
Five key lessons from the 2020 U.S. Cyberspace Solarium Commission report

By Daniel Dimov, June 1, 2020

Introduction

On March 11, 2020, the Cyberspace Solarium Commission (CSC), a governmental commission aiming to identify “a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences,” published an extensive report outlining a new cyber strategy. The report is based on over 300 interviews and includes more than 80 recommendations for actions across the private and public sectors.

The purpose of this article is to examine five key lessons from the report that provide guidelines on how to improve the cybersecurity of the United States. Those five lessons are: 

  1. Enhancing the deterrence to malicious cyberspace actors
  2. Enhancing the resilience of the US economy to cyber-attacks
  3. Reforming the government in such a way as to increase its deterrence capacity
  4. Strengthening the cybersecurity capacity of private sector entities
  5. Focusing on election security

The five lessons will be examined in more detail below. 

1. Enhancing the deterrence to malicious cyberspace actors

The report argues that, due to the unwillingness or inability of the United States to identify and punish cyberattackers, the attackers feel undeterred and even emboldened to attack US cybersecurity infrastructure. If the United States effectively defends itself against such attacks, it will dissuade potential intruders from engaging in cyber aggression.

The report proposes the creation of a layered cyber-deterrence scheme consisting of three pillars: 

  1. Promoting responsible behavior in cyberspace
  2. Denying benefits to cyberspace adversaries who act or have acted contrary to US interests
  3. Maintaining the capability to retaliate against cyberspace actors who target the United States

It is worth mentioning that the concept of deterrence played an important role in US foreign policy during the Cold War. The report defines the concept as “dissuading someone from doing something by making them believe the costs to them will exceed their expected benefit” and mentions four different types of deterrence:

  1. Deterrence by punishment (dissuasion through a threat of punishment)
  2. Deterrence by denial (dissuasion through the capacity to impede or reduce the impact of an attack)
  3. Deterrence by entanglement (dissuasion through creating conditions of mutual interdependence)
  4. Deterrence by normative acts (dissuasion through legal sanctions)

2. Enhancing the resilience of the US economy to cyber-attacks

Since deterrence requires a resilient economy, the report proposes the development of governmental plans ensuring that the US economy will recover quickly after a major cyber-attack. Their purpose is to deter adversaries by informing them that cyber-attacks will not be sufficient to paralyze the functioning of the US economy. A major part of such plans includes the restoration of critical functions across corporations and industry sectors. 

3. Reforming the government in such a way as to increase its deterrence capacity

The adequate defense of US networks requires a legal framework providing governmental institutions with the capacity to take appropriate action in case of cyber-attacks. In this regard, the report proposes the creation of a National Cyber Director, who would coordinate cybersecurity across the executive branch and Congress. The National Cyber Director would be overseen by new congressional cybersecurity committees.

The proposed reform includes transforming the Cybersecurity and Infrastructure Security Agency (CISA) into the lead US agency for federal cybersecurity. CISA would also be responsible for cooperating with the private sector on cybersecurity matters.

The authors of the report note their willingness to make CISA appealing to young information security specialists by providing remuneration and working conditions that make positions at CISA competitive with those at the National Security Agency (NSA), the FBI, Facebook and Google.

Without making work at CISA competitive, it is unlikely to hire enough qualified specialists. The report notes that there are over 33,000 unfilled cybersecurity positions in the US government alone and 500,000 unfilled positions throughout the entire United States.

4. Strengthening the cybersecurity capacity of the private sector

Most US critical infrastructure is owned by the private sector. Hence, the capacity of the private sector to respond to cyber-attacks is of utmost importance for achieving the purposes of the aforementioned layered cyber-deterrence scheme.

To ensure that the private sector is always well prepared against cyber-attacks, the report recommends establishing a cloud security certification as well as updating corporate accountability reporting requirements. The report explicitly states that it has no intention of imposing overly burdensome requirements on the private sector. On the contrary, the government would support private-sector entities so that they can quickly and efficiently prevent cyber-attackers from compromising information networks of national importance.

5. Focusing on election security

Considering the alleged Russian interference in the 2016 United States elections, it is not surprising that the report recommends establishing safeguards to protect the US election system from foreign manipulation. More particularly, the report argues that non-profit organizations (NPOs) have the capacity to quickly and efficiently ensure fair elections in all 50 states. Such a bottom-up approach is presented as a good supplement to a top-down approach (i.e., one in which the government provides directions).

Interestingly, the report notes that, irrespective of whether the voting method is electronic or not, it is necessary to keep a paper trail in order to enable an audit of the election results.

Conclusions

The report can be regarded as a bold attempt to create a nationwide, innovative cybersecurity strategy. It does not always provide detailed recommendations on how its ideas can be implemented. Certain ideas (e.g., balancing lawful access to devices against maximum encryption) are presented only as general principles.

The implementation of the ideas set forth in the report promises to protect the democratic foundations of the United States and ensure that it remains a leading force in the contemporary interconnected world.


Sources

  1. Cyberspace Solarium Commission, “Report,” March 2020
  2. Brantly, A., “The Cyber Deterrence Problem,” Rowman & Littlefield International, 2020
  3. Torrence, J., “Strongpoint Cyber Deterrence: Lessons from Cold War Deterrence Theory & Ballistic Missile Defense Applied to Cyberspace,” Xlibris US, 2020

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International Law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a master's degree in European law (the Netherlands), a master's degree in Bulgarian law (Bulgaria), and a certificate in public international law from The Hague Academy of International Law.