The Cyberspace Solarium Commission released a 122-page report on Wednesday via livestream, aimed at creating “layered cyber deterrence” to defend the US against cyber attacks. “The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” the report asserted.
The Cyberspace Solarium Commission (CSC) was established by the John S. McCain National Defense Authorization Act in 2019 and tasked with developing a “consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” The CSC Commissioners consist of 4 legislators from both chambers of Congress, 4 senior executive agency leaders, and 6 nationally recognized experts from outside of government. After conducting over 300 extensive interviews, the fourteen Commissioners issued over 80 recommendations organized around the following six policy goals.
First, the CSC recommends reforming the US government’s “Structure and Organization for Cyberspace” through the issuance of an updated National Cyber Strategy and the establishment of a Senate-confirmed National Cyber Director by the executive branch. Additionally, the CSC recommends establishing permanent House and Senate Committees on Cybersecurity, passing legislation aimed toward “policies designed to better recruit, develop, and retain cyber talent,” and investing resources to strengthen the Cybersecurity and Infrastructure Security Agency (CISA).
Second, the US should “Strengthen Norms and Non-military Tools” by creating an Assistant Secretary of State within the Department of State with a new Bureau of Cyberspace Security and Engineering Technologies tasked with leading efforts to protect US interests through international norms by engagement with allies and partners. Also, the Executive and Legislative branches should seek to set international information and communications technology standards and improve tools for law enforcement to better police activities in cyberspace.
Third, the US should “Promote National Resilience” to enhance its capacity to withstand cyber attacks. To accomplish this, among other recommendations, the CSC suggests that Congress allocate sufficient resources by codifying responsibilities for CISA to identify, assess, and manage risks, establish a Cyber Response and Recovery Fund enabling rapid responses to incidents of cyber attack, and improve the structure of the Election Assistance Commission in order to better support state and local election infrastructures.
Fourth, the US government should “Reshape the Cyber Ecosystem toward Greater Security” to raise the baseline level of security, thus reducing the frequency, scope, and scale of US adversaries’ cyber operations. Recommendations toward this policy include the establishment of several new government agencies that would be tasked with collecting data and issuing certifications and labeling for various information and communications technology products. Products targeted for certification by such agencies include cloud security and cybersecurity insurance products. Most notable under this policy goal, however, is the recommendation for the passage of a national data security and privacy protection law that would standardize requirements for the collection, retention, and sharing of user data.
Fifth, it is recommended that the US government “Operationalize Cybersecurity Collaboration with the Private Sector” by bringing to bear the US government’s “unique authorities, resources, and intelligence capabilities” to support the defensive efforts of the private sector.
Lastly, the CSC recommends that the US “Preserve and Deploy the Military Instrument of Power—and All Other Options to Deter Cyberattacks at Any Level” by defending against malicious behavior by US adversaries and utilizing the “full spectrum” of US capabilities to impose costs on adversaries that seek to conduct cyber operations, such as those targeting US elections or involving intellectual property theft. Recommendations include tasking the Department of Defense with conducting assessments of current vulnerabilities and strengths of the Cyber Mission Force.
Overall, the CSC summarized its perspective by stating:
We must get faster and smarter, improving the government’s ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries. Reformed government oversight and organization that is properly resourced and staffed, in alignment with a strategy of layered cyber deterrence, will enable the United States to reduce the probability, magnitude, and effects of significant attacks on its networks.