The commission, in a follow-up report, found more than a third of its original 82 recommendations have been met, or are on the verge of being met.
More than 40% of the recommendations led to some action, such as lawmakers introducing a bill, but have not yet received a floor vote in the House or Senate. Other programs, meanwhile, remain incomplete or unfunded.
Commission co-chairman Sen. Angus King (I-Maine) said Congress passed a significant number of recommendations in this year’s National Defense Authorization Act, but much of the work remains unfinished.
King, speaking Thursday during a webinar hosted by the commission, said federal agencies need to prepare for a short-term future where attacks on critical infrastructure are “possible, if not likely.”
“We have to reimagine conflict, and we’ve got a lot of work to do to get the private sector on board, because they’re the target. That’s where the target space is, and they have a sort of visceral resistance to close cooperation with the government sharing information. They’re worried about liability, they’re worried about proprietary information, and so that’s got to be overcome,” King said.
While King and the commission’s other co-chairman, Rep. Mike Gallagher (R-Wis.), applauded Congress standing up a National Cyber Director office within the White House, and confirming Chris Inglis to lead it, the office so far remains unfunded.
That, however, could soon change. The $1 trillion infrastructure bill passed by the Senate this week would give Inglis’ office $21 million through the end of the next fiscal year to hire staff and support operations.
King, joining in a statement with members of the Senate Homeland Security Committee, said that the funding will tide Inglis’ office over until Congress passes a spending bill for fiscal 2022.
The bipartisan infrastructure bill also includes $100 million over the next five years to support a Cyber Response and Recovery Fund. It would serve as a rainy-day fund that would help agencies respond to major cyber incidents.
The Cyber Response and Recovery Act included in the infrastructure bill would allow the Secretary of Homeland Security, working with the National Cyber Director, to declare a significant cyber incident.
The Cybersecurity and Infrastructure Security Agency would coordinate response to incidents and would authorize the use of the emergency fund.
The report highlights a recent surge in hacks, breaches and ransomware attacks as a reminder that agencies and industry can’t simply keep up the status quo to maintain the safety of national critical infrastructure.
“While we started as a non-crisis commission, I think the way the environment has evolved over the last two or three years has turned us into more of an urgent or crisis commission,” Senior Commission Director Robert Morgus said.
Congress, however, has yet to take action on a significant portion of the commission’s recommendations.
Nearly 5% of the recommendations have encountered “significant barriers,” and more than 15% have seen limited progress. The report outlines the following recommendations as those facing the most significant hurdles:
Create permanent House and Senate select committees on cybersecurity
Codify a “cyber state of distress” to trigger access to the Cyber Response and Recovery Fund
Pass a national data security and privacy protection law
Establish liability for final goods assemblers
Senior Commission Director Laura Bate, however, said inaction on these recommendations doesn’t mean they’re out of consideration.
“Just because a recommendation has encountered barriers, or has seen limited progress, does not mean that we have given up on it. Sometimes that means the time just wasn’t right, but that can also often be our way of telling the larger community that there’s something there for which we all need you to help build momentum,” Bate said.
One recent update that didn’t make it into the commission’s report is CISA’s new Joint Cyber Defense Collaborative, which will bring government and industry into one office to do cyber planning, threat analysis and defensive operations.
Major cloud providers, telecommunications companies and cybersecurity firms are already signed up to participate in the office. The collaborative’s initial efforts include combating ransomware and coming up with an incident response plan for cloud providers.
Other significant pending work includes the Cyber Diplomacy Act, which passed the House in April. The bill would create a Bureau of International Cyberspace Policy at the State Department that would help set international cyber norms and boundaries.
Senators recently introduced legislation that would stand up a Bureau of Cyber Statistics within the Department of Homeland Security that would collect, analyze and publish data on cybersecurity, cyber-crime and threats.
Aside from tracking goals being met, the commission is also fighting to keep funding for cyber programs already in place.
Bate said Congress has zeroed out funding for CISA’s Cybersecurity Education and Training Assistance Program (CETAP). Meanwhile, the National Institute of Standards and Technology’s cybersecurity budget isn’t yet on track to receive a significant increase, despite the agency implementing much of the administration’s recent executive order on cybersecurity.
“What’s outlined in this report is a good beginning. But it will take sustained attention, investment and collaboration to make the potential benefits to cybersecurity itself real,” she said.