The past two years have been witness to significant improvements in U.S. cybersecurity. Critical legislation has broken loose from long-standing jurisdictional conflicts to become law. Congress passed the Cyber Incident Reporting Act, which requires critical infrastructure companies to report cyberattacks and ransomware incidents. Lawmakers have increased funding for government cybersecurity efforts, particularly at the country’s primary cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security, whose budget has grown by more than 25
percent, from $2 billion for FY20 appropriation1 to $2.59 billion for FY22 appropriation.2 Even more funding is expected in FY23.3 The White House now has a national cyber director (NCD) to lead the coordination of cybersecurity strategy and policy implementation across the government. The State Department has a bureau and a nominated ambassador charged with leading America’s international engagement on cyberspace challenges. And the executive branch has taken other important actions
(based on new legislation), such as the establishment of the Joint Cyber Defense Collaborative at CISA.
Collectively, these changes will help deter malign actors in cyberspace and shore up U.S. defenses at home. They will also make digital interactions safer for stakeholders across industry and around the world. Most importantly, these changes will help to protect every American who uses the internet for work, study, or staying connected with loved ones. However, this progress cannot be the culmination of
the U.S. government’s focus on cybersecurity; it must be the prelude to even further changes.
Congress created the U.S. Cyberspace Solarium Commission(CSC) to identify a strategic approach to securing cyberspace.
Over the course of three years, the Commission developed 116 recommendations, many of which are accompanied by model legislative language. The Commission’s original report in March 2020 had 82 recommendations. Of these, nearly 60 percent are fully implemented or nearing implementation, and
more than 25 percent are on track to implementation.
However, implementation is not the same as success. Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape. Accordingly, this assessment details both the progress of the Commission’s original work as well as the work of the non-profit CSC 2.0 project that has accepted the baton in the long race to secure cyberspace. Even as we issue this progress report, we know that assessing implementation is not enough. We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail — protecting our national cybersecurity.