Recently, we identified cyberattacks targeting people and organizations involved in the upcoming presidential election. While we are committed to defending our democracy against these attacks through notifications of such activity to impacted customers, security features in our products and services, and legal and technical disruptions, the role of government in addressing these threats has never been more important. Beyond the most recent attacks targeting U.S. elections, nation-states and cyber criminals continue to conduct attacks and steal data and dollars with impunity.
We can and must do better. On a national and global level, Microsoft has been an active participant with government and private-sector partners to strengthen cybersecurity. The opportunity for Congress to do its part and take meaningful steps to advance cybersecurity is right before us. Recent recommendations from the Cyberspace Solarium Commission offer opportunities to strengthen government and build deeper public and private partnerships in order to advance our collective cybersecurity.
Building trust and security in cyberspace requires sustained global engagement and collaboration across key multilateral and multi-stakeholder dialogues. Strengthened U.S. leadership is needed now more than ever. Importantly, the Commission contemplates working with a coalition of like-minded allies and partners willing to collectively support a rules-based international order in cyberspace to better hold malign actors accountable. We support this vision. However, in current practice, the lack of U.S. leadership in key dialogues at the United Nations and multi-stakeholder convenings such as the Paris Call for Trust and Security has inhibited progress. Moreover, as the Commission notes, and as we have seen through our participation, a leadership vacuum creates an opportunity for harmful agendas to gain traction.
Cyberattacks are increasing every day. These attacks are threatening or damaging our enterprises, critical infrastructure, elections and citizens who use the internet for banking, commerce, communication, education, entertainment and all the activities of modern society. Many of the ideas and recommendations put forward in the Commission’s report have become even more important since its work was completed, as the COVID-19 pandemic has intensified all of society’s reliance on the internet.
In the context of all of these considerations, the Solarium Commission has made some specific recommendations that are critical to advancing our collective cybersecurity, and, as we approach National Cybersecurity Awareness Month, we strongly recommend that Congress act on them:
- Streamline leadership: We strongly endorse the proposed National Cyber Director and see the establishment of a single individual responsible for leading national cyber strategy and coordinating federal government efforts to address malicious cyber activity as an essential step towards addressing the challenges of government coordination in the United States. The current distribution of authorities and responsibilities across the U.S. Government has created inefficiencies that undermine its ability to respond to incidents and work with the private sector. Through the establishment of a National Cyber Director, we are hopeful that improved coordination across government and the private sector will greatly enhance our collective security.
- Establish acceptable behavior: An Assistant Secretary of State focused on cybersecurity will enable the United States to assume a leadership role in defining and adopting global cyber policies, along with broader efforts around multi-stakeholder engagement and the development of acceptable practices. As the Commission notes, the United States is well suited to bolster existing rules through law enforcement actions, sanctions, diplomacy and information sharing – to encourage states to adhere to current rules and punish those who do not.
- Harden critical infrastructure: Strengthening the cybersecurity of U.S. critical infrastructure – including through adequate funding, effective use of advanced technology, improved legal authorities, codification of critical infrastructure, and improved data availability through the collection of cyber statistics – will advance the protection and resilience of these essential elements of our economy and democracy. Alongside other relevant steps, supporting critical infrastructure operators in effectively integrating technologies such as cloud services can help mitigate cybersecurity risks associated with the convergence of information technology and operational technology environments.
- Deter and defend: The executive branch should prepare a “continuity of the economy” plan to guide recovery from a potentially devastating cyberattack, indicating that the United States is prepared for such an event and will not be felled by it. Key to this effort will be leveraging and coordinating alongside existing and ongoing plans and activities, such as the National Cyber Incident Response Plan and the development of scenario- or sector-specific supplements.
The U.S. Government is well positioned to lead the world in domestic cybersecurity, and as an advocate for meaningful cybersecurity principles globally. Microsoft has long been an active participant in international cybersecurity policy and has worked continuously to collaborate with governments to strengthen security and improve the safety of the internet for all. We will continue to engage in this much-needed cybersecurity discourse both here and abroad. We commend the Cyberspace Solarium Commission for its thoughtful recommendations and believe that they warrant careful consideration by Congress. We call on members of Congress to take action on the Commission’s recommended solutions to establish mechanisms for the U.S. to strengthen its cybersecurity, facilitate collaboration among stakeholders and be a leader on critical global efforts.