March 11, 2020
WASHINGTON, D.C. – U.S. Senator Angus King (I-Maine) and Congressman Mike Gallagher (R-Wis.), co-chairs of the Cyberspace Solarium Commission (CSC), today announced the release of the CSC’s report on how to best protect the nation’s critical infrastructure from a cyberattack of significant consequence. In today’s report, the CSC lays out a comprehensive strategy to restore deterrence in cyberspace and provides extensive policy and legislative actions to enable this strategy. The report recommends a strategy of “layered cyber deterrence” that seeks to: shape behavior in cyberspace, deny benefits to adversaries who would seek to exploit cyberspace to their advantage, and impose costs against those who would nonetheless choose to target America in and through cyberspace.
The report details the extensive threats to our security, from nation states like China, Russia, Iran, and North Korea, but also from non-state actors like criminals and extremist groups. It highlights the unique challenges in defending the nation’s cyberspace, which is largely owned and operated by the private sector, and is intended to provide a path forward to building the robust public-private collaboration that is needed to establish effective cybersecurity. Unlike the previous model of many major policy reports, the Commission's recommendations serve more as a roadmap for the U.S. to improve its posture in cyberspace. Major recommendations contained in the report include establishing a Senate-approved National Cyber Director to lead the federal government’s work in cyberspace, the development of a continuity of the economy plan to ensure the rapid recovery of national critical functions following a major disruptive cyber event, and the creation of House Permanent Select and Senate Select Committees on Cyber to provide integrated oversight of the federal government’s cybersecurity efforts.
In recent weeks, Commissioners have briefed Congressional leaders and members, and the staffs of relevant committees. In the coming months the Commissioners will work with Congress, the Administration, and private sector partners to implement the CSC’s recommendations. Congressional hearings are already on the calendar for the Commission to share its views with relevant Committees in both chambers.
The full report can be read HERE.
“The reality is that we are dangerously insecure in cyber,” write King and Gallagher in the report’s Chairmen’s Letter. “Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”
“We didn’t solve everything in this report. We didn’t even agree on everything,” the Chairmen continue. “…Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop.”
The report includes more than 75 specific recommendations, organized into 6 pillars. These include:
1. Reform the U.S. Government’s Structure and Organization for Cyberspace. The U.S. government’s existing infrastructure is not up-to-date to meet the opportunities and challenges presented in cyberspace, with fractured responsibilities slowing our response in a domain that is constantly shifting. To that end, recommendations in this pillar include:
· Congress should create House Permanent Select and Senate Select Committees on Cyber to provide integrated oversight of the federal government’s cybersecurity efforts.
· Congress should establish a Senate-confirmed National Cyber Director, and an accompanying office, within the Executive Office of the President. The position will serve as the President’s principal advisor for cyber issues and lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.
· Congress should strengthen the Cybersecurity and Infrastructure Security Agency (CISA) in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.
2. Strengthen Norms and Non-Military Tools. A system of norms, built through international engagement and cooperation, promotes responsible behavior and dissuades adversaries from using cyber operations to undermine our nation’s interests. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who violate them. Recommendations include:
· Congress should create an Assistant Secretary of State in the Department of State, with a new Bureau of Cyberspace Security and Emerging Technologies, who will lead the U.S. government’s effort to develop and reinforce international norms in cyberspace.
3. Promote National Resilience. Resilience – the capacity to withstand and quickly recover from attacks – is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. We must improve our national resilience, in both the public and private sectors, and enhance our ability to accurately identify and mitigate risk across all elements of critical infrastructure. Recommendations include:
· Congress should direct the U.S. government to develop and maintain Continuity of the Economy planning in consultation with the private sector to ensure continuous operation of critical functions of the economy in the event of a significant cyber disruption.
· Congress should codify a Cyber State of Distress tied to a Cyber Response and Recovery Fund to ensure sufficient resources and capacity to respond rapidly to significant cyber incidents.
· The U.S. government should promote digital literacy, civics education, and public awareness to build societal resilience to foreign, malign cyber-enabled information operations.
4. Reshape the Cyber Ecosystem Toward Greater Security. Raising the baseline level of security across the cyber ecosystem will, over time, reduce the frequency, scale, and scope of our adversaries’ cyber operations. This pillar requires partnering with the private sector and adjusting incentives to produce positive outcomes. Recommendations include:
· Congress should establish and fund a National Cybersecurity Certification and Labeling Authority empowered to establish and manage a program on voluntary security certifications and labeling of information and communication technology products (an “Underwriters Laboratories” for cybersecurity products).
· Congress should establish a Bureau of Cyber Statistics charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policy making and government programs.
· Congress should pass a national data security and privacy protection law establishing and standardizing requirements for the collection, retention, and sharing of user data.
5. Operationalize Cybersecurity Collaboration with the Private Sector. Unlike in other physical domains, in cyberspace the government is often not the primary actor. As a result, it must support and enable the private sector efforts to understand and confront threats. Recommendations include:
· Congress should codify the concept of “systemically important critical infrastructure”, whereby entities responsible for systems and assets that underpin national critical functions are ensured the full support of the U.S. government and shoulder additional security requirements befitting their unique status and importance.
· Congress should direct the executive branch to elevate and strengthen a public-private, integrated cyber center in CISA to support its critical infrastructure security and resilience mission and to conduct a one-year, comprehensive systems analysis review of federal cyber and cybersecurity centers.
6. Preserve and Employ the Military Instrument of Power – And All Other Options to Deter Cyberattacks at Any Level. Cyberspace is already an arena of strategic competition, where states project power, protect their interests, and punish their adversaries. The U.S. must defend forward to limit malicious behavior by our adversaries below the level of armed attack, deter conflict, and, if necessary, prevail by employing the full spectrum of its capabilities. To achieve these goals, the U.S. must demonstrate its ability to impose costs and establish a clear declaratory policy that signals to rival states the costs and risks associated with attacking the U.S. in cyberspace. Recommendations include:
· Congress should direct the Department of Defense to conduct a force structure assessment of the Cyber Mission Force to ensure that the United States has the appropriate force structure and capabilities in light of growing mission requirements and increasing expectations, in both scope and scale.
· Congress should direct the Department of Defense to conduct a cybersecurity vulnerability assessment of all segments of the nuclear control systems and continually assess weapon systems’ cyber vulnerabilities.
The Cyberspace Solarium Commission was established by statute in the 2019 National Defense Authorization Act (NDAA), and officially launched in April 2019. Over the last 11 months the Commissioners convened 29 times, and the Staff conducted more than 300 engagements, drawing upon the expertise of corporate leaders, federal, state and local officials, academics, and cybersecurity experts. The goal of this engagement was to understand America’s posture in cyberspace and find opportunities to improve our national preparedness to defend ourselves against cyberattacks.
In addition to Senator King and Representative Gallagher, the Commissioners included Senator Ben Sasse (R-Neb.); Congressman Jim Langevin (D-R.I.); Frank Cilluffo, Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University; Tom Fanning, Chairman, President and CEO of the Southern Company; Chris Inglis, Professor of Cybersecurity Studies at the U.S. Naval Academy and former Deputy Director of the National Security Agency; Patrick Murphy, former Congressman and former Under Secretary of the Army; Samantha Ravich, Vice Chair of the President’s Intelligence Advisory Board and former principal deputy National Security Advisor to Vice President Dick Cheney; Suzanne Spaulding, Senior Adviser for Homeland Security at the Center for Strategic and International Studies and former Under Secretary of National Protection and Programs Directorate at the Department of Homeland Security; Christopher Wray, Federal Bureau of Investigation; David Norquist, Department of Defense; David Pekoske, Department of Homeland Security; and Andrew Hallman, Office of the Director of National Intelligence.
“Warning lights have been blinking for a long time,” said Senator Sasse. “China and Russia have attacked the United States in cyberspace, and Washington has been caught flat-footed without a cyber doctrine. This report lays out a vision for defending the world’s most advanced digital society through a strategy of layered cyber deterrence. There are a lot of recommendations in here – some of them are great and some of them need more work. This report is the beginning, not the end. Now, it’s time to execute.”
“The cybersecurity threats facing our nation have never been more urgent, and they are poised only to grow,” said Congressman Langevin, co-founder and co-chair of the Congressional Cybersecurity Caucus. “In my more than a decade working on cybersecurity issues, I have never felt more optimistic about our path forward than I do with the release of the Solarium report. We have a long way to go as a nation to close our aperture of vulnerability in cyberspace. But the strategy we lay out today will make us much more secure if we have the political will to execute it. I sincerely thank my fellow commissioners, particularly our steadfast co-chairs Senator King and Congressman Gallagher, for their immense dedication to this project, and I thank Speaker Pelosi for giving me this opportunity to serve.”
The CSC was established in the 2019 NDAA in the spirit of the original Project Solarium convened by President Dwight D. Eisenhower in 1953. The original Solarium was created to develop a consensus strategy to counter the Soviet Union as it was threatening the United States and its allies in the early days of the Cold War. This work contributed to the strategies that guided the United States through the Cold War ending with the fall of the Berlin Wall and the collapse of the Soviet Union. The newest iteration of the Solarium seeks to create a path forward that will guide the United States through a new age of warfare.