Cyberspace Solarium Commission Report: Turning Thought to Action
The Cyberspace Solarium Commission recently released a groundbreaking report detailing 75 recommendations for improving the cybersecurity of the nation, covering both the private and public sectors. The Commission, bipartisan in both name and spirit, conducted over 300 meetings with industry, academia, the U.S. government, think tanks and foreign governments. I had the privilege of participating in this effort. The result is a comprehensive report that urges immediate and concrete action on its recommendations, organized into six pillars:
- Reform the U.S. Government’s Structure and Organization for Cyberspace
Responsibility for cybersecurity is scattered across numerous agencies in the executive branch and numerous committees in the legislature. The report recommends simplification and consolidation in both branches, while urging diversification and enhancement of the federal cyberspace workforce.
- Strengthen Norms and Non-Military Instruments of Power
International norms for behavior in cyberspace, and standards for cross-border law enforcement cooperation, are critical for success in cyber conflict. The report recommends a Cyber Bureau under an Assistant Secretary at the Department of State, a measure that would have long-term impact. More concrete and immediate are the recommendations to improve international tools for law enforcement, and to leverage sanctions and the enforcement of trade agreements that carry cybersecurity provisions.
- Promote National Resilience
This pillar offers five recommendations, all of which seek to enhance the nation’s ability to withstand and quickly recover from a major cyber attack. The first is to bolster, through law, the power of sector-specific agencies to manage critical infrastructure risk. The second is to develop and maintain plans to sustain the economy before, during and after a major cyber event. As Paul Kennedy asserts in his classic book “The Rise and Fall of the Great Powers”, a strong economy is the most essential factor in winning a long-term war.
The third recommendation in this pillar is to codify a “cyber state of distress”, and to link it to a response and recovery fund. This proposal is analogous to the state of emergency powers residing in the executive branch.
The fourth and fifth recommendations aim to preserve the integrity of our democratic process. They would address elections directly by increasing funding for the Election Assistance Commission, and would blunt foreign disinformation campaigns by building societal resilience against them.
- Reshape the Cyber Ecosystem
Here, the Commission proposes a National Cybersecurity Certification and Labeling Authority, which would create a “seal of approval” for computing products. The goal is to provide a positive financial incentive for makers to sell secure products: security certification would become a selling point. The pillar also introduces the concept of a “Final Goods Assembler”, the company that sells to customers a product composed of multiple parts and software from many suppliers, and which would therefore bear responsibility for the security of the whole.
Other initiatives in this pillar are to fund a research and development center to develop cybersecurity insurance certifications, to amend the Sarbanes-Oxley Act to require cybersecurity reporting, and to develop a cloud security certification.
- Operationalize Cybersecurity Collaboration with the Private Sector
Public-private collaboration is a major theme in the Commission’s work. The report urges codification of “systemically important critical infrastructure”, seeks to allow intelligence agencies to share threat information and other key information with the private sector, and proposes an integrated cyber center within the Cybersecurity and Infrastructure Security Agency (CISA). This type of collaboration will be essential in creating a resilient cybersecurity posture in the U.S. Our adversaries attack public and private sector targets with equal zeal, so we must cooperate to stop them.
- Preserve and Employ the Military Instrument of Power
This pillar looks to employ military methods, along with the military itself, to defend the nation. Key components include funding increases for U.S. Cyber Command, cooperation with allies to promulgate “defend forward” (proactive defense), and a major emphasis on threat hunting to root out adversaries already inside our networks.
The Cyberspace Solarium Commission deserves great praise for its candor in identifying our problems and for seeking sweeping changes to address them. The members of the Commission all emphasize its bipartisan nature and urge tangible action on its recommendations. Clearly, we cannot continue to act as we have, and this effort holds great promise for effecting necessary changes in our cybersecurity posture.