Joint Cyber Planning Cell under CISA

Layer 3: Impose Costs

The United States government must respond to cybersecurity attacks by responding to malicious actors and reducing the threat by using all options available as a military power.

Preserve and Employ the Military Instrument of Power – and All Other Options to Deter Cyberattacks at Any Level

The United States must have strategic objectives in response to crisis and conflict, which impose significant enough to deter cybersecurity threats.

The Commission recommends the following:

  • Conducting a force structure assessment of the Cyber Mission Force
  • Conducting a cybersecurity vulnerability assessment for nuclear control systems
  • Requiring Defense Industrial Base (DIB) participation

The private sector implications of the Cyber Solarium Commission’s report

The CSC report emphasizes the US government’s need to support private sector cybersecurity compliance. While private organizations are liable for theirs ecurity, a government baseline will ultimately protect the nation’s most critical infrastructure.

5.1.2 Strengthen and Codify Processes for Identifying Broader Private-Sector Cybersecurity Intelligence Needs and Priorities

The private sector lacks a formal process for self-identifying and reporting intelligence gaps that can be analyzed along with known, common vulnerabilities. As a result, compiling private sector data helps the federal government better identify malicious actors’ threats.

The President’s Executive Order on Improving the Nation’s Cyber Security (Executive Order) addresses the need for federal network security risks by implementing a series of best practices across the supply chain. By effectively hardening systems, the public and private sectors can reduce cybersecurity vulnerabilities. To help them, the Executive Order established the Software Bill of Materials, a formal record of software components to help mitigate risks, like open-source code.

5.3 Congress should direct the executive branch to strengthen a public-private, integrated cyber center within CISA

Infrastructure cybersecurity and resilience depend on coordination between the public and private sectors, and CISA serves as the primary interface between the security of these networks and the federal government. Strengthening an integrated cyber center within CISA to  facilitate this coordination would include identifying its current gaps and shortcomings while providing greater centralization of cybersecurity efforts between the public and private sectors.

The private sector already adopts the Continuous Diagnostics and Mitigation (CDM) program which, CISA originally intended for agencies. As the private sector progresses toward CDM goals, secure system configurations prevent malicious actors from exploiting the same kind of vulnerabilities the public sector is also looking to avoid.

Private-Sector Automated System Hardening in Response to Commission Recommendations

Fundamentally, system hardening mitigates risks from software vulnerabilities by ensuring that organizations implement secure configurations. By using Security Technical Implementation Guides (STIGs), organizations build more robust security. Automating these lower-level controls and documenting processes gives organizations a way to prevent threat actors from exploiting software and firmware vulnerabilities.

SteelCloud’s patented ConfigOS automation scans your entire environment in a few hours, implement controls, detect conflicts, remediate conflicts, and document waivers all in a single location.

Share This Resource: