US Cyberspace Solarium Commission and the Defense Industrial Base

The US Cyberspace Solarium Commission (CSC) Report recommends a mandated program for cyber threat-hunting (CTH) on defense industrial base (DIB) networks. The recommendation, and the associated legislative proposals note that this activity could be conducted by the network owners, DoD entities, or approved third parties. PwC has asked the Capstone team to investigate the potential market for CTH as a service across the DIB. Through literature reviews, background research, and stakeholder interviews , the Capstone team met three project objectives:

• Generated insights into the potential market of stakeholders who could benefit from PwC CTH services;
• Analyzed the particular threat hunting service needs for these relevant stakeholders and the best approach to providing them;
• Provided a draft design plan for PwC to position itself as an approved thirdparty vendor of CTH services.

The  research concluded that cybersecurity legislation, in particular the Cybersecurity Maturity Model Certification, which tiers DIB firms according to level of security, is still in the early stages of implementation. Due to uneven rollout and definitions of regulations, projecting precise market size was not feasible; the only conclusion that can be drawn is that cyber threat hunting will be a very profitable enterprise as CMMC becomes defined and risk requirements proliferate. Therefore, the service model recommendation is strategic catering of CTH services to mid-tier firms whom are risk-aware but do not have the internal resources for proactive hunting. The policy recommendations advise third-party vendors to anchor expectations to CMMC and shape future policy through this acquisition reform.