Silverado's 2022 Cybersecurity Policy Priorities

Six cybersecurity policies that should be top of mind for 2022.

01/12/2022 | Silverado Policy Accelerator

The past year witnessed several notable bipartisan policy advances in the cyber arena. In March, Congress authorized $1 billion for the Technology Modernization Fund as part of the bipartisan American Rescue Plan to support new investments in federal agencies’ cybersecurity infrastructure. In May, the Biden administration released its Executive Order on Improving the Nation’s Cybersecurity, which included provisions to increase security standards for vendors who supply high-risk software through the government acquisition process and a number of critical technology implementation requirements that raise the bar for security across federal government networks. Finally, the Infrastructure Investment and Jobs Act, passed by Congress in November, included $1.9 billion for a range of cyber-related investments.

Although these bipartisan initiatives collectively represent a historic investment in the nation’s cybersecurity, there is much still to do to ensure that government agencies—as well as American companies and organizations—are protected from cyber attacks. As the legislative and executive branches look ahead to the coming calendar year, Silverado Policy Accelerator recommends prioritizing the following initiatives.

1. Passage of a comprehensive federal cyber incident reporting law

In light of the 2022 National Defense Authorization Act not including provisions requiring companies to report hacks and ransom payments to the government, Congress should consider alternative paths to enacting a mandatory cyber incident reporting requirement in 2022. Such a law should require major private companies, including critical infrastructure entities, to report technical indicators associated with breach attempts to the Cybersecurity and Infrastructure Security Agency (CISA). CISA should also build the architecture to immediately pass the information on to other agencies with a need to know, such as the FBI and the relevant sector-specific agencies. Rapid access to these incident reports by CISA and the FBI, among others, is necessary to give the government a clear view into adversary campaigns targeting the U.S. and to support timely federal action. Such legislation is critical to provide the government with insight into the true nature of the threat to the private sector so that it can take appropriate deterrent action (criminal investigation, cyber offense, sanctions, etc.), and to help warn and notify other victims or vulnerable organizations that may not be aware they have been targeted.

2. Provide CISA with the appropriate authorities and resources to eventually become the operational federal CISO, or Chief Information Security Officer, for the civilian federal government (excluding DoD and the IC)

Congress took an important step toward centralizing federal cybersecurity strategy by creating CISA within DHS in 2018, but the next step is to give CISA both the authority and the resources it needs to execute its mission effectively. The long-term goal for CISA should be to evolve into an operational cybersecurity shared services provider for most civilian federal agencies, taking over their cybersecurity operations in full or in part. Achieving this objective would result in streamlined and more effective cybersecurity efforts, centralized accountability, and a higher standard of security across the government.

Congress should support CISA's ongoing efforts in the following ways:

  • Provide CISA with the resources and authority to create a 24/7 threat hunting operation center to search for intrusions on federal networks.
  • Authorize CISA to conduct a trial in which it assumes responsibility for running the cybersecurity operations of a small executive agency. The trial would allow the government to gauge what additional resources CISA would need in order to evolve into an operational Chief Information Security Officer (CISO) for the civilian federal government.
  • Create budgetary and FISMA compliance incentives for federal agencies to outsource their cybersecurity operations to CISA, turning it into a Shared Service Provider for cybersecurity.
  • Provide CISA with the appropriations that are commensurate with its growing importance by reallocating resources from agencies that opt into the Shared Service Provider model.

3. Adopt speed and outcome-based metrics to measure agencies’ response time to cyber threats

In cyberspace, the only way to reliably defeat an adversary is to be faster than they are. For this reason, Congress should require federal agencies to adopt speed metrics that measure their response to cyber threats by the time it takes to begin and complete fundamental defensive tasks.

Through legislation, Congress could require agencies to adopt speed-based metrics by mandating that they collect data on the average time it takes to perform three fundamental defensive actions: (1) detecting an incident; (2) responding to an incident; and (3) fully mitigating the risk of high-impact vulnerabilities. Measuring time to detect requires an estimate of when the intrusion began, typically reconstructed from forensic evidence during the investigation; the other two measurements only require recording the time of initial discovery of the event (intrusion or vulnerability) and the time when the response or mitigation action is finished. Thus, the program should require minimal additional resources to implement. Congress could also include a "recoverability metric" to measure agencies' ability to recover data in the event of a ransomware attack or other major cyber incident.

Over time, these metrics would provide an objective, longitudinal measurement of each agency's incident response capabilities that agencies could report to CISA, OMB, and the relevant oversight committees in Congress. If the metrics prove effective at driving the right behavior and reducing agencies' response time to cyber threats, Congress should also consider models for extending their adoption to the private sector.

In addition to these fundamental intrusion and mitigation metrics, CISA should be given the authority to develop new metrics in response to changes in the threat and defense landscape. To incentivize agencies to drive down the time it takes to discover and respond to intrusions or vulnerabilities, CISA should also implement a civilian-government-wide annual awards program to publicly acknowledge the agencies and leaders who achieve the best metrics.
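As an added example, not from the Silverado page, the following Python computes the three speed metrics from a set of incident records. The record layout, the field names, and the incident data are constructed for illustration; the one design decision worth noting is that incidents still open at the reporting date are counted and aged separately rather than averaged in, since folding them into a mean would reward leaving incidents unresolved.

```python
"""Per-agency speed metrics (detect / respond / mitigate) from incident records.

Added example, not from the Silverado page. The Incident layout, the field
names and the SAMPLE_INCIDENTS data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    agency: str
    discovered: datetime                 # when the agency first learned of the event
    response_started: datetime           # when investigation/containment began
    first_compromise: Optional[datetime] = None  # forensic estimate; may be unknown
    mitigated: Optional[datetime] = None         # None while the incident is still open


def _hours(start: datetime, end: datetime) -> float:
    """Elapsed hours; rejects records whose timestamps are out of order."""
    if end < start:
        raise ValueError(f"timestamp {end} precedes {start}")
    return (end - start).total_seconds() / 3600.0


def speed_metrics(incidents: List[Incident], as_of: datetime) -> Dict[str, dict]:
    """Return per-agency mean/median hours for the three fundamental actions.

    detect   = first_compromise -> discovered   (dwell time; needs the forensic estimate)
    respond  = discovered -> response_started
    mitigate = discovered -> mitigated

    Open incidents are right-censored: averaging them as if closed would make an
    agency look faster the longer it leaves an incident unresolved, so they are
    reported separately as a count plus the age of the oldest one.
    """
    buckets: Dict[str, Dict[str, List[float]]] = {}
    for inc in incidents:
        b = buckets.setdefault(inc.agency, {"detect": [], "respond": [], "mitigate": [], "open": []})
        if inc.first_compromise is not None:
            b["detect"].append(_hours(inc.first_compromise, inc.discovered))
        b["respond"].append(_hours(inc.discovered, inc.response_started))
        if inc.mitigated is not None:
            b["mitigate"].append(_hours(inc.discovered, inc.mitigated))
        else:
            b["open"].append(_hours(inc.discovered, as_of))

    report: Dict[str, dict] = {}
    for agency, b in buckets.items():
        row: dict = {
            "open_incidents": len(b["open"]),
            "oldest_open_hours": max(b["open"], default=0.0),
        }
        for name in ("detect", "respond", "mitigate"):
            vals = b[name]
            row[f"{name}_n"] = len(vals)                      # how many records fed the average
            row[f"{name}_mean_h"] = mean(vals) if vals else None
            row[f"{name}_median_h"] = median(vals) if vals else None
        report[agency] = row
    return report


def _utc(*ymdhm: int) -> datetime:
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed records: one closed and one still-open incident at Agency A, one closed at Agency B.
SAMPLE_INCIDENTS = [
    Incident("Agency A", discovered=_utc(2022, 1, 11, 0, 0), response_started=_utc(2022, 1, 11, 2, 0),
             first_compromise=_utc(2022, 1, 1, 0, 0), mitigated=_utc(2022, 1, 13, 0, 0)),
    Incident("Agency A", discovered=_utc(2022, 2, 1, 12, 0), response_started=_utc(2022, 2, 1, 18, 0)),
    Incident("Agency B", discovered=_utc(2022, 3, 2, 0, 0), response_started=_utc(2022, 3, 2, 1, 0),
             first_compromise=_utc(2022, 3, 1, 0, 0), mitigated=_utc(2022, 3, 2, 12, 0)),
]
AS_OF = _utc(2022, 3, 10, 12, 0)   # reporting date used to age open incidents

if __name__ == "__main__":
    for agency, row in speed_metrics(SAMPLE_INCIDENTS, AS_OF).items():
        print(agency, row)
```

With the sample data, Agency A reports a 240-hour dwell time on its one closed incident, a 4-hour mean time to respond across both incidents, a 48-hour time to mitigate, and one open incident aged 888 hours; Agency B reports 24, 1 and 12 hours with nothing open. The per-metric `_n` counts matter for oversight: a mean built from a single incident says little, and the dwell-time metric in particular is only as good as the forensic estimate of first compromise.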

4. Strengthen the executive branch's authority to sanction foreign cryptocurrency exchanges that fail to comply with basic "Know Your Customer" and anti-money laundering requirements

Ransomware criminals rely on widely available and largely pseudonymous cryptocurrencies such as Bitcoin to collect hundreds of millions of dollars in ransom payments each year and to launder those payments into fiat currencies with little risk of disclosing their identities to victims or law enforcement. Although U.S.-based exchanges are required by law to comply with robust "Know Your Customer" (KYC) and other anti-money laundering (AML) regulations, foreign exchanges have been slow to adopt similar requirements. This lack of widespread compliance undermines the efforts of the U.S. and other like-minded governments to clean up the global cyber ecosystem, since malicious actors can circumvent those requirements simply by cashing out through non-compliant foreign exchanges.

The United States should pursue a two-pronged strategy to level the international playing field. First, it should work with existing and new trading partners to ensure they have adequate KYC and AML safeguards in place for cryptocurrency exchanges based in their jurisdictions. Second, the executive branch should explore its ability to sanction foreign cryptocurrency exchanges that fail to comply with minimum KYC and AML requirements or that refuse to cooperate with U.S. law enforcement on investigations.

The Treasury Department currently has broad authority to sanction specific foreign exchanges based on evidence that they cooperate with prohibited nations or entities, but it does not have explicit authority to sanction exchanges for non-compliance with KYC and AML regulations. Granting Treasury such authority explicitly would likely encourage foreign institutions to implement these controls in order to avoid the prospect of sanctions.

5. Incorporate cyber-specific details into OFAC’s SDN list

One of the most difficult tasks facing many foreign cyber threat actors is procuring anonymous, reliable, fast, and long-lasting infrastructure (such as domains and cloud servers) to support malicious cyber attacks. These actors frequently go to great lengths, including registering shell companies and developing complex anonymous payment mechanisms, to disguise their activity, since paying with stolen bank accounts and credit cards often results in the rapid shutdown of their infrastructure once chargebacks start being reported. In addition, threat actors increasingly take advantage of legal constraints on the U.S. intelligence community's ability to monitor domestic networks by staging attacks against both private sector companies and U.S. government agencies from U.S.-based infrastructure.

The United States needs stronger mechanisms to deter cyber threat actors from leveraging U.S.-based cyber infrastructure to carry out cyber attacks. The Treasury Department's Office of Foreign Assets Control (OFAC) already maintains the Specially Designated Nationals and Blocked Persons List (SDN List), but the list is built around the names of cyber criminals and other threat actors and only rarely includes bank account information, credit card numbers, or cryptocurrency wallet addresses. As a consequence, the list is not always effective at identifying and blocking cyber threat actors, who almost always use fake names to procure infrastructure. The Treasury Department should consider how to add these other identifying financial elements to the SDN List so that payment processors and cryptocurrency exchanges can block adversary-initiated transactions at the point of sale.

6. Require threat hunting on Defense Industrial Base (DIB) networks

In March 2020, the Cyberspace Solarium Commission recommended that Congress direct the executive branch to require, as a condition of their contracts with DoD, that the companies making up the Defense Industrial Base participate in a mandatory threat hunting program on DIB networks. This recommendation was partially taken up in Section 1739 of the FY21 NDAA, but that section only required DoD to assess the feasibility and suitability of a DIB threat hunting program, without requiring DoD to establish the program once the report is issued. Congress should pass the necessary legislation to fulfill the intent of the original proposal and enable DoD to execute threat hunting operations on the networks of cleared defense contractors that hold sensitive national security information.
