CYBERSPACE SOLARIUM COMMISSION
MARCH 2020

CO-CHAIRMEN
Senator Angus King (I-Maine)
Representative Mike Gallagher (R-Wisconsin)

A WARNING FROM
By Peter Singer and August Cole
You spend your whole career on Capitol Hill hoping for an office with a window.
Then when you finally get it, all you want to do is look away.
They set up our emergency offsite for essential Senate staff in vacant offices once belonging to
one of the contractors that lobbied us before they went belly-up last year. The offices are in a
high-rise in Rosslyn, with a literal million-dollar view; looking across the Potomac River, you can
see past the National Mall and the monuments all the way into downtown DC.
And it just breaks your heart.
The rainbow of colors in the window paints how everything went so wrong, so fast. The
water in the Potomac still has that red tint from when the treatment plants upstream were
hacked, their automated systems tricked into flushing out the wrong mix of chemicals.
By comparison, the water in the Lincoln Memorial Reflecting Pool has a purple glint to it.
They’ve pumped out the floodwaters that covered Washington’s low-lying areas after the
region’s reservoirs were hit in a cascade of sensor hacks. But the surge left behind an oily
sludge that will linger for who knows how long. That’s what you get from deciding in the
18th century to put your capital city in low-lying swampland and then in the 21st century
wiring up all its infrastructure to an insecure network. All around the Mall you can see the
black smudges of the delivery drones and air taxis that were remotely hijacked to crash into
crowds of innocents like fiery meteors. And in the open spaces and parks beyond, tiny dots
of bright colors smear together like some kind of tragic pointillist painting. These are the
camping tents and makeshift shelters of the refugees who fled the toxic railroad accident
caused by the control system failure in Baltimore. FEMA says it’s safe to go back, now that
the chemical cloud has dissipated. But with all the churn and disinfo on social media, no one
knows who or what to trust. Last night, the orange of their campfires was like a vigil of the
obstinate, waiting for everything to just return to the way it was.
But it won’t.

A knock on the door shakes me out of it. It’s the legislative director, checking back in. She’s
anxious because the boss promised that we’d get a draft of the bill out tonight to all the
other committees that touch on cybersecurity. No cars are online and nobody wants to risk
the Metro after what happened on the Blue Line, though, so it’ll mean hours of walking from
office to office. At least the irony of backpacking around paper printouts of new cybersecurity laws will be lost on no one.
I tell her that I’ll get it done and turn back to wordsmithing the preamble. I mostly mined the
language from old legislation that someone just like me wrote after the 9/11 attacks. I know
some online troll or talking head on the news will end up calling it lazy, but it’s the closest
anyone can think of as a parallel. Of course, with the servers down, our poor intern had to
run down a paper copy from the Library of Congress.
Whereas, for as long as the United States has been the nation that invented and then
became dependent on the Internet, it has faced online threats; and
Whereas, as these threats grew in scale and frequency, we grew too accustomed to digital
interference in our society, economy, and even elections; and
Whereas, AI and automation changed these networks from use not just for communications
but to connect and operate the “things” that run our physical world; and
Whereas, a new type of vulnerability thus emerged, where software could be not just a
means of theft, but a weapon of disruption and even physical destruction; and
Whereas, our government and industry failed to keep pace with this change of technology
and threat, being ill-organized and ill-prepared; and
Whereas, these vulnerabilities have just been exploited in extraordinary acts of treacherous
violence that caused massive loss of life and effectively held the nation hostage; and
Whereas, such acts continue to pose a threat to the national security and very way of life of
the United States;
Now, therefore, be it Resolved by the Senate and House of Representatives of the United
States of America in Congress assembled, that the government of the United States must…[1]
What can we really do? No matter what legislation we pass now, after everything that’s
happened, we’re too late.

CONTENTS

EXECUTIVE SUMMARY  1

THE CHALLENGE  8
  The Threat  8
  Where Are We Now?  14
  Where Are We Headed?  17
  An Inflection Point  19

HISTORICAL LEGACY AND METHODOLOGY  20
  Historical Legacy  20
  Methodology  21

LAYERED CYBER DETERRENCE  23
  The Strategic Logic Of Deterrence  26
  Defend Forward And Layered Cyber Deterrence  28
  The Implementation Of Layered Cyber Deterrence  29

PILLARS AND KEY RECOMMENDATIONS
  Reform the U.S. Government’s Structure and Organization for Cyberspace  31
  Strengthen Norms and Non-military Tools  46
  Promote National Resilience  54
  Reshape the Cyber Ecosystem toward Greater Security  71
  Operationalize Cybersecurity Collaboration with the Private Sector  96
  Preserve and Employ the Military Instrument of Power  110

APPENDICES
  Appendix A: Roll-Up of Recommendations  123
  Appendix B: Legislative Proposals  127
  Appendix C: Glossary  130
  Appendix D: Abbreviations  140
  Appendix E: Government Structure for Cybersecurity  142
  Appendix F: Situating Layered Cyber Deterrence  144
  Appendix G: Engagements  146
  Appendix H: Commissioners  149
  Appendix I: Staff List  151
  Appendix J: Solarium Event Support  154

NOTES  155

CHAIRMEN’S LETTER

Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting
everything from financial transactions to the inner workings of our electoral system. Capturing the complexity of this
challenge is hard. Even the man credited with inventing the term “cyberspace,” the science fiction author William Gibson,
would later criticize it as an “evocative and essentially meaningless” buzzword.[2] In studying this issue, it is easy to descend into a morass of classification, acronyms, jargon, and obscure government organization charts. To avoid that, we tried something different: an unclassified report that we hope will be found readable by
the very people who are affected by cyber insecurity—everyone. This report is also aimed squarely at action; it has numerous
recommendations addressing organizational, policy, and technical issues, and we included an appendix with draft bills that
Congress can rapidly act upon to put these ideas into practice and make America more secure.
The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable,
if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual
property theft using cyber espionage. A major cyberattack on the nation’s critical infrastructure and economic system would
create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the
To prevent this from happening, our report outlines a new cyber strategy and provides more than 75 recommendations for
action across the public and private sectors. Here are some big ideas to get the conversation started.
First, deterrence is possible in cyberspace. Today most cyber actors feel undeterred, if not emboldened, to target our
personal data and public infrastructure. In other words, through our inability or unwillingness to identify and punish our
cyber adversaries, we are signaling that interfering in American elections or stealing billions in U.S. intellectual property is
acceptable. The federal government and the private sector must defend themselves and strike back with speed and agility.
This is difficult because the government is not optimized to be quick or agile, but we simply must be faster than our adversaries in order to prevent them from destroying our networks and, by extension, our way of life. Our strategy of layered cyber
deterrence is designed with this goal in mind. It combines enhanced resilience with enhanced attribution capabilities and a
clearer signaling strategy with collective action by our partners and allies. It is a simple framework laying out how we evolve
into a hard target, a good ally, and a bad enemy.
Second, deterrence relies on a resilient economy. During the Cold War, our best minds were tasked with developing
Continuity of Government plans to ensure that the government could survive and the nation recover after a nuclear strike.
We need similar planning today to ensure that we can reconstitute in the aftermath of a national-level cyberattack. We
also need to ensure that our economy continues to run. We recommend that the government institute a Continuity of the
Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the
economy back up and running after a catastrophic cyberattack. Such a plan is a fundamental pillar of deterrence—a way to
tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack
against us.

Third, deterrence requires government reform. We need to elevate and empower existing cyber agencies, particularly the
Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the
executive branch and Congress. To that end, we recommend the creation of a National Cyber Director with oversight from
new congressional Cybersecurity Committees, but our goal is not to create more bureaucracy with new and duplicative
roles and organizations. Rather, we propose giving existing organizations the tools they need to act with speed and agility
to defend our networks and impose costs on our adversaries. The key is CISA, which we have tried to empower as the lead
agency for federal cybersecurity and the private sector’s preferred partner. We want working at CISA to become so appealing
to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins).
Fourth, deterrence will require private-sector entities to step up and strengthen their security posture. Most of our
critical infrastructure is owned by the private sector. That is why we make certain recommendations, such as establishing a
cloud security certification or modernizing corporate accountability reporting requirements. We do not want to saddle the
private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data
to the federal government. We are not the Chinese Communist Party, and indeed our best path to beating our adversaries
is to stay free and innovative. But we need C-suite executives to take cyber seriously since they are on the front lines. With
support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.
Fifth, election security must become a priority. The American people still do not have the assurance that our election systems are secure from foreign manipulation. If we don’t get election security right, deterrence will fail and future generations
will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole
thing up. We believe we need to continue appropriations to fund election infrastructure modernization at the state and local
levels. At the same time, states and localities need to pay their fair share to secure elections, and they can draw on useful
resources—such as nonprofits that can act with greater speed and agility across all 50 states—to secure elections from the
bottom up rather than waiting for top-down direction and funding. We also need to ensure that regardless of the method of
casting a vote, paper or electronic, a paper audit trail exists (and yes, we recognize the irony of a cyber commission recommending a paper trail).
We didn’t solve everything in this report. We didn’t even agree on everything. There are areas, such as balancing maximum
encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of
principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all
united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every
second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop. So
please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private
sector act with speed and agility to secure our cyber future.

Senator Angus King (I-Maine)
Co-Chairman, Cyberspace Solarium Commission

Representative Mike Gallagher (R-Wisconsin)
Co-Chairman, Cyberspace Solarium Commission

EXECUTIVE SUMMARY
AN URGENT CALL TO ACTION
For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power, American security, and the American way of life. Despite numerous criminal indictments, economic sanctions, and the development of
robust cyber and non-cyber military capabilities, the attacks against the United States have continued. The perpetrators
saw that their onslaught damaged the United States without triggering a significant retaliation. Chinese cyber operators
stole hundreds of billions of dollars in intellectual property to accelerate China’s military and economic rise and undermine
U.S. military dominance.[3] Russian operators and their proxies damaged public trust in the integrity of American elections
and democratic institutions.[4] China, Russia, Iran, and North Korea all probed U.S. critical infrastructure with impunity.
Criminals leveraged globally connected networks to steal assets from individuals, companies, and governments. Extremist
groups used these networks to raise funds and recruit followers, increasing transnational threats and insecurity. American
restraint was met with unchecked predation.[5]
The digital connectivity that has brought economic growth, technological dominance, and an improved quality of life
to nearly every American has also created a strategic dilemma. The more digital connections people make and data they
exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure, and damage our
economic and democratic institutions. The United States now operates in a cyber landscape that requires a level of data
security, resilience, and trustworthiness that neither the U.S. government nor the private sector alone is currently equipped
to provide. Moreover, shortfalls in agility, technical expertise, and unity of effort, both within the U.S. government and
between the public and private sectors, are growing.
The 2019 National Defense Authorization Act chartered the U.S. Cyberspace Solarium Commission to address this challenge.
The President and Congress tasked the Commission to answer two fundamental questions: What strategic approach will defend
the United States against cyberattacks of significant consequences? And what policies and legislation are required to implement
that strategy?

THE STRATEGY
After conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original
Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new
strategic approach to cybersecurity: layered cyber deterrence. The desired end state of layered cyber deterrence is a reduced
probability and impact of cyberattacks of significant consequence. The strategy outlines three ways to achieve this end state:
1. Shape behavior. The United States must work with allies and partners to promote responsible behavior in cyberspace.
2. Deny benefits. The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in
collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.
3. Impose costs. The United States must maintain the capability, capacity, and credibility needed to retaliate against actors
who target America in and through cyberspace.

Each of the three ways described above involves a deterrent layer that increases American public- and private-sector security by
altering how adversaries perceive the costs and benefits of using cyberspace to attack American interests. These three deterrent
layers are supported by six policy pillars that organize more than 75 recommendations. These pillars represent the means to
implement layered cyber deterrence.
While deterrence is an enduring American strategy, there are two factors that make layered cyber deterrence bold and
distinct. First, the approach prioritizes deterrence by denial, specifically by increasing the defense and security of cyberspace
through resilience and public- and private-sector collaboration. Reducing the vulnerabilities adversaries can target denies
them opportunities to attack American interests through cyberspace. Second, the strategy incorporates the concept of
“defend forward” to reduce the frequency and severity of attacks in cyberspace that do not rise to a level that would warrant
the full spectrum of retaliatory responses, including military responses. Though the concept originated in the Department
of Defense, the Commission integrates defend forward into a national strategy for securing cyberspace using all the instruments of power. Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict. This posture signals to
adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not
cause physical destruction or death, with all the tools at its disposal and consistent with international law.

THE IMPLEMENTATION
Foundation: Government Reform
The three layers of cyber deterrence rest on a common foundation: the need to reform how the U.S. government is organized
to secure cyberspace and respond to attacks. The U.S. government is currently not designed to act with the speed and agility
necessary to defend the country in cyberspace. We must get faster and smarter, improving the government’s ability to organize
concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options
that signal a capability and willingness to impose costs on adversaries. Reformed government oversight and organization ...