Frank Cilluffo has learned to look around policy corners that few people are even aware of.
He served as principal adviser to Tom Ridge, the first director of the Office of Homeland Security, after the 9/11 attacks. He directs Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. He is also a member of the Cyberspace Solarium Commission (CSC), the intergovernmental body aimed at protecting the U.S. from cyberattacks.
Cilluffo and the CSC have proven influential. Twenty-five of the group’s recommendations made their way into the National Defense Authorization Act for Fiscal Year 2021, which was signed into law in January. In the wake of the recent SolarWinds breach, and the recent ransomware attack on Colonial Pipeline, Cilluffo and the CSC have become critical to policymakers and to enterprise CIOs looking for guidance.
Much of Cilluffo’s work at the McCrary Institute centers on research designed to shore up cybersecurity across the private and public sectors, and to craft policies that protect the U.S.’s critical infrastructure.
Cilluffo took part in a panel at RSA Conference 2021 to discuss what’s needed to improve the nation’s cybersecurity posture. He met with Endpoint in advance to discuss working with Congress and executive agencies to make CSC’s recommendations a national reality.
How will your commission influence cybersecurity in the U.S.?
One of the big issues in cybersecurity is situational awareness. So one of our big efforts is what we call the joint cyber-collaborative environment. It’s a public-private partnership. We’ve talked about those for years, but really what are the operational steps you can take to advance that?
For this effort, we’re starting with critical infrastructures—the lifeline sectors where a cybersecurity incident could have a catastrophic impact on public health and safety, economic security, or national security. It’s a database concept. It involves a cloud-based environment collecting data from the federal government and some of the most critical infrastructures, called pooled “systemically important critical infrastructure” (SICI).
How do you plan to get around the private-sector hesitancy to share data?
One idea that is getting traction right now is around codifying a cyber state of distress. Think disaster recovery—we need the same for cyber, especially when it comes to state, local, tribal, and territorial partners. These entities assume the same risk as the feds do, and they are woefully behind in their capabilities. I think of it as similar to a FEMA disaster declaration when there’s a natural disaster. In the same way municipalities require federal assistance at those times, cyber incidents too require funding to provide technical support and resources to scale up in the event of an incident.
Do you expect the benefits to trickle down to the private sector?
Absolutely. As with a natural disaster, at the end of the day, you’re going to see Verizon, AT&T, and others at the heart of a response—just to keep crucial communications flowing.
One of our recommendations that the House has already passed was to have a Cyber Diplomacy Act elevating the State Department’s role in cyber responses. We want to establish an ambassador-level role.
We’ve ceded the international cyber battlefield, which is now fully exploited by Russia and China. I’m never going to say we should cede our national interest, but we must find ways to work better with our allies to push back on [things like] Huawei’s 5G aspiration.
Who pays for more robust cybersecurity across the public and private sectors?
We’re looking at the viability of creating a public-private national security investment group to attract private capital for investments. We’ve got all sorts of loopholes that have allowed other nations, with different intentions from us, to gobble up opportunities in early-stage venture funding for technologies. We’ve got to start onshoring some of these technologies again. Whether it’s the most critical components, such as chips, we’ve got to bring that back.
That being said, I don’t care how secure or robust your response is. If you’ve got potential vulnerabilities in the hardware, that opens it up for exploitation. We’ve got to bring that technology back in order to have greater confidence in our supply chains, our products, and our components.
How should the U.S. fend off cybercriminals and nation-states working together?
The commission is dead set on trying to advance a Bureau of Cyber Statistics. That way, we can have actuarial data and statistics to be able to ultimately define smart cybersecurity responses and tools. There’s also support for provisions like a Cyber Crime Victim Assistance and Recovery Center. At the end of the day, individuals still don’t know who to call after an incident. Who cares if we’re winning the inside-the-Beltway game if we’re not helping the average citizen?
After hacks like SolarWinds, how can the software supply chain be protected without hampering productivity?
We’re calling for a National Supply Chain Intelligence Center. Again, we’re not just talking about government, but also about bringing in the private sector so we have visibility. Now, every time something happens, we’re in firefighting mode. That’s not a sustainable approach. We need to have greater visibility across our supply chains, obviously focusing on the most critical sectors and functions first. We can’t constantly react and take a tactical approach to a strategic issue.
We do need visibility, and we just don’t have it now. Our recommendations have to include the private sector. Companies need to help us define the pathways forward, because they’re on the frontline of this war. Not many companies went into business thinking they’d have to defend themselves against foreign intelligence services.
There are some unique capabilities the federal government can bring, including intelligence from multiple sources. But they are by no means the panacea. Companies need to take all these concepts and make them real.