The Cyberspace Solarium Commission’s long-awaited report on how the United States can better defend itself against cyber threats focuses on a handful of major themes:
- Adopting a harder national deterrence strategy that will inflict more pain on attackers, sufficient to change their attack calculus;
- Creating cybersecurity-dedicated committees in Congress to cut down on current jurisdictional conflicts;
- Establishing a Senate-confirmed National Cyber Director in the White House;
- Strengthening the Cybersecurity and Infrastructure Security Agency (CISA) to ensure national resilience of critical infrastructure, and to serve as a national cybersecurity coordination hub;
- Taking action to better recruit, train, and retain talent in the cybersecurity workforce; and
- Building and enforcing international norms in cyberspace.
The commission released its formal report today, but has spent the past few weeks telegraphing its major themes, and the official release mostly follows along with those.
Even though the commission was created by Congress, its report and recommendations do not carry any force of law. But since the commission has members from both sides of the aisle in Congress, as well as administration representation, the recommendations are likely to carry significant weight with Federal policy makers.
Sen. Angus King, I-Maine, co-chair of the commission, said today, “We want to do something serious to defend this country before something catastrophic happens,” adding, “I think we are at a tipping point on cyber.”
Here’s a quick guide to the major themes, and some of the more prominent actions recommended to achieve them.
The Biggest Picture
The commission’s primary goal is to create a more robust strategy to deter nation-state cyber attacks against the U.S.
Getting to that goal rests on two big steps: 1) building up the U.S. defense of cyberspace through better resilience and collaboration between the government and the private sector, and 2) adopting the Defense Department’s “defend forward” approach announced in 2018 to reduce the severity and frequency of attacks on the U.S.
“Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict,” the commission said. “This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law.”
Enabling Rapid Response
A major benefit that the commission says its proposals will yield is enabling quicker responses to threats.
“The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” the commission said. “We must get faster and smarter, improving the government’s ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries.
“Reformed government oversight and organization that is properly resourced and staffed, in alignment with a strategy of layered cyber deterrence, will enable the United States to reduce the probability, magnitude, and effects of significant attacks on its networks,” the commission said.
At the White House
The commission recommends the White House issue an updated National Cyber Strategy “that reflects the strategic approach of layered cyber deterrence and emphasizes resilience, public-private collaboration, and defend forward as key elements.”
The commission said Congress should establish permanent select committees on cybersecurity in the House and Senate “to provide integrated oversight of the cybersecurity efforts dispersed across the federal government.” This recommendation would address long-standing complaints that competing claims of cybersecurity jurisdiction by numerous congressional committees make it very difficult for lawmakers to take action on security issues.
It also said Congress should establish in law a Senate-confirmed National Cyber Director (NCD), supported by an Office of the NCD, within the executive branch. The NCD would serve as the President’s principal advisor for cybersecurity-related issues, and “lead national-level coordination of cybersecurity strategy and policy, both within the government and with the private sector,” the commission said.
Further, it said Congress should create an Assistant Secretary of State heading a new State Department Bureau of Cyberspace Security and Emerging Technologies, which would lead U.S. efforts to develop and reinforce international norms in cyberspace.
The commission’s report features a lengthy list of additional congressional recommendations, including:
- Codifying additional responsibilities for CISA;
- Creating “continuity of the economy” planning in the event of cyber disruptions;
- Codifying a “cyber state of distress” tied to a Cyber Response and Recovery Fund;
- Improving funding for the Election Assistance Commission;
- Establishing a National Cybersecurity Certification and Labeling Authority, and directing it to develop a cloud security certification;
- Establishing a Bureau of Cyber Statistics to inform policy-makers;
- Directing establishment of an “industrial base strategy for information and communications technology” to ensure trusted supply chains;
- Directing DoD to conduct a force structure assessment of the Cyber Mission Force; and
- Directing DoD to conduct a cyber vulnerability assessment of nuclear control systems and nuclear weapons systems.
The commission recommended that Congress take action to “strengthen” CISA “in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.”
“Congress must invest significant resources in CISA and provide it with clear authorities to realize its full potential,” the commission said.
The commission urged the U.S. to take a lead role in creating and enforcing international norms in cyberspace, predicting that “effective norms will not emerge without American leadership.”
“For this reason, the United States needs to build a coalition of partners and allies to secure its shared interests and values in cyberspace” in order to promote responsible behavior and “over time,” dissuade “adversaries from using cyber operations to undermine any nation’s interests,” it said.
“The United States and others have agreed to norms of responsible behavior for cyberspace, but they go largely unenforced today. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who violate them,” it said.
“Such punishment requires developing the ability to quickly and accurately attribute cyberattacks. Building a coalition of like-minded allies and partners willing to collectively use these instruments to support a rules-based international order in cyberspace will better hold malign actors accountable,” the commission said.
Private Sector Collaboration
“The status quo in cyberspace is unacceptable,” the commission warned. “The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal. Adversaries are increasing their cyber capabilities while U.S. vulnerabilities continue to grow.”
“There is much that the U.S. government can do to improve its defenses and reduce the risk of a significant attack, but it is clear that government action alone is not enough. Most of the critical infrastructure that drives the American economy, spurs technological innovation, and supports the U.S. military resides in the private sector. If the U.S. government cannot find a way to seamlessly collaborate with the private sector to build a resilient cyber ecosystem, the nation will never be secure.”
“And, eventually, a massive cyberattack could lead to large-scale physical destruction, sparking a response of haphazard government overreach that stifles innovation in the digital economy and further erodes American strength,” the commission warned.