In 1953, Project Solarium represented a significant “consensus exercise” among US senior officials responsible for national security. Given the plenitude of US agencies involved, consensus had to be reached in order to respond properly to the Soviet communist threat during the Cold War. The project ended up with a national strategy that guided US actions until the end of the Cold War.
There are certain similarities between the Cold War and what is happening now in cyberspace. More than that, if the superpowers had had a globally developed Internet during the Cold War, it would probably have been their main field of combat.
The Cyberspace Solarium Commission (CSC) was established to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.” The finished report was presented to the public recently, on March 11, 2020.
Members of the CSC comprise representatives of the major bodies responsible for governance of the cyber domain in the US. The report can be read here. But enough with the context, let’s jump into the content.
The whole strategy circles around the concept of “layered cyber deterrence”. The authors believe that adversaries can be discouraged from attacking US entities through multiple measures aimed at empowering the US government, increasing nationwide resilience, improving the security posture of the private sector and securing the election process. Three ways of achieving these objectives are outlined: shape behavior (promote responsible behavior in cyberspace), deny benefits (harden systems) and impose costs (retaliation).
The strategy comes with 75 recommendations, divided into six big policy pillars. We’re going to go through each of the pillars, discuss them in general terms, and touch on some of the concrete recommendations that captured my attention.
A brief summary
The USA is one of the strongest players in cyberspace. It has a long history in the field and many patents on its side, supported by a strong industry. American companies basically dominate the field globally. The US takes cyber security very seriously, but it also faces big risks due to its increased reliance on computer systems and digital services.
It’s a known fact that US-based intelligence agencies possess great capabilities in cyber security. Just have a look at how much damage the EternalBlue exploit did. The US has managed to assert itself as a great power when it comes to intelligence-related operations. Nevertheless, according to the report, the nation’s critical infrastructure is not in such good shape. US companies are targeted and breached on a large scale, the election system has been proved to be tampered with (source) and their military systems apparently seem to be vulnerable. Appearances are deceiving in this case: it turns out that, despite good developments in some areas, the US is among the most vulnerable countries in the world, a fact proven by the very existence of the report under debate here.
Pillar 1: Reform US Government’s structure and organization for cyberspace
Pillar 1 focuses on the reform of the Government, mostly by strengthening some agencies and adding a coordination layer on top. Among the recommendations, we can find:
- Updating the National Security Strategy, in line with the Solarium Report.
- Establish cyber security committees at the Congressional level, to “provide integrated oversight […] across the federal government”.
- Establish a National Cyber Director within the Executive Office of the President, to advise the President and “lead national level coordination of strategy and policy”.
- Strengthen the Cybersecurity and Infrastructure Security Agency (CISA) to ensure the resilience of critical infrastructure.
Pillar 2: Strengthen norms and non-military tools
Pillar 2 represents a clear acknowledgement that achieving cyber security is a shared responsibility and cannot be done individually or only at the national level. It must have a global dimension to become effective. Going into the “shape behavior” layer, this pillar focuses on the importance of international norms and standards and on other methods that can be used to achieve responsible behavior in cyberspace.
Pillar 3: Promote National Resilience
The US considers that good cyber resilience at the national level, mainly for critical infrastructure, represents a sort of “deny benefits” policy that will discourage adversaries from achieving their strategic ends. “The nation must be sufficiently prepared to respond to and recover from an attack, sustain critical functions […]”.
Again, the important role of CISA is emphasized. Along with that, Continuity of the Economy Planning should be developed to assure continuous operation in the event of a cyber disruption, and a Cyber State of Distress should be codified, tied to a special fund that ensures sufficient resources and capacity for rapid response.
The election system, managed by the Election Assistance Commission, is acknowledged to be critical for the country, and the recommendation is to assure the proper funding to increase its operational capacity and resilience.
Pillar 4: Reshape the cyber ecosystem toward greater security
I must be honest, this is probably the most ambitious pillar, as it strives to touch areas where regulation is considered to be very delicate. Here is a summary of what this pillar consists of:
- Establishment of a National Cybersecurity Certification and Labeling Authority, to manage a program on certification and labeling in IT&C. A cloud certification scheme is mentioned. Common Criteria is already a well-established certification scheme, but much too complex and expensive, making it unfit for many commercial products. The EU has made a similar move recently through the EU cybersecurity certification framework.
- Promote a vendor liability law for damages due to known and unpatched vulnerabilities. This could be a game changer in the industry as many products/software are left unpatched.
- The report recognizes the importance of a nation’s ability to accurately collect data and produce statistics on cyber security; a Bureau of Cyber Statistics is to be created. Good statistics are more than necessary for developing healthy evidence-based policies.
- The importance and fragility of the insurance industry is also recognized. A federal center for R&D is proposed along with a certification scheme for cyber insurance products. This is indeed a first, but understandable considering the momentum within the American insurance industry.
- Develop a strategy for ensuring trusted supply chains and the availability of critical infrastructure. This goes somewhat along the lines of the NIS Directive, which the EU adopted a couple of years ago. Going into the supply chains will not be an easy task, considering how much is made (or coded) outside the US.
- Pass a national data security and privacy protection law, similar to the EU GDPR approach.
Pillar 5: Operationalize cyber security collaboration with the private sector
Through this pillar the crucial importance of the private sector is recognized. Most critical infrastructure and services across the US are owned and operated by private entities, which bear the responsibility for protecting their assets. The private sector must indeed act, but the government is expected to support it through better use of its diplomatic and intelligence-related capabilities. Several actions to increase the collaboration are proposed.
Pillar 6: Preserve and employ the military instrument of power – and all other options to deter cyber-attacks at any level
This pillar focuses on the importance of having a strong military that also operates in cyberspace.
First of all, the US should strengthen its Cyber Mission Force, the part of the DoD responsible for countering, disrupting and imposing costs on adversaries in cyberspace. Considering that the US can properly handle threats within an armed conflict, the same should happen in cyberspace, where attacks also happen during peacetime.
Second of all, assure the cyber security of conventional and nuclear weapons systems. The same technologies that drive critical infrastructure are also used in the military, so a thorough vulnerability assessment should be done on those systems.
Drawing some conclusions
Without a doubt, building up the Cyber Solarium Report was a tremendous effort. This is, by far, the most comprehensive and ambitious cyber policy proposal that I have ever seen. It reminds me of Microsoft’s 2002 trustworthy computing initiative, when the company stopped developing new code so that it could fix the old code. Similarly, it’s like the US paused, waiting for a redesign and a restart of the system. The proposal is a game changer in many aspects and will definitely improve their posture in cyberspace, though I am not sure by how much. There are some aspects that need to be considered here before jumping to conclusions.
The first thing that comes to mind is that this report has been made public in its entirety. Many of the recommendations go into sensitive areas related to government or military reform, and the report openly states that “we are dangerously insecure in cyber”. I do understand the reasoning behind making a strategy public, but the report contains several recommendations that go into specific details.
However, within the multitude of ideas and recommendations there are a few takeaways of real strategic importance.
On top of the list we have the government’s reform. Besides strengthening some agencies, it creates a coordination layer through the National Cyber Director. This might be a very useful measure, but it depends a lot on how it will be implemented. A bad implementation can lead to just an extra layer of bureaucracy. A coordination layer must be given the necessary powers to manage law enforcement and intelligence agencies.
Secondly, what got my attention is the proposed concept of national resilience. When considering large countries such as the US, achieving large-scale resilience can be very expensive. Critical infrastructure is mainly operated (and owned) by the private sector, and as we all know cyber security is merely a cost center, meaning that CEOs might not see the ROI so easily.
Norms and international standards are more than necessary in all domains of activity, cyber included. There have been such initiatives in the past, quite successful ones, such as the Budapest Convention, the ISO 27000 series of standards or the Common Criteria. More is needed for sure, and I am glad that the US is planning to invest here. I have always looked at the US as a cyber security powerhouse, very pragmatic, hands-on and driven by its mighty industry, at least in the last two decades. By contrast, the EU, while left a bit behind in the entrepreneurial race, has focused more on how to protect itself through regulation (e.g. see the impact of GDPR).
Another important part of the report focuses on the private sector. But most of the recommendations in pillars 4 & 5 can impose significant costs on the industry, making cyber security even more expensive. As mentioned before, seeing ROI in security is a bit difficult, especially in traditional companies that are not natively digitalized. Also, the US government has shown us in the past that it has a rather uncommon view of public-private collaboration (e.g. encryption backdoors). The US is strong as a nation, but its corporations are strong too. Since corporations have global interests nowadays, nationalism could come into conflict with globalization. For sure, we will have debates around these topics.
Nevertheless, the strategy is a really good read, giving you a glimpse into what the US is facing at this moment. Judging by how the report was conceived and who the authors are, it should be endorsed on a large scale. Still, I doubt this will happen quickly, as the private sector will probably be the first to want to debate it a bit.
While reading different analyses of the report, one got my attention, written by James Andrew Lewis from the US think tank Center for Strategic & International Studies. The author remarks that the whole idea of the Cyber Solarium Report is based on a potential catastrophic cyber-attack that might hit the US, and that such attacks have been predicted regularly since 1990. The report would have benefited more if it had been based on real interests rather than on an imaginary event. I couldn’t agree more!