Q1/2020 - Cyberspace Solarium Commission

On 11 March 2020, the “Cyberspace Solarium Commission” presented its final report in Washington. The Commission was established by the US Congress in 2018 with the mandate to develop a long-term strategy of cyber deterrence to strengthen U.S. cyber security. The name of the commission - Solarium - was reminiscent of a similar commission appointed by U.S. President Dwight D. Eisenhower in the 1950s to develop recommendations on how the U.S. should deal with the nuclear threat from the Soviet Union. The new Solarium Commission was headed by Senator Angus S. King and Michael J. Gallagher, member of the House of Representatives. It further included 12 other high-level parliamentarians, government officials, members of the military and experts, including Christopher A. Wray, Director of the FBI. During its two years of operation, the Commission conducted some 400 expert interviews. The final report is divided into six sections (pillars) and contains 78 recommendations[1].

The key message of the report is that the United States needs a new deterrence strategy for cyberspace. The status quo is inviting America's enemies to attack U.S. institutions and facilities, steal intellectual property and interfere in internal democratic processes – such as elections – without fear of reprisal. The threat to America is real[2]. The USA is experiencing a “strategic dilemma”: the more the digitalisation of the U.S. economy and society advances, the greater its vulnerability becomes. The risk lies not only in a “catastrophic cyber attack” but also in the millions of daily intrusions in domestic affairs disrupting everything from financial transactions to the electoral system.

The commission proposes to respond with a “layered deterrence” that includes offensive and defensive elements. The report comprises five core messages:

  1. Deterrence is possible in cyber space;
  2. Deterrence relies on a resilient economy;
  3. Deterrence requires government reform;
  4. Deterrence will require new forms of cooperation between the government and the private sector, and
  5. Election security in the U.S. must become a priority.

The new deterrence strategy for cyber space outlines three layers to deal with potential adversaries:

  1. Influencing behaviour (Shape Behavior),
  2. Reducing privileges (Deny Benefits), and
  3. Punishing misbehaviour (Impose Costs).

These three layers result in six areas in which the United States must take action:

  1. Reform the U.S. Government's Structure and Organization for Cyberspace;
  2. Strengthen Norms and Non-Military Tools;
  3. Promote National Resilience;
  4. Reshape the Cyber Ecosystem;
  5. Operationalize Cybersecurity Collaboration with the Private Sector;
  6. Preserve and Employ the Military Instrument of National Power[3].

The Commission gives action recommendations for each of the six areas. The proposals include measures like:

  1. Issue an updated National Cyber Strategy,
  2. Establish a Senate-confirmed National Cyber Director in the White House,
  3. Establish two Select Congress Committees in the U.S. House of Representatives and in the U.S. Senate (Committees on Cybersecurity),
  4. Strengthen the existing Cybersecurity and Infrastructure Security Agency (CISA),
  5. Appoint an Assistant Secretary of State for Cybersecurity,
  6. Establish a National Cybersecurity Certification and Labeling Authority, and
  7. Establish a Bureau of Cyber Statistics.

Measures are suggested for the fields of education (Digital Literacy, Civic Education and Public Awareness) and risk impact assessment (Identification, Assessment and Management of National and Sector-Specific Risks). According to the report, it must be examined whether and to what extent the U.S. military is appropriately protected against cyber attacks and which types of staged reactions are to be applied in response to attacks (defend forward).

The U.S. Congress will hold a series of hearings on the report of the Cyberspace Solarium Commission in the 2nd quarter of 2020. It will monitor the implementation of the recommendations and present an implementation report in 2022.

  1. [1] See: Final Report of the US Cyberspace Solarium Commission, Washington, 12 March 2020, in: https://www.solarium.gov/
  2. [2] See: Final Report of the US Cyberspace Solarium Commission, Executive Summary, p. iii, Washington, 12 March 2020: “The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop.”, in: https://www.solarium.gov/
  3. [3] See: Final Report of the US Cyberspace Solarium Commission, Washington, 12 March 2020, Executive Summary, Roll Up of Recommendations: “PILLAR 1: REFORM THE U.S. GOVERNMENT’S STRUCTURE AND ORGANIZATION FOR CYBERSPACE; 1.1: Issue an Updated National Cyber Strategy; 1.2: Create House Permanent Select and Senate Select Committees on Cybersecurity; 1.3: Establish a National Cyber Director; 1.4: Strengthen the Cybersecurity and Infrastructure Security Agency; 1.5: Diversify and Strengthen the Federal Cyberspace Workforce; PILLAR 2: STRENGTHEN NORMS AND NON-MILITARY TOOLS; 2.1: Create a Cyber Bureau and Assistant Secretary at the U.S. Department of State; PILLAR 3: PROMOTE NATIONAL RESILIENCE; 3.1: Codify Sector-specific Agencies into Law as “Sector Risk Management Agencies” and Strengthen Their Ability to Manage Critical Infrastructure Risk; 3.2: Develop and Maintain Continuity of the Economy Planning; 3.3: Codify a “Cyber State of Distress” Tied to a “Cyber Response and Recovery Fund”; Enabling Recommendation 3.4: Improve the Structure and Enhance Funding of the Election Assistance Commission; 3.5: Build Societal Resilience to Foreign Malign Cyber-Enabled Information Operations; PILLAR 4: RESHAPE THE CYBER ECOSYSTEM TOWARD GREATER SECURITY; 4.1: Establish and Fund a National Cybersecurity Certification and Labeling Authority; 4.2: Establish Liability for Final Goods Assemblers; 4.3: Establish a Bureau of Cyber Statistics; 4.4: Resource a Federally Funded Research and Development Center to Develop Cybersecurity Insurance Certifications; 4.5: Develop a Cloud Security Certification; 4.6: Develop and Implement an Information and Communications Technology Industrial Base Strategy; 4.7: Pass a National Data Security and Privacy Protection Law; PILLAR 5: OPERATIONALIZE CYBERSECURITY COLLABORATION WITH THE PRIVATE SECTOR; 5.1: Codify the Concept of “Systemically Important Critical Infrastructure”; 5.2: Establish and Fund a Joint Collaborative Environment for Sharing and Fusing Threat Information; 5.3: Strengthen an Integrated Cyber Center within CISA and Promote the Integration of Federal Cyber Centers; 5.4: Establish a Joint Cyber Planning Cell under the Cybersecurity and Infrastructure Security Agency; PILLAR 6: PRESERVE AND EMPLOY THE MILITARY INSTRUMENT OF POWER; 6.1: Direct the Department of Defense to Conduct a Force Structure Assessment of the Cyber Mission Force; 6.2: Conduct a Cybersecurity Vulnerability Assessment of All Segments of the NC3 and NLCC Systems and Continually Assess Weapon Systems’ Cyber Vulnerabilities”, in: https://www.solarium.gov/