EVALUATING PROGRESS
In many respects, the recommendations enumerated in the Cyberspace Solarium Commission’s report and ensuing white papers are the most concrete basis on which to evaluate the Commission’s progress. However, these recommendations are based on conclusions that the Commission reached during the deliberative process, and on the larger strategic framework implied by those conclusions. That is to say, the retrospective accuracy of the Commission’s assumptions about the opportunities and threats in cyberspace must be part of an overall review of the Commission’s work. Similarly, meaningful evaluation must also consider the Commission’s strategic approach to addressing those opportunities and deterring threats. Accordingly, this section examines fundamental assumptions around what success looks like, the issues the Commission sought to address, and the strategic framework laid out in the Commission’s March 2020 report. The section then establishes the methodology used in evaluating individual recommendations.
MEASURING IMPACT AND PROMOTING FUTURE SUCCESS
A secure cyberspace will never be a single, static goal. Making lasting progress toward improved cybersecurity is certain to be an ongoing, iterative process requiring the engagement of leaders across government, the private sector, civil society, and the international community of U.S. allies and partners. The implementation of CSC recommendations in law or policy must be seen only as the beginning of work toward a more stable, secure cyberspace. Accordingly, this report distinguishes between the implementation of a recommendation and the achievement of lasting success. Moreover, success of the Commission’s overall strategy of layered cyber deterrence could be defined as its adoption through a national cyber strategy or, borrowing from the Commission’s original mandate, “defending the United States in cyberspace against cyber attacks of significant consequences.” Since, as a practical matter, it is impossible to know the number of attacks successfully deterred, a definition of success might consider whether national cybersecurity improves upon wider adoption of the strategic approach—but that definition itself is dependent on having metrics to evaluate the effectiveness of cybersecurity and cyberspace policy.4
For an example of the distinction between implementation and longer-term impact on cybersecurity, consider the Commission’s Recommendation 1.3, calling for the establishment of a National Cyber Director. The FY21 NDAA legally requires the President to designate a National Cyber Director, and the first Director was confirmed on June 17, 2021.5 This represents a major success in implementation of the recommendation, but its successful impact will be a function of how future presidents choose to empower and employ the Director. For this and all Commission recommendations, real success will depend on continuing momentum and impact long past the term of the Commission itself. With the distinction between implementation, impact, and success in mind, this assessment also looks to the future by outlining the steps needed to ensure that changes have lasting momentum.
4 The need for metrics to evaluate effectiveness in cybersecurity and cyber policy is also reflected in the Commission’s recommendations. In particular, see Recommendation 4.3 – Establish a Bureau of Cyber Statistics, and Recommendation 6.1.6 – Require the Department of Defense to Define Reporting Metrics.
5 Tonya Riley, “Chris Inglis Confirmed as First US National Cyber Director after Senate Vote,” CyberScoop, June 17, 2021, https://www.cyberscoop.com/chris-inglis-national-cyber-director-senate-vote/.
IDENTIFICATION OF THREATS, OPPORTUNITIES, AND PRIORITIES
The year 2020 threw more than its fair share of curveballs. In evaluating the future of the digital threat landscape, the Cyberspace Solarium Commission certainly did not anticipate all these twists and turns perfectly. Although the Commission’s basic assumptions about threats, opportunities, and priorities bore out in the aggregate, hindsight does offer some lessons. Outlined below are the major dynamics that were not anticipated during the development of the Commission’s original report.
Threats: The SolarWinds incident highlighted the importance of software supply chain security. Although a speculative evaluation suggests that some CSC recommendations might have helped mitigate the consequences of the event as it unfolded, many of those recommendations were not implemented until it occurred;6 others still remain unimplemented. For example, the creation of a National Cybersecurity Certification and Labeling Authority (Recommendation 4.1) might have helped provide baseline levels of assurance to customers regarding the security of purchased ICT products. Similarly, a cloud security certification (Recommendation 4.5) might have also addressed some of the vulnerabilities that became apparent with respect to cloud service authentication. On the response side, certain recommendations, such as the codification of a Cyber State of Distress (Recommendation 3.3), would have granted the federal government additional response and recovery funds to assist state, local, tribal, and territorial (SLTT) governments and private-sector companies. In addition, in the wake of SolarWinds, renewed calls for federal breach notification (Recommendation 4.7.1) and incident reporting laws7 (Recommendation 5.2.2) underscored the importance of recommendations that CSC made in its final report. Nevertheless, in retrospect it appears that CSC could have devoted more explicit attention to the issue of software supply chain security in its final report or its white paper on supply chain security, which was published in October 2020, just months before news broke about the SolarWinds incident.
Opportunities: The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA) reauthorized the CSC for an additional year, which has provided the Commission with more time than anticipated to push for the implementation of the March 2020 report’s recommendations. Over this period, CSC has focused on updating legislative proposals for the coming NDAA cycle, encouraging appropriators to fund priorities authorized in the FY21 NDAA, and working on new white papers.
CSC’s extended mandate also coincided with an election that created opportunities to engage a new administration and Congress and help set priorities for the coming years. CSC thus released a transition book for the Biden-Harris administration and was able to engage directly with the transition team and incoming appointees to help ensure that cybersecurity received the attention it deserves in the new administration’s plans. The start of a new congressional session also created opportunities to implement CSC recommendations in new legislation and to engage with newly elected members of Congress as well as incumbent members assuming new leadership roles. The Senate-passed United States Innovation and Competition Act of 2021 (USICA) and the House-passed Cyber Diplomacy Act are important examples of how a new Congress, energized to tackle pressing issues, can champion new legislation.
6 For example, the executive order on improving the nation’s cybersecurity implemented CSC Recommendation 4.4.3 on federal acquisition, and it touches on elements of Recommendations 4.1, 4.5, and others. Exec. Order No. 14028, “Improving the Nation’s Cybersecurity,” 86 Fed. Reg. 26633 (2021), https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity. CSC Recommendation 3.3 was included in the U.S. Innovation and Competition Act (formerly Endless Frontier Act). The bill was passed by the Senate on June 8 and as of this writing awaits consideration in the House of Representatives. See United States Innovation and Competition Act of 2021 [hereafter USICA], S. 1260, § 4251-4252, 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/senate-bill/1260/text/es.
7 Gopal Ratnam, “SolarWinds Incident May Bring Data Breach Notification Rules,” Government Technology, March 3, 2021, https://www.govtech.com/security/solarwinds-incident-may-bring-data-breach-notification-rules.html.
Another unanticipated dynamic, although not one that constitutes an opportunity per se, was the increased focus on cybersecurity issues—and certain CSC recommendations—resulting from the SolarWinds hack, Microsoft Exchange Server hack, and, most recently, the Colonial Pipeline ransomware attack. As highlighted above, for example, the SolarWinds incident has renewed calls for national breach notification and incident reporting laws. Similarly, the pandemic, though devastating, has underscored the need for certain cybersecurity reforms that can aid both the federal government and SLTT governments in delivering digital services to American citizens. The American Rescue Plan Act included $650 million for the Cybersecurity and Infrastructure Security Agency (CISA), in recognition of the crucial role that cybersecurity plays at a time when the COVID-19 pandemic has forced Americans to shift economic, educational, and social activities online.
Priorities: CSC correctly focused attention on coordination and engagement with the private sector as a means of driving change. While that has always been a key priority, it is now even more crucial in the wake of the devastating SolarWinds, Microsoft, and Colonial Pipeline cyberattacks. The CSC’s 2020 report noted that operationalizing this engagement with the private sector would enable the creation of a new “social contract” of shared responsibility in order to best secure the United States cyberspace.8 Efforts to address this lack of coordination are evident through Pillar Five’s specific focus on the private sector. Its recognition that “the majority of critical infrastructure, hardware, and software that powers the information age resides in the private sector” positioned CSC to see the private sector not as merely a regulatory subject but as an essential partner in the effort to deliver cybersecurity. For that reason, the private sector also plays a key role in Pillars Three and Four, and many of the recommendations in those pillars are designed to provide incentives for the private sector to improve its own cybersecurity and the security of products and services delivered to the public.
It is certainly true that events of the past year have not all unfolded as the Commission anticipated, but ongoing work has made possible further analysis and updates where initial assumptions or expectations proved incorrect. Throughout the past year, the Commission has continued to adjust to circumstances in a series of white papers. Both the Pandemic White Paper and the Supply Chain White Paper have provided opportunities to respond to new situations, including the COVID-19 pandemic and the SolarWinds, Microsoft Exchange, and Colonial Pipeline attacks. Meanwhile, an ongoing process to draft and propose legislation has enabled the Commission to continue to update the path of implementation for recommendations as conditions change.
EVALUATING THE IMPLEMENTATION OF THE LAYERED CYBER DETERRENCE STRATEGY
The Commission’s layered cyber deterrence strategy itself provided a useful lens through which to consider the development of recommendations, and it has continued to provide helpful context in working through their implementation. Insofar as success can be defined as providing a coherent vision for the CSC’s work, the strategic framework succeeded. A more general evaluation of whether it has been successful—both in being implemented and in driving improvements to national cybersecurity—will require a longer timeline and further development of metrics designed to assess cybersecurity.9 An updated national cyber strategy will yield insight into implementation; but until an update is issued, the layered cyber deterrence approach can—at a minimum—give policymakers and government officials a means of thinking about the problem, especially when it comes to the broader implementation of “defend forward” across all instruments of national power.
8 U.S. Cyberspace Solarium Commission, Report of the United States of America Cyberspace Solarium Commission (March 2020), 96, https://www.solarium.gov/home.
9 The need for metrics to evaluate effectiveness in cybersecurity and cyber policy is also reflected in the Commission’s recommendations. In particular, see Recommendation 4.3 – Establish a Bureau of Cyber Statistics, and Recommendation 6.1.6 – Require the Department of Defense to Define Reporting Metrics.
Cyber policy watchers have seen the unified exercise of different layers over the past year. For example, CISA has taken the lead on denying benefits by working with the private sector to build resilience, especially in the face of SolarWinds, while the White House imposes costs on adversary actors through sanctions and seeks to shape behavior through capacity-building projects.10 While the administration may not use the term “layered cyber deterrence” to describe the suite of actions taken in response to cybersecurity crises, it has recognized that different tools of statecraft can work together, in concert, in response to specific threats and has generally taken a whole-of-nation approach to addressing the problem. In this respect, this strategy overall has been successful. To examine the state of implementation in further detail, this report considers examples at each layer of the strategy.
Shape Behavior
Strengthening U.S. cyber diplomacy at the State Department was chief among the recommendations proposed by the Commission to improve U.S. ability to shape behavior in cyberspace, and there has been clear progress toward this goal. The introduction of the Cyber Diplomacy Act, which was passed in the House of Representatives,11 is an important step in the direction of developing this layer more thoroughly. The creation of a bureau at the State Department where U.S. strategy on cyber norms and international engagement on cyberspace issues can receive the attention and resources they deserve will position the United States well to shape the behavior of both allies and adversaries.
While improvements to the State Department’s cyberspace policy structures would be major strides toward enhancing the U.S. ability to shape behavior, valuable work is already under way under the auspices of the Office of the Coordinator for Cyber Issues at the State Department, which has led U.S. cyber diplomacy since its creation in 2011.12 The United States has historically been an influential and active participant at cyber norms forums like the U.N. Group of Governmental Experts and the U.N. Open-Ended Working Group.13 Meanwhile, funding for international cybersecurity capacity building also received a modest increase for FY21 through the Consolidated Appropriations Act.14 In short, progress is being made, but further efforts and sustained commitment in these areas are needed in order to effectively shape adversary behavior in cyberspace. Much more significant improvements to this layer of U.S. cyber deterrence are on the horizon.
Deny Benefits
By building more resilient systems nationwide and reducing the harm to the United States that can result from a cyberattack, effective deterrence denies adversaries the benefits of attacking. The majority of recommendations falling under three of the six pillars of the Solarium Commission’s report focused on these types of changes (Pillars Three, Four, and Five).
10 “FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government,” White House Briefing Room, Press Release, April 15, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/.
11 Cyber Diplomacy Act of 2021, H.R. 1251, 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/house-bill/1251.
12 “About Us – Office of the Coordinator for Cyber Issues,” United States Department of State, https://www.state.gov/about-us-office-of-the-coordinator-for-cyber-issues/.
13 Christian Ruhl, Duncan Hollis, Wyatt Hoffman, and Tim Maurer, “Cyberspace and Geopolitics: Assessing Global Cybersecurity Norm Processes at a Crossroads,” Carnegie Endowment for International Peace, February 26, 2020, https://carnegieendowment.org/2020/02/26/cyberspace-and-geopolitics-assessing-global-cybersecurity-norm-processes-at-crossroads-pub-81110.
14 U.S. Congress, Joint Explanatory Statement, Division F (to Accompany the Consolidated Appropriations Act, 2021), 116th Cong., 2nd sess. (2020), 51, https://docs.house.gov/billsthisweek/20201221/BILLS-116RCP68-JES-DIVISION-F.pdf.
One of the biggest successes with respect to denying benefits has been the inclusion of Continuity of the Economy planning in the FY21 NDAA. As outlined in the Commission’s Recommendation 3.2, such a plan would dramatically decrease the impact of a cybersecurity attack—not to mention any other type of catastrophic event—through planning and preparation, thereby decreasing the incentive for adversaries to pursue such activity. Similarly, codifying sector-specific agencies (SSAs) as Sector Risk Management Agencies (SRMAs; Recommendation 3.1) has focused attention on how CISA can support federal departments and agencies in their efforts to build resilience by engaging the private sector. The establishment of the Joint Cyber Planning Office and study of an Integrated Cyber Center at CISA, which will focus, respectively, on coordinating cybersecurity readiness and planning between public and private sectors and on supporting the critical infrastructure security and resilience mission of the agency, are further noteworthy efforts in this area.
Denial of benefits also received significant attention in the CSC’s white paper on supply chain security. Many of these recommendations have been implemented through the executive order on America’s supply chains.15 Other recommendations implemented in this area have yielded progress on developing an industrial base strategy, identifying key technologies, and designating a lead agency for coordinating supply chain risk management. In addition, recommendations from the original report such as requiring intelligence sharing within the Defense Industrial Base (DIB) (Recommendation 6.2.1) and threat hunting on DIB networks (Recommendation 6.2.2) contribute to the overall effort to deny benefits to adversary actors through improvements to the systems that underpin national cybersecurity.
While the Commission’s work has been quite successful in driving overall progress on this layer of the strategy, challenges remain. Denying adversaries the benefits of attack requires extensive collaboration with the private sector and other stakeholders outside the federal government. Its multi-stakeholder nature makes this strategic layer quite complex to implement. In particular, three of the four recommendations proposed by the Commission that face significant known barriers to implementation fall under this layer of the strategy (3.3.2 – Clarify Liability for Federally Directed Mitigation, Response, and Recovery Efforts; 4.2 – Establish Liability for Final Goods Assemblers; and 4.7 – Pass a National Data Security and Privacy Protection Law). In the most difficult of cases, implementation may not be possible without significant shifts in opinion from major stakeholders. As major cybersecurity incidents continue to stack up, such a shift is not impossible. But in the meantime, the path forward will rest on continued engagement between sectors and stakeholders. While some elements of the “deny benefits” layer of the strategy have not yet been implemented, its prospects overall are very promising when the totality of the related recommendations is taken into account.
Impose Costs
Much of the attention devoted to this layer originates with recommendations from Pillar Six: Preserve and Employ the Military Instrument of Power. Many of these recommendations were put into law via the FY21 NDAA, making them successful in terms of their adoption. We need more time, however, to know whether that adoption will cause meaningful positive change. Promising steps toward implementation include NDAA language related to the Cyber Mission Force force structure assessment (Recommendation 6.1), assessing the establishment of a military cyber reserve (Recommendation 6.1.7), and studying potential vulnerabilities in weapons systems related to cybersecurity and emerging technologies like quantum computing (Recommendations 6.2 and 6.2.4). The Commission also saw major progress, albeit only partial implementation, with respect to efforts to create a Major Force Program (MFP) funding category for Cyber Command (Recommendation 6.1.1). With that said, not all of the U.S. ability to impose costs is military in nature. Other steps toward implementation of this layer of the strategic approach have come from the emphasis in Pillar Two on non-military tools for cost imposition. For example, the partial success in raising the number of FBI Cyber Assistant Legal Attachés (ALATs; part of Recommendation 2.1.4) increases the likelihood that bad actors are held accountable and face the consequences of violating the law.
15 Exec. Order No. 14017, “America’s Supply Chains,” 86 Fed. Reg. 11849 (2021), https://www.federalregister.gov/documents/2021/03/01/2021-04280/americas-supply-chains.
Recent improvements to the structures and tools available to implement all three layers of a layered cyber deterrence strategy suggest that the United States is better positioned to employ the strategy now than it was a year ago. But because these changes are only just beginning to take effect, and others are yet to come, more information—and more time—is needed to successfully deter attacks of significant consequence in cyberspace. Moreover, more clearly defined metrics of cybersecurity and means of measuring effectiveness of cyberspace policy will be required to determine whether the strategy has been successful.
IMPLEMENTATION OF CSC RECOMMENDATIONS
The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA) adds to the mandate of the U.S. Cyberspace Solarium Commission by including the ongoing charge to review the implementation of the CSC’s recommendations and provide an annual update.16 While much work is yet required to fully implement CSC’s recommendations, an interim review of progress shows that cybersecurity leaders throughout the government have taken significant steps. This report documents progress and identifies future actions required to advance the recommendations along the path toward protecting the United States from attacks of significant consequence in cyberspace. For the purposes of this assessment, indicators of progress toward implementation of Commission recommendations are varied but appear most frequently in authorizing legislation, appropriations, and executive policy.
Authorizing Legislation: The 2021 NDAA included a historic number of cybersecurity provisions, 27 of which represent the implementation of 25 different CSC recommendations. CSC will be supporting additional proposals during the course of its upcoming work. In July 2020, the Commission staff published a package of 54 legislative proposals,17 many of which served as the starting point for legislation later included in the FY21 NDAA. Others are driving legislation expected to be proposed during the coming legislative cycle.
Appropriations: CSC highlighted 19 funding priorities during the FY21 appropriations cycle, many of which received funding in the Consolidated Appropriations Act of 2021.18 Priorities not included or funded in the FY21 appropriations cycle, as well as those newly authorized in 2020, were included in recommendations to congressional appropriators for the FY22 cycle.
Executive Orders and Policy: In its “Transition Book for the Incoming Biden Administration,” CSC outlined three priority areas of focus for the first hundred days, and an additional six priority areas for attention beyond one hundred days. Collectively, these areas represent 30 individual activities. Although at the time of this reporting the administration is still in its relatively early days, several of those actions are under way and are already being tracked by the Commission.
16 William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283 [hereafter FY21 NDAA], § 1714 (2021), available as enrolled bill at https://www.congress.gov/bill/116th-congress/house-bill/6395/text/enr.
17 Mark Montgomery, “Cyberspace Solarium Commission – Legislative Proposals,” Cyberspace Solarium Commission, accessed March 22, 2021, https://www.solarium.gov/report/legislative-proposals.
18 For further information on the FY21 appropriations process, please see the joint explanatory statements provided by the House Rules Committee. House Committee on Rules, “Text of Bills for the Week of Dec. 21, 2020.” December 21, 2020, https://docs.house.gov/floor/Default.aspx?date=2020-12-21.
Other Actions: In some instances, indicators of progress fall outside the activities outlined above or government leaders are carrying the actions out in tandem with or anticipation of official legislation or policy. Furthermore, the Commission’s recommendations were not made in a vacuum: they were the result of hundreds of conversations between Commissioners, staff, government representatives, subject matter experts, and many others. Consequently, many actions undertaken in cyberspace policy over the course of the past year both shaped and were shaped by Commission recommendations. Recognizing this dynamic, this assessment considers actions taken that align with CSC recommendations to be indicators of progress in implementing them, with the full appreciation that commendation for success in these—and all—cases is due to the hard work of cybersecurity and policy professionals in government and beyond. While these activities have not always been made public, the assessment below accounts for them to the extent possible.
In some cases, the recommendations face significant barriers to implementation that were anticipated even as they were drafted. While the Commission has focused heavily on shaping recommendations that had a clear path to implementation, it also recognized that limitations based on current circumstances should not inhibit its endorsement of ideas that could lead to dramatic improvement. Accordingly, the assessment below also contains four recommendations (marked in red) that are unlikely to overcome current barriers to implementation but that remain critical proposals, in the Commission’s view.
Across the totality of actions included in these areas, progress toward implementation of each recommendation is given a single score as indicated by the following color-coding system:
THE FIRST 100 DAYS OF THE BIDEN-HARRIS ADMINISTRATION
In January of 2021, the Cyberspace Solarium Commission released its “Transition Book for the Incoming Biden Administration.” This document outlined three areas on which the new administration should focus in its first hundred days:
Establish the Office of the National Cyber Director;
Develop and promulgate a National Cyber Strategy; and
Improve the coherence and impact of existing government cybersecurity efforts and further strengthen partnerships with the private sector.
That those first hundred days have recently drawn to a close provides an opportunity both to evaluate whether the priority areas identified by the Commission have been addressed and to note where executive action in general is trending toward the implementation of Commission recommendations. As we make this evaluation, the context of the past several months, which have been fraught with repeated cyber incidents, becomes particularly pertinent as well. The consequences of the SolarWinds compromise continue to unfold, even as major vulnerabilities are exploited in Microsoft Exchange Servers and as ransomware usage explodes, shutting down major critical infrastructure. The administration should be commended for responding to these exigent circumstances—a monumental task—and progress in the response is evident in the May 12, 2021, executive order on improving the nation’s cybersecurity.19 While the demands of wrestling with these specific incidents have undoubtedly drawn time and attention away from other aspects of policymaking, they have also demonstrated the need for the coordination, coherence, and strategic guidance that improved policies could bring.
Efforts to address these three CSC 100-day priorities are under way to varying degrees, but only the first—establishing the Office of the National Cyber Director—is clearly on track to implementation, as is discussed at length below. Meanwhile, a new national cyber strategy has not been released but is reportedly in process.20 The Interim National Security Strategic Guidance states that the administration “will elevate cybersecurity as an imperative across the government,” and will encourage collaboration between the public and private sectors.21 While the final result of the strategy development is not yet known, it is clear that its intent aligns with the Commission’s priorities for executive action.
19 Exec. Order No. 14028.
20 Subcommittee on Cyber, Innovative Technologies, and Information Systems Hearing: “Operations in Cyberspace and Building Cyber Capabilities Across the Department of Defense,” 117th Cong. (2021) (testimony of Mieke Eoyang and Paul M. Nakasone) https://armedservices.house.gov/hearings?ID=A29B4BAE-E25A-4ABF-B0AF-8C1F089EF2E0.
21 Joseph R. Biden, Jr., “Interim National Security Strategic Guidance” (March 2021), 18, https://www.whitehouse.gov/wp-content/uploads/2021/03/NSC-1v2.pdf.
Beyond the priorities established in the Commission’s transition book, early activity from the executive branch suggests progress on other CSC recommendations. One particular example is the February 2021 executive order on America’s supply chains,22 which made major steps toward implementing the Commission’s Recommendations 4.6 and 4.6.1, as well as the recommendations from the CSC white paper “Building a Trusted ICT Supply Chain.” The executive order initiated a series of reports that align with the first steps of the Commission’s recommendations for developing an information communication technology supply chain strategy. Similarly, the establishment of a cybersecurity working group involving the United States, Japan, India, and Australia, formed in March 2021,23 is a major step towards implementing the activities described in Commission Recommendation 2.1.1, which calls for international engagement to strengthen norms of responsible state behavior.
The President’s Budget Request provides further insight into the Biden administration’s early priorities. Overall, the request strengthens cybersecurity and particularly focuses on protecting federal civilian networks by requesting a nearly 15 percent increase in funding for cybersecurity in federal civilian agencies, on top of a nearly 11 percent increase achieved in 2020 by the Trump administration.24 This willingness to invest signals that the issue is being made a real priority; however, funding for the federal government’s work as an enabler of better cybersecurity nationwide—beyond federal networks—is less evident in the request. For example, the Cybersecurity and Infrastructure Security Agency saw an increase of just under $110 million, about 5 percent.25 As a point of comparison, in a letter to the congressional appropriations committees, Commissioners recommended an increase of $400 million. Similarly, the budget for cybersecurity and privacy at the National Institute of Standards and Technology (NIST), which develops and maintains several resources that have become keystones of national and even global cybersecurity best practice, recommends an increase of only 6 percent, bringing the total to $81.9 million. Notably, the President recommends an increase in NIST’s overall budget of almost 45 percent.26 In the aggregate, it is apparent that the administration is taking investment in the cybersecurity of federal networks seriously, but more is needed to reflect the government’s role as an enabler of national cybersecurity.
As is clear from the assessment below, these steps forward are being taken in only a few of many different areas that call for executive action. The U.S. government has a lot of work ahead. However, the early progress under the leadership of the Deputy National Security Advisor for Cyber and Emerging Technology is very encouraging; and as other key cybersecurity leaders—particularly the Director of the Cybersecurity and Infrastructure Security Agency, the head of State Department’s cyberspace policy, and especially the National Cyber Director—officially take office, the Commission expects to see more indicators of progress toward the implementation of recommendations that require executive action.
22 Exec. Order No. 14017.
23 “Press Briefing by Press Secretary Jen Psaki and National Security Advisor Jake Sullivan,” The White House, March 12, 2021, https://www.whitehouse.gov/briefing-room/press-briefings/2021/03/12/press-briefing-by-press-secretary-jen-psaki-march-12-2021/.
24 United States Office of Management and Budget, Analytical Perspectives: Budget of the U.S. Government, Fiscal Year 2022, (Washington, DC, U.S. Government Publishing Office, 2021), 168, https://www.whitehouse.gov/wp-content/uploads/2021/05/spec_fy22.pdf.
25 United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Budget Overview, Fiscal Year 2022 (Washington, DC, 2021), 8, https://www.dhs.gov/sites/default/files/publications/cybersecurity_and_infrastructure_security_agency_0.pdf.
26 United States Department of Commerce, National Institute of Standards and Technology, National Technical Information Service: Fiscal Year 2022 Budget Submission to Congress (Washington, DC, 2021), 8, https://www.commerce.gov/sites/default/files/2021-06/fy2022_nist_congressional_budget_justification.pdf.