Today, the US Cyberspace Solarium Commission published its final report. The 182-page document is the culmination of a year-long, bipartisan process to develop a new cyber strategy for the United States. Established by the 2019 Defense Authorization Act, the commission draws its inspiration from one set up by President Dwight Eisenhower in the 1950s, as he stared down the barrel of new strategic challenges necessitating a policy overhaul.
“What we’re trying to do here is a 9/11 Commission report without 9/11,” Senator Angus King, one of the commission’s two cochairs, told me. “We’re trying to solve a problem before it turns into a catastrophe.”
Justin Sherman (@jshermcyber) is an op-ed contributor at WIRED and a fellow at the Atlantic Council’s Cyber Statecraft Initiative.
In reading the report, three categories of recommendations stand out: the common-sense and specific, the decidedly vague, and the absent. For each proposal in the report, there will inevitably be political and bureaucratic hurdles—raising the question of just how to measure the commission’s success in rebuilding US cyber strategy.
Underpinning the Cyberspace Solarium Commission’s more than 75 recommendations is a conviction that the status quo cybersecurity policy is failing. “Adversaries suspect that the US government would retaliate for turning off the power in a major city,” the report reads, “but doubt American resolve” to respond to events like election interference and intellectual property theft. “The result has been a kind of death by a thousand cuts,” said Senator King.
First up are common-sense, specific recommendations that try to move the needle. Many election-security measures fall into this category.
The commission recommends, for example, the use of “voter-verifiable, auditable, paper-based voting systems.” If the 2016 election wasn’t enough to give you pause, the debacle in Iowa in February should’ve been a wake-up call: Pushing untested technology into elections is reckless and undermines both electoral processes and public confidence. Paper voting with the listed conditions is a robust answer, and it’s also a specific one.
Reinstating a White House cyber coordinator is a similarly common-sense proposal made by the commission. John Bolton’s elimination of the position in 2018 (along with many now-vacant National Security Council roles) damaged the executive branch’s ability to manage cyber policy. Restoring the coordinator recognizes the need for cyber policy to be a national priority with a comprehensive US cyber strategy coordinated through a senior White House official. “There needs to be a focal point for action in cyberspace in the executive branch,” Representative Mike Gallagher, the commission’s other cochair, told me.
Another common-sense recommendation is the creation and adequate resourcing of a Bureau for Cyberspace Security and Emerging Technologies at the State Department, led by an assistant secretary of state. This is sharp; funding for cyber diplomacy is much needed. Congress and multiple White House administrations have continued to decimate the US’ diplomatic capabilities on a number of fronts, and it has hampered America’s ability to engage on cyber issues. “Long-term change in norms enforcement requires engagement from the larger international community,” the report says, “a process that starts with appropriate leadership, resources, and personnel within the State Department.”
“We are cognizant of the fact that norms will not emerge in a laboratory designed by cyber diplomats—they require constant action and a willingness to impose costs,” said Representative Gallagher. But “we believe that over time, working in concert with our allies, we can push back on the digital authoritarianism that China is at the vanguard of, and the cyber meddling that Russia is at the vanguard of.”
Beyond the common-sense specifics is the second group of proposals—those that are helpful but decidedly vague. While many in this camp are well-aimed, overuse of jargon and lack of specificity risk clouding the path to implementation.
The commission recommends, for instance, the Pentagon develop a “multitiered signaling strategy” around the “defend forward” concept put forth in the Defense Department’s 2018 Cyber Strategy. (According to the Pentagon, this entails disrupting or halting malicious cyber activity at its source, including below the threshold of armed conflict.) When the strategy dropped, excitement in military- and deterrence-focused sectors of the national security community about the “defend forward” concept was widespread. There was equal if not greater perplexity, though, among other countries as to what on earth “defend forward” meant.