Yesterday, the Cyberspace Solarium Commission report was released, which outlines a comprehensive strategy for defending the U.S. against major cyber attacks. Read our expert analysis below, and to read the report, visit this page.
March 12, 2020
Lauren Bedula – NSI Visiting Fellow; Senior Vice President at Beacon Global Strategies LLC
“I think the ‘big ideas’ reflected in the Commission’s report will do more than just ‘get the conversation started’. There are specific and achievable recommendations that are unusual for this type of effort – particularly when it comes to cybersecurity – and the Commission should be commended for this approach. The private sector is eager to operationalize cybersecurity collaboration with the U.S. government, and will welcome the Commission’s emphasis on strengthened support of their defensive efforts. Clarification of U.S. government roles and responsibilities, and the elevation of cybersecurity as a priority at DHS in recent years, has improved public-private partnerships around cybersecurity, but the Commission is right to push these efforts further. To do so, CISA must be well resourced and the U.S. government must bring to bear its authorities, resources, and intelligence capabilities to ensure meaningful support of the private sector’s defensive efforts. The Commission’s work will no doubt continue to move the needle to where we must be in order to address the many existing cyber insecurities in our nation.”
Andrew Borene – NSI Senior Fellow; CEO, Cipherloc Corporation & QuantaNova
“The report is right. America is flat out not ready to battle adversaries in cyberspace. We need to start talking about cyber the way we talk about large-scale terrorist attacks. Our adversaries don’t care if you’re public or private sector, if you’re a government agency or a private business – but that’s how we insist on defending ourselves. The real lesson from 9/11 is that we have to be willing to erase those lines and tackle the threat together. This report gives us the answers before we’re tested by a cyber 9/11. We’d be fools to ignore it again – this could be our last alarm bell.”
Christopher Bright – NSI Visiting Fellow; Professorial Lecturer, Elliott School of International Affairs, George Washington University
“When faced with novel and complex national security threats, since at least the Eisenhower Administration’s Solarium exercise in 1953, the federal government has called upon outside experts to help craft a response. Just as there is disagreement about many aspects of past initiatives, the recommendations of the Cyberspace Solarium Commission will no doubt prompt debate. What should not be obscured in these discussions, however, are the dangers highlighted in this report and the urgent need to take action.”
Megan Brown – NSI Senior Fellow and Associate Director for Cybersecurity Programs; Partner, Wiley Rein LLP
“The Report is a clarion call for more regulation and government power. It makes several helpful recommendations but includes heavy handed commands to the private sector. It is rife with the statement ‘Congress should pass a law’ – which should make readers nervous. The proposed ‘certification and labeling authority’ is one example. It would put government in the middle of private innovation, and oversimplifies cyber as something easy to quantify and communicate, like Energy Star or nutrition labels.”
Jim Danoy – NSI Visiting Fellow; Former Defense Intelligence Executive, U.S. Department of Defense
“The Cyberspace Solarium Commission’s (CSC) call for greater interaction between the Intelligence Community (IC) and the private sector, particularly in the area of information-sharing, will be a critical component of the ‘layered cyber deterrence’ strategic approach outlined by the CSC. The ability to deter, detect, deny, and respond with ‘speed and agility’ to defend U.S. people, property, and interests in cyberspace as the report demands will be dependent on and enabled through exquisite intelligence. Outdated U.S. government information sharing directives must be revised and outmoded and inadequate information technology (IT) dissemination systems upgraded—all with the need to protect sensitive information.
As part of the CSC approach the IC will require greater ‘situational awareness’ of the cyberthreats and vulnerabilities facing the private sector. As noted in the CSC report, private sector feedback to the IC on the nature of the threat it faces will be essential and must be timely and detailed in order for the IC to craft useful collection requirements and execute effective support operations. This will require an unprecedented level of trust and confidence between the private sector and the IC that to date has been uneven across the public-private domain. While a close collaborative partnership between the private sector and the IC may be uncomfortable for some, each must undertake an intensified strategic communications outreach effort to change mindsets as part of the ‘shape behavior’ component of the CSC’s call to action. I applaud the Commission’s call for a comprehensive government review of the IC’s ability to provide support to the private sector as it pertains to cybersecurity and ways to address identified shortfalls.”
Sean Kanuck – NSI Advisory Board Member; Former National Intelligence Officer for Cyber Issues, Office of the Director of National Intelligence
“The Solarium report is a formidable summation of the current state of affairs. Its near-term impact will depend on implementation of the numerous policy recommendations, but ultimate success will require adoption of even more advanced initiatives for artificial intelligence and quantum computing.”
Gentry Lane – NSI Visiting Fellow; CEO and founder of ANOVA Intelligence
“The Cyber Solarium Commission report endeavors to add context, personalize and make more compelling the incremental and abstract nature of cyber conflict. The scope is wide-sweeping and the majority of proposals are obvious. However, the proposed expansion of DHS’s authority is worrying. Despite the stellar leadership of CISA Director Chris Krebs, DHS is a shell of the agency it was meant to be. Severely understaffed in general, and even more so by those with significant cyber expertise, morale is scarce and efficiency of action is scarcer. The CSC report’s overall strategy of layered deterrence via shaping behavior, denying benefits and imposing costs is straight out of any military strategy primer. By prioritizing national security and public safety, some proposals will meet resistance by those who prioritize profits. It will be interesting to see how many of these recommendations will be adopted by the next administration.”
Andrea Limbago – NSI Senior Fellow; Chief Social Scientist at Virtru
“We are dangerously insecure in cyber. The Cyberspace Solarium Commission report quickly acknowledges this reality and highlights the infinite ways cyberspace shapes society and our national and economic security. We are at an inflection point, and authoritarian regimes currently are shaping this reality. The United States has failed to keep pace with other countries in shaping the digital revolution.
This new report refreshingly and clearly demonstrates this failure and introduces solutions to innovate across technology, governance, and norms, and to reestablish global leadership across each of these areas. The report is significant in its balanced approach to offense and defense, with key insights focused on the necessity of resilience. Whether through the creation of trusted supply chain ecosystems to promoting greater digital literacy and civics education, the report takes a necessarily nuanced approach to defense. In fact, the report highlights the need for a national data security and privacy protection law, a conversation that is too often disconnected from broader cybersecurity conversations much to the detriment of our national and economic security.
Oddly, the report seems to have a mixed relationship with math. Concrete recommendations include a new Bureau of Cyber Statistics and a Joint Collaborative Environment for secure data sharing and collaboration, as well as a strong prioritization of artificial intelligence research. These are welcome acknowledgements of the current and future digital landscape. In fact, the report declares that it is the actors with the best algorithms and tech that have the upper hand.
At the same time, the report fails to take a stance on the encryption debate that grows stronger by the day. The report (p 17) explicitly acknowledges how authoritarian states build in backdoors for government access that allows surveillance at home and abroad, but fails to take a stance against these backdoors. In fact, the report (p 95) acknowledges that encryption is essential to combat this surveillance and is necessary for a free and open internet, not to mention protecting data against the full range of threats listed in the first fifth of the report. To its credit, the opening statement admits the lack of agreement in this area, demonstrating just how fragile this essential protection is and the potential that a U.S. anti-encryption policy could be an ‘own goal’ making life easier for the range of adversaries.
Finally, while the report does a great job addressing the broad range of innovations required across technology, governance, and norms, it fell slightly short in its overview of the challenges. It describes the state and non-state actors well, but does not include the emerging threat to security and stability posed by the growing privatization of hackers for hire and disinformation for hire that continues, such as the NSO Group and Dark Matter, or so-called black PR firms.
Regardless of this oversight, the report is a welcome first step, with concrete recommendations for finally making progress toward a coherent national cyber strategy. It rightly details the ways the US – in collaboration with allies – must take the leadership role and craft the playbook for a digital democracy. Absent this digital modernization across technology, governance, and norms, authoritarian regimes will continue to fill this global vacuum to the detriment of democracy across the globe as well as our national and economic security.”
Andrew McClure – NSI Visiting Fellow; Principal, ForgePoint Capital
“The Cyber Solarium Commission is perhaps the most ambitious review of the nation’s cyber strategy in years. Unlike other run-of-the-mill think tank reports or academic papers, the Commissioners put forward practical recommendations, with clear steps toward implementation, to advance national security and sustain the health of the digital economy.
While many of the report’s proposals are welcome, not all recommendations will be met without resistance. It’s unlikely the Executive branch would welcome a Senate-confirmed National Cyber Director in the White House. However, restoring the role of the Cybersecurity Coordinator at the National Security Council would re-elevate cybersecurity as a strategic imperative across the government.
Other elements are missing from the report. Given the importance placed in the report on election security and countering disinformation, the private sector is looking to the government to lead a coordinated approach with industry to counter foreign malign influence operations, akin to a process established for coordinated vulnerability disclosure.
Nonetheless, among the report’s most important recommendations is the call for greater collaboration on data sharing among cyber insurers given the industry’s broader capacity to set standards for corporate hygiene, from seat belts to fire safety.
Most importantly, the Commissioners chart a future to regain American leadership in cybersecurity, by setting and influencing emerging standards, or leading the dialogue on acceptable norms of behavior in cyberspace, to blunt many of the gains authoritarian regimes have made to undermine human rights in the digital realm or undermine supply chains to fuel their surveillance states.”
Stephen Viña – NSI Visiting Fellow; Former Chief Counsel for Homeland Security, U.S. Senate Committee on Homeland Security
“The call to action by the Cyberspace Solarium Commission launches a bold new strategy to better strengthen cybersecurity and build more resilient infrastructure in the United States. With over seventy-five recommendations, the ‘layered cyber deterrence’ approach has the potential to reshape our country’s cyber policies for the next generation. Real progress, however, will be challenging without a strong partnership between industry and government. This report provides a solid foundation for continued collaboration among cyber stakeholders but more work needs to be done. Now is the time for Congress, the Administration, and industry to come together and turn this cyber blueprint into action.”
Dave Weinstein – NSI Visiting Fellow; Vice President of Threat Research, Claroty, Inc.
“I highly commend the Chairmen, Commissioners, and Solarium staffers for their strategic observations and practical recommendations for improving the state of the Nation’s cybersecurity. Having faced these challenges first in government and now in industry, I’m particularly enthusiastic about the prospect of ‘operationalizing’ public-private partnerships in this domain. Today the burden of defense against state-backed cyber threats rests largely with America’s private sector. Government at all levels must share in this burden. The notion of ‘ruthlessly prioritizing support to private entities’ should be adopted and codified by Congress with expediency and in a manner that doesn’t levy additional undue burdens on critical infrastructure owners and operators.”
Disclaimer: The views and opinions expressed in this analysis are those of the authors and do not necessarily reflect the official policy or position of the National Security Institute or any agency of the U.S. government. Assumptions made within the analysis are not reflective of the position of the National Security Institute or any U.S. government entity.