Cyberspace Solarium Commission Report – March 2020
The Cyberspace Solarium Commission Report, released in March 2020, paints a grim picture of the level of cyber vulnerability in the United States. It stresses the need for immediate action from both the public and private sectors to deter looming catastrophe. The report focuses on strategic approaches to defend the United States against cyberattacks and the necessary policies and legislation to implement them.
A Layered Approach to Deterrence Recommended
To reduce the probability of critical cyberattacks, the report recommends three necessary layers of deterrence. To achieve this deterrence, the United States must:
- Work with allies and partners to promote responsible cyber behavior.
- Deny benefits to adversaries who exploit cyberspace by securing critical networks.
- Impose costs by maintaining a credible capacity and capability to retaliate against cyber actors.
This approach to deterrence should incorporate a “defend forward” concept to disrupt and defeat adversaries. This would be accomplished by actively observing and pursuing adversarial operations, and by imposing costs for those actions. These costs, as defined, should be “short of armed conflict”.
Six Policy Pillars for Implementation
To implement an effective national cybersecurity strategy, six pillars have been defined for implementation of the three-layered approach.
Reform the U.S. Government’s Structure and Organization for Cyberspace
Proposed governmental reforms include rapid and comprehensive improvements at all levels. This would begin with an updated National Cyber Strategy from the executive branch. Along with this, cyber oversight committees should be created in the House and Senate. A Senate-confirmed “National Cyber Director” is also advised. Along with these actions, the strengthening of the Cybersecurity and Infrastructure Security Agency (CISA) is recommended.
Strengthen Norms and Non-military Tools
While significant international norms have been established for responsible cyberspace behavior, little if any enforcement is taken against cyberthreat actors. To mitigate this, the report urges the Department of State to work with allies to employ law enforcement, information sharing, diplomacy, and sanctions to support a “rules-based international order”.
Promote National Resilience
Resilience to cyberthreats in both the public and private sectors is required to deny adversaries any benefit from their actions and to reduce their confidence that they can achieve their strategic ends. This resilience could be addressed through:
- Strengthening CISA.
- Developing a planning mechanism, in consultation with the private sector, for contingency planning for significant cyber disruptions.
- Codifying Cyber States of Distress tied to Response and Recovery Agencies and Funds.
- Improving the Election Assistance Commission.
- Government promotion of digital literacy through advancement of public awareness.
Reshape the Cyber Ecosystem Towards Greater Security
These efforts would include raising the baseline level of security by establishing a National Cybersecurity Certification and Labeling Authority. They would also involve creating laws that make final goods assemblers of hardware, firmware, and software liable for damages from known unpatched vulnerabilities. The report also calls for the creation of national standardized requirements for the collection, retention, and sharing of user data.
Operationalize Cybersecurity Collaboration with the Private Sector
Private sector entities must retain primary responsibility for creating and maintaining viable Information Security Management Systems (ISMS), but the government can greatly assist these entities by using its resources and intelligence capabilities to support businesses.
Preserve and Employ the Military Instrument of Power – and All Other Options to Deter Cyberattacks at Any Level
Efforts in this regard include a comprehensive assessment of the Cyber Mission Force, a vulnerability assessment of weapon systems, and the sharing of potential threat information between governmental agencies and the Defense Industrial Base.