Q1/2020 - Cyberspace Solarium Commission
On 11 March 2020, the “Cyberspace Solarium Commission” presented its final report in Washington. The Commission was established by the US Congress in 2018 with the mandate to develop a long-term strategy of cyber deterrence to strengthen U.S. cyber security. The name of the commission - Solarium - was reminiscent of a similar commission appointed by U.S. President Dwigth D. Eisenhower in the 1950s to develop recommendations on how the U.S. should deal with the nuclear threat from the Soviet Union. The new Solarium Commission was headed by Senator Angus S. King and Michael J. Gallagher, member of the House of Representatives. It further included 12 other high-level parliamentarians, government officials, military and experts, including Christopher A. Wray, Director of the FBI. During its two years of operation, the Commission has conducted some 400 expert interviews. The final report is divided into six sections (pillars) and contains 78 recommendations[1].
The key message of the report is that the United States needs a new deterrence strategy for cyberspace. The status quo is inviting America's enemies to attack U.S. institutions and facilities, steal intellectual property and interfere in internal democratic processes – such as elections – without fear of reprisal. The threat to America is real[2]. The USA is experiencing a “strategic dilemma”: the more the digitalisation of the U.S. economy and society advances, the greater becomes its vulnerability. The risk does not only consist in a “catastrophic cyber attack” but also in the millions of daily intrusions in domestic affairs disrupting everything from financial transactions to the electoral system.
The commission proposes to respond with a “layered deterrence” that includes offensive and defensive elements. The report comprises five core messages:
- Deterrence is possible in cyber space;
- Deterrence relies on a resilient economy;
- Deterrence requires government reform;
- Deterrence will require new forms of cooperation between the government and the private sector, and
- Election security in the U.S. must become a priority.
The new deterrence strategy for cyber space outlines three layers to deal with potential adversaries:
- Influencing behaviour (Shape Behavior),
- Reducing privileges (Deny Benefits), and
- Punishing misbehaviour (Impose Costs).
These three layers result in six areas in which the United States must take action:
- Reform the U.S. Government's Structure and Organization for Cyberspace;
- Strengthen Norms and Non-Military Tools;
- Promote National Resilience;
- Reshape the Cyber Ecosystem;
- Operationalize Cybersecurity Collaboration with the Private Sector;
- Preserve and Employ the Military Instrument of National Power[3].
The Commission gives action recommendations for each of the six areas. The proposals include measures like:
- Issue an updated National Cyber Strategy,
- Establish a Senate-confirmed National Cyber Director in the White House,
- Establish two Select Congress Committees in the U.S. House of Representatives and in the U.S. Senate( Committees on Cybersecurity)
- Strengthen the existing Cybersecurity and Infrastructure Security Agency (CISA),
- Appoint an Assistant Secretary of State for Cybersecurity,
- Establish a National Cybersecurity Certification and Labeling Authority, and
- Establish a Bureau of Cyber Statistics.
The measures are suggested for the fields of education (Digital Literacy, Civic Education and Public Awareness) and risk impact assessment (Identification, Assessment and Management of National and Sector-Specific Risks). It had to be checked if and to what extent the U.S. military was appropriately protected against cyber attacks and which types of staged reactions were to be applied in response to attacks (defend forward), so the report.
The U.S. Congress will hold a series of hearings on the report of the Cyberspace Solarium Commission in the 2nd quarter of 2020. It will monitor the implementation of the recommendations and present an implementation report in 2022.