- Key insight: U.S. cybersecurity progress has seen a "substantial reversal," with a new report finding nearly 25% of implemented recommendations have "lost their implemented status."
- What's at stake: The expiration of the CISA 2015 law leaves banks and critical infrastructure without liability protections, chilling their ability to share vital threat intelligence.
- Forward look: The report's authors implore the federal government to "send a clear signal ... to its adversaries," starting with the reauthorization of CISA 2015.
National progress on cybersecurity is stalling, and implementation efforts are "slipping" across the nation, according to a report issued this week by a foreign policy-focused think tank.
The report comes from the Foundation for Defense of Democracies, or FDD, a think tank that focuses on foreign policy.
The report assesses progress on recommendations issued in March 2020 by the U.S. Cyberspace Solarium Commission. That commission had been established by an act of Congress "to develop a strategic approach to defense against cyberattacks of significant consequences," according to the authorization bill.
Nearly a quarter of previously implemented recommendations have been rolled back, marking a "setback that underscores the fragility of progress," according to the FDD report.
While much of the lost progress relates to the politically polarized issue of disinformation, some also concerns less partisan matters — chiefly, the liability and antitrust protections that allow banks and other companies to share cyber threat information with one another.
Chief regression for banks: CISA 2015 expiration
The report's findings come the same month that a crucial federal law governing threat intelligence sharing expired. The Cybersecurity Information Sharing Act of 2015, or CISA 2015,
The lapse leaves financial institutions and critical infrastructure entities without antitrust protections that previously enabled them to share data about cyber threats targeting the industry.
CISA 2015 protected banks and other companies from liability claims when they shared threat intelligence, provided the data only included personally identifying information directly related to the cybersecurity threat.
Now, organizations must re-examine how they share this kind of information with the government and other companies, as they are potentially exposed to liabilities related to privacy rights.
A spokesperson for the Cybersecurity and Infrastructure Security Agency, or CISA,
Although CISA 2015, the cyber data law, shares an acronym with CISA, the agency, the two are separate. CISA has continued with certain functions despite CISA 2015 expiring and the federal government shutting down, though hindered by severe staff cuts, as detailed in the FDD report.
The expiration of CISA 2015 "is likely to cause other industries to pull back on sharing, which will create blind spots in our defenses," said Heather Hogsett, executive vice president and head of the tech policy division at the Bank Policy Institute.
The financial services sector faces major cyber threats if third-party service providers, such as Microsoft or Google, grow reluctant to share threat intelligence, according to Hogsett.
Polarized disinformation efforts tied up with bipartisan cybersecurity matters
The report from the Foundation for Defense of Democracies attributes some of the overall backsliding to the Trump administration rolling back efforts designed to improve societal resilience against foreign malign influence and disinformation operations.
The U.S. Cyberspace Solarium Commission asserted in its original recommendation that disinformation campaigns overlap with cybersecurity operations for several reasons.
First, the same threat actors active in cyber operations also carry out disinformation campaigns, so monitoring disinformation campaigns is a part of the broader countering of cybersecurity threats.
Second, during a major cyberattack on the nation's critical infrastructure and economic system, strong disinformation infrastructure would play an important role in multiplying the panic and damage caused by the attack.
On the other side, in a 2023 report from the Republican-controlled House Committee on the Judiciary, congressional staff argued that agencies such as CISA had engaged in mission creep, needlessly expanding their focus from countering foreign influence operations to addressing domestic mis-, dis- and malinformation.
Critics have also argued that countering disinformation is subject to political bias, violates the First Amendment and censors factual information that is merely used out of context.
The Trump administration has terminated all federal grant funding that supported state and local governments in countering disinformation.
The administration has also canceled federally funded research grants focused on misinformation, including studies on foreign influence and disinformation tactics on social media.
Lastly, the Trump administration has shuttered efforts at CISA, the FBI and the State Department that worked to identify and combat foreign malign influence.
Secretary Rubio, for example, in
The center had been established in 2016 to lead efforts to "recognize, understand, expose, and counter foreign state and non-state propaganda and disinformation" targeting the U.S., according to the center's mission statement.
Institutional capacity wanes, partnerships fray
The report this week also highlights significant regression outside the scope of disinformation, particularly concerning critical infrastructure partnerships and government capacity.
The Trump administration in March terminated the Critical Infrastructure Partnership Advisory Council, a body that provided the legal framework for information exchange between the federal government and private sector for nearly two decades.
Eliminating CIPAC created legal uncertainty around information sharing, according to the FDD report. Critical infrastructure operators have "scaled back their engagement" with the federal government due to fear that sensitive company data might be exposed publicly, according to FDD.
The report suggests that, if the Department of Homeland Security fails to immediately reinstate CIPAC, "Congress should intervene to restore clear legal protections for industry-government dialogue."
The Cybersecurity and Infrastructure Security Agency has also experienced substantial setbacks, losing nearly a third of its workforce, which has "severely affected" CISA's ability to engage meaningfully with industry stakeholders, according to the report.
Furthermore, the administration proposed cutting $36.5 million from CISA efforts related to the Joint Collaborative Environment, which is a real-time threat intelligence hub tasked with ensuring critical cyber-threat data is shared quickly and reliably.
Reductions have also impacted the federal cyber workforce generally. The rollback of diversity, equity and inclusion initiatives has eliminated programs that had broadened the pipeline of skilled candidates, effectively narrowing access to key talent pools, according to FDD.
A government-wide hiring freeze and workforce reductions have also severely constrained federal agencies' ability to use their hiring authorities to secure crucial cyber expertise.
The FDD suggested in its report that clarifying a consistent, skills-based model and broadening the pipelines for nontraditional candidates "will be essential to stabilizing the cyber workforce."
Silver lining: Reporting requirements
Despite the challenges, some of the Cyberspace Solarium Commission's recommendations have progressed since FDD's previous annual progress report.
The Securities and Exchange Commission's rules requiring publicly traded companies to disclose material cybersecurity incidents and annually update cybersecurity risk management policies implemented one of the key recommendations.
Additionally, the FDD report praised the General Services Administration for streamlining the Federal Risk and Authorization Management Program authorization process. FedRAMP is a compliance program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services used by the federal government.
The authors of the FDD report said that political leaders face critical choices and must "secure the gains of the past five years."
The authors also implored the federal government to "reinforce its cyber deterrence posture" and "send a clear signal of capability, intent, and continuity to its adversaries," starting with reauthorizing CISA 2015.