CSC Final Report.pdf: U.S. Cyberspace Solarium Commission, Final Report, March 2020. Co-Chairmen: Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wisconsin)


A WARNING FROM TOMORROW
By Peter Singer and August Cole

You spend your whole career on Capitol Hill hoping for an office with a window. Then when you finally get it, all you want to do is look away.

They set up our emergency offsite for essential Senate staff in vacant offices once belonging to one of the contractors that lobbied us before they went belly-up last year. The offices are in a high-rise in Rosslyn, with a literal million-dollar view; looking across the Potomac River, you can see past the National Mall and the monuments all the way into downtown DC. And it just breaks your heart.

The rainbow of colors in the window paints how everything went so wrong, so fast. The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals. By comparison, the water in the Lincoln Memorial Reflecting Pool has a purple glint to it. They've pumped out the floodwaters that covered Washington's low-lying areas after the region's reservoirs were hit in a cascade of sensor hacks. But the surge left behind an oily sludge that will linger for who knows how long. That's what you get from deciding in the 18th century to put your capital city in low-lying swampland and then in the 21st century wiring up all its infrastructure to an insecure network.

All around the Mall you can see the black smudges of the delivery drones and air taxis that were remotely hijacked to crash into crowds of innocents like fiery meteors. And in the open spaces and parks beyond, tiny dots of bright colors smear together like some kind of tragic pointillist painting. These are the camping tents and makeshift shelters of the refugees who fled the toxic railroad accident caused by the control system failure in Baltimore. FEMA says it's safe to go back, now that the chemical cloud has dissipated. But with all the churn and disinfo on social media, no one knows who or what to trust. Last night, the orange of their campfires was like a vigil of the obstinate, waiting for everything to just return to the way it was. But it won't.

A knock on the door shakes me out of it. It's the legislative director, checking back in. She's anxious because the boss promised that we'd get a draft of the bill out tonight to all the other committees that touch on cybersecurity. No cars are online and nobody wants to risk the Metro after what happened on the Blue Line, though, so it'll mean hours of walking from office to office. At least the irony of backpacking around paper printouts of new cybersecurity laws will be lost on no one.

I tell her that I'll get it done and turn back to wordsmithing the preamble. I mostly mined the language from old legislation that someone just like me wrote after the 9/11 attacks. I know some online troll or talking head on the news will end up calling it lazy, but it's the closest anyone can think of as a parallel. Of course, with the servers down, our poor intern had to run down a paper copy from the Library of Congress.

Whereas, for as long as the United States has been the nation that invented and then became dependent on the Internet, it has faced online threats; and
Whereas, as these threats grew in scale and frequency, we grew too accustomed to digital interference in our society, economy, and even elections; and
Whereas, AI and automation changed these networks from use not just for communications but to connect and operate the "things" that run our physical world; and
Whereas, a new type of vulnerability thus emerged, where software could be not just a means of theft, but a weapon of disruption and even physical destruction; and
Whereas, our government and industry failed to keep pace with this change of technology and threat, being ill-organized and ill-prepared; and
Whereas, these vulnerabilities have just been exploited in extraordinary acts of treacherous violence that caused massive loss of life and effectively held the nation hostage; and
Whereas, such acts continue to pose a threat to the national security and very way of life of the United States;
Now, therefore, be it Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, that the government of the United States must…[1]

"Must" what? What can we really do? No matter what legislation we pass now, after everything that's happened, we're too late.

CONTENTS

EXECUTIVE SUMMARY 1

THE CHALLENGE 8
  The Threat 8
  Where Are We Now? 14
  Where Are We Headed? 17
  An Inflection Point 19

HISTORICAL LEGACY AND METHODOLOGY 20
  Historical Legacy 20
  Methodology 21

STRATEGIC APPROACH: LAYERED CYBER DETERRENCE 23
  The Strategic Logic Of Deterrence 26
  Defend Forward And Layered Cyber Deterrence 28
  The Implementation Of Layered Cyber Deterrence 29

PILLARS AND KEY RECOMMENDATIONS
  Reform the U.S. Government's Structure and Organization for Cyberspace 31
  Strengthen Norms and Non-military Tools 46
  Promote National Resilience 54
  Reshape the Cyber Ecosystem toward Greater Security 71
  Operationalize Cybersecurity Collaboration with the Private Sector 96
  Preserve and Employ the Military Instrument of Power 110

APPENDICES
  Appendix A: Roll-Up of Recommendations 123
  Appendix B: Legislative Proposals 127
  Appendix C: Glossary 130
  Appendix D: Abbreviations 140
  Appendix E: Government Structure for Cybersecurity 142
  Appendix F: Situating Layered Cyber Deterrence 144
  Appendix G: Engagements 146
  Appendix H: Commissioners 149
  Appendix I: Staff List 151
  Appendix J: Solarium Event Support 154

NOTES 155

CHAIRMEN'S LETTER

Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system. Capturing the complexity of this challenge is hard. Even the man credited with inventing the term "cyberspace," the science fiction author William Gibson, would later criticize it as an "evocative and essentially meaningless" buzzword.[2] In studying this issue, it is easy to descend into a morass of classification, acronyms, jargon, and obscure government organization charts. To avoid that, we tried something different: an unclassified report that we hope will be found readable by the very people who are affected by cyber insecurity—everyone. This report is also aimed squarely at action; it has numerous recommendations addressing organizational, policy, and technical issues, and we included an appendix with draft bills that Congress can rapidly act upon to put these ideas into practice and make America more secure.

The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyberattack on the nation's critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.

To prevent this from happening, our report outlines a new cyber strategy and provides more than 75 recommendations for action across the public and private sectors. Here are some big ideas to get the conversation started.

First, deterrence is possible in cyberspace. Today most cyber actors feel undeterred, if not emboldened, to target our personal data and public infrastructure. In other words, through our inability or unwillingness to identify and punish our cyber adversaries, we are signaling that interfering in American elections or stealing billions in U.S. intellectual property is acceptable. The federal government and the private sector must defend themselves and strike back with speed and agility. This is difficult because the government is not optimized to be quick or agile, but we simply must be faster than our adversaries in order to prevent them from destroying our networks and, by extension, our way of life. Our strategy of layered cyber deterrence is designed with this goal in mind. It combines enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies. It is a simple framework laying out how we evolve into a hard target, a good ally, and a bad enemy.

Second, deterrence relies on a resilient economy. During the Cold War, our best minds were tasked with developing Continuity of Government plans to ensure that the government could survive and the nation recover after a nuclear strike. We need similar planning today to ensure that we can reconstitute in the aftermath of a national-level cyberattack. We also need to ensure that our economy continues to run. We recommend that the government institute a Continuity of the Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack. Such a plan is a fundamental pillar of deterrence—a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.

Third, deterrence requires government reform. We need to elevate and empower existing cyber agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the executive branch and Congress. To that end, we recommend the creation of a National Cyber Director with oversight from new congressional Cybersecurity Committees, but our goal is not to create more bureaucracy with new and duplicative roles and organizations. Rather, we propose giving existing organizations the tools they need to act with speed and agility to defend our networks and impose costs on our adversaries. The key is CISA, which we have tried to empower as the lead agency for federal cybersecurity and the private sector's preferred partner. We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins).

Fourth, deterrence will require private-sector entities to step up and strengthen their security posture. Most of our critical infrastructure is owned by the private sector. That is why we make certain recommendations, such as establishing a cloud security certification or modernizing corporate accountability reporting requirements. We do not want to saddle the private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data to the federal government. We are not the Chinese Communist Party, and indeed our best path to beating our adversaries is to stay free and innovative. But we need C-suite executives to take cyber seriously since they are on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.

Fifth, election security must become a priority. The American people still do not have the assurance that our election systems are secure from foreign manipulation. If we don't get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up. We believe we need to continue appropriations to fund election infrastructure modernization at the state and local levels. At the same time, states and localities need to pay their fair share to secure elections, and they can draw on useful resources—such as nonprofits that can act with greater speed and agility across all 50 states—to secure elections from the bottom up rather than waiting for top-down direction and funding. We also need to ensure that regardless of the method of casting a vote, paper or electronic, a paper audit trail exists (and yes, we recognize the irony of a cyber commission recommending a paper trail).

We didn't solve everything in this report. We didn't even agree on everything. There are areas, such as balancing maximum encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop.

So please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private sector act with speed and agility to secure our cyber future.

Senator Angus King (I-Maine), Co-Chairman, Cyberspace Solarium Commission
Representative Mike Gallagher (R-Wisconsin), Co-Chairman, Cyberspace Solarium Commission

EXECUTIVE SUMMARY

AN URGENT CALL TO ACTION

For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power, American security, and the American way of life. Despite numerous criminal indictments, economic sanctions, and the development of robust cyber and non-cyber military capabilities, the attacks against the United States have continued. The perpetrators saw that their onslaught damaged the United States without triggering a significant retaliation. Chinese cyber operators stole hundreds of billions of dollars in intellectual property to accelerate China's military and economic rise and undermine U.S. military dominance.[3] Russian operators and their proxies damaged public trust in the integrity of American elections and democratic institutions.[4] China, Russia, Iran, and North Korea all probed U.S. critical infrastructure with impunity. Criminals leveraged globally connected networks to steal assets from individuals, companies, and governments. Extremist groups used these networks to raise funds and recruit followers, increasing transnational threats and insecurity. American restraint was met with unchecked predation.[5]

The digital connectivity that has brought economic growth, technological dominance, and an improved quality of life to nearly every American has also created a strategic dilemma. The more digital connections people make and data they exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure, and damage our economic and democratic institutions. The United States now operates in a cyber landscape that requires a level of data security, resilience, and trustworthiness that neither the U.S. government nor the private sector alone is currently equipped to provide. Moreover, shortfalls in agility, technical expertise, and unity of effort, both within the U.S. government and between the public and private sectors, are growing.

The 2019 National Defense Authorization Act chartered the U.S. Cyberspace Solarium Commission to address this challenge. The President and Congress tasked the Commission to answer two fundamental questions: What strategic approach will defend the United States against cyberattacks of significant consequences? And what policies and legislation are required to implement that strategy?

THE STRATEGY

After conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence. The desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence. The strategy outlines three ways to achieve this end state:

1. Shape behavior. The United States must work with allies and partners to promote responsible behavior in cyberspace.
2. Deny benefits. The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.
3. Impose costs. The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.

Each of the three ways described above involves a deterrent layer that increases American public- and private-sector security by altering how adversaries perceive the costs and benefits of using cyberspace to attack American interests. These three deterrent layers are supported by six policy pillars that organize more than 75 recommendations. These pillars represent the means to implement layered cyber deterrence.

While deterrence is an enduring American strategy, there are two factors that make layered cyber deterrence bold and distinct. First, the approach prioritizes deterrence by denial, specifically by increasing the defense and security of cyberspace through resilience and public- and private-sector collaboration. Reducing the vulnerabilities adversaries can target denies them opportunities to attack American interests through cyberspace. Second, the strategy incorporates the concept of "defend forward" to reduce the frequency and severity of attacks in cyberspace that do not rise to a level that would warrant the full spectrum of retaliatory responses, including military responses. Though the concept originated in the Department of Defense, the Commission integrates defend forward into a national strategy for securing cyberspace using all the instruments of power. Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries' operations and impose costs short of armed conflict. This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law.

THE IMPLEMENTATION

Foundation: Government Reform

The three layers of cyber deterrence rest on a common foundation: the need to reform how the U.S. government is organized to secure cyberspace and respond to attacks. The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace. We must get faster and smarter, improving the government's ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries. Reformed government oversight and organization ...