Cyberspace Solarium report calls for layered cyber deterrence, defend forward strategy

Last week, the US Cyberspace Solarium Commission, a bicameral, bipartisan intergovernmental body created by the 2019 Defense Authorization Act, launched its official report on the organization, policy and technical issues surrounding how to best defend the country against digital security threats. Inspired by a commission established in the Eisenhower Administration to tackle Cold War era problems, the Cyberspace Solarium Commission is co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI). It counts among its 14 commissioners four members from Congress, four senior executive agency leaders and six experts from outside of government.

The objective of the commission is to cut through the thicket of government bureaucracy and terminology and archaic structures surrounding cybersecurity to come up with implementable action plans that address the issues uncovered by the commission’s investigation. The report spells out 75 recommendations for action across the public and private sectors.

Layered cyber deterrence

Most notably, it advocates a new overarching strategic approach the commission calls “layered cyber deterrence,” aimed at reducing the probability and impact of significant cybersecurity attacks. To reach this state of layered cyber deterrence, the Solarium Commission says three things are needed:

• Shape behavior to promote responsible behavior in cyberspace.
• Deny benefits to adversaries who have long exploited cyberspace to America’s detriment.
• Impose costs on actors who negatively interfere with the United States in cyberspace.

(The report acknowledges the limitations and misleading nature of the term “cyberspace,” citing William Gibson, the famed science fiction writer who coined the term, who himself criticized the word he created as “evocative and essentially meaningless.”)

The three layers, in turn, are supported by six policy pillars spelled out in the report. The six pillars organize the 75 recommendations. The policy pillars include:

• Reform the US government’s structure and organization for cyberspace.
• Strengthen norms and non-military tools.
• Promote national resilience.
• Reshape the cyber ecosystem toward greater security.
• Operationalize cybersecurity collaboration with the private sector.
• Preserve and deploy the military instrument of power to deter cyberattacks.

Government cybersecurity reform is key

Central to the entirety of the report’s recommendations is the first policy pillar of reforming the government’s structure and ability to tackle issues in cyberspace. To that end, the commission recommends creating an updated national cybersecurity strategy that reflects layered cyber deterrence and the establishment of a House Permanent Select and Senate Select Committees on Cybersecurity, along with a senate-confirmed national cyber director.

The report emphasizes that a strengthened Cybersecurity and Infrastructure Security Agency (CISA), the independent arm of the Department of Homeland Security (DHS) charged with overseeing the government’s cybersecurity needs, should be coordinating the range of efforts needed to establish the new approach to cybersecurity. “We need to elevate and empower existing cyber agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the executive branch and Congress,” Senator King and Representative Gallagher wrote in their preface to the Commission’s Report.

Recommendation to “defend forward”

Of particular note is that the deterrence strategy outlined in the report incorporates the controversial concept of “defend forward,” which was first embraced by the Department of Defense (DoD) in its 2018 Cyber Strategy and then later adopted as one of the authorities granted to the Secretary of Defense in the National Security Presidential Memorandum-13 (NSPM-13). As the report states, defend forward holds “that to disrupt and defeat ongoing adversary campaigns, the United States must pro-actively observe, pursue and counter adversaries’ operations and impose costs short of armed conflict.” In other words, defend forward might mean the US takes actions first to preempt adversarial action in the cybersecurity arena.

To this end, the commission recommends that the congress direct the DoD to conduct a “force structure assessment of the Cyber Mission Force: to ensure that the United States has the appropriate force structure and capabilities in light of growing mission requirements and increasing expectations, in both scope and scale.”

The need to boost spending on the military’s Cyber Mission Force is demonstrated by the fact that its current operating capabilities were set in 2013 before Russia took down Ukraine’s power grid or conducted cyber attacks against the US during the presidential election. “The Cyber Mission Force is tasked with conducting a diverse set of missions, at scale, and must also have sufficient capacity to maintain steady-state operations while surging to respond to an emerging crisis,” Erica Borghard, senior director and lead, Task Force One, for the Cyberspace Solarium Commission and Shawn W. Lonergan, a senior advisor to the US Cyberspace Solarium Commission, wrote in Lawfare.

Whether this or other recommendations by the commission will see the light of day in terms of actual legislation is a question mark. Conservatives in congress may fear any further incursion by the government into the swiftly moving cybersecurity arena.

Megan Brown, Associate Director for Cybersecurity Programs; Partner, Wiley Rein LLP, and Senior Fellow at the National Security Institute at George Mason University said in a statement, “The report is a clarion call for more regulation and government power. It makes several helpful recommendations but includes heavy handed commands to the private sector.”

Senator King, who was instrumental in pushing for the creation of the commission, admitted that he doesn’t yet have the full support of the Oval Office. However, some leading Republicans are proponents of the commission’s recommendations. Ben Sasse (R-NE) said, “This report is the beginning, not the end. Now, it’s time to execute.”

One of the congressional members of the commission, Representative Jim Langevin (D-RI), who co-founded the Congressional Cybersecurity Caucus and chairs the House Armed Services Committee’s Subcommittee on Intelligence and Emerging Threats and Capabilities, urged Congress to take action on the report’s recommendations. Saying that the federal government faces a void in comprehensive cyberspace policy, he called for a “new strategy that will make our nation more resilient for years to come....This report is a clear call to action highlighting specific steps we can take to make America safer.”

Comments are closed.