About the time that pandemic lockdowns began, the U.S. Cyberspace Solarium Commission issued its final report. Because the media’s attention was focused on COVID-19, the report’s release was not well publicized, but the work of the Commission under the guidance of Co-Chairmen Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), is important.
The Commission was established by the 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”
The Commission advocates a new strategic approach to cybersecurity that they term: “layered cyber deterrence,” with the desired end state being a reduced probability and impact of significant cyberattacks.
The Commission’s strategy outlines three ways to achieve this end state:
Shape behavior. The US must work with allies and partners to promote responsible behavior in cyberspace.
Deny benefits. The US must deny benefits to adversaries who exploit cyberspace to their advantage at little cost to themselves. This requires working with the private sector to secure critical networks to promote resilience and increase the security of the cyber ecosystem.
Impose costs. The US must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.
As outlined in the report, each of the three involves a deterrent layer that increases American public- and private-sector security by altering how adversaries perceive the costs and benefits of using cyberspace to attack American interests.
Though deterrence has long been American strategy, there are two factors that make layered cyber deterrence distinct.
First, it prioritizes deterrence by denial, specifically by increasing the defense and security of cyberspace through resilience and public- and private-sector collaboration.
Second, the strategy incorporates the concept of “defend forward,” a concept first used in the Department of Defense, to reduce the frequency and severity of attacks in cyberspace that do not rise to a level that would warrant the full spectrum of retaliatory responses, including military responses.
Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the US must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict. This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law.
The three deterrent layers outlined above are further supported by six policy pillars with more than 75 recommendations. Together, these seven pillars represent the means to implement layered cyber deterrence.
Reform the US Government’s Structure and Organization for Cyberspace. While cyberspace has transformed the American economy and society, the government has not kept up. Existing government structures and jurisdictional boundaries fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations.
Strengthen Norms and Non-Military Tools. A system of norms promotes responsible behavior and dissuades adversaries from using cyber operations to undermine American interests. The US can strengthen the current system of norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who do not.
Promote National Resilience. Resilience, the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape US behavior, is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. National resilience efforts rely on the ability of both the United States public and private sectors to accurately identify, assess, and mitigate risk across all elements of critical infrastructure. The nation must be sufficiently prepared to respond to and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart critical functionality after disruption.
Reshape the Cyber Ecosystem. Raising the baseline level of security across the cyber ecosystem will constrain and limit adversaries’ activities. This will reduce the frequency, scope, and scale of their cyber operations. Because the vast majority of this ecosystem is owned and operated by the private sector, scaling up security means partnering with the private sector and adjusting incentives to produce positive outcomes.
Operationalize Cybersecurity Collaboration with the Private Sector. In cyberspace the government is often not the primary actor. It must support and enable the private sector by building and communicating a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector.
Preserve and Employ the Military Instrument of National Power. Future crises and conflicts will almost certainly contain a cyber component. The US must defend forward to limit malign adversary behavior below the level of armed attack, deter conflict, and, if necessary, prevail employing the full spectrum of its capabilities.
The Cybersecurity Solarium Commission’s report is an important first step in thinking about how we need to secure cyberspace, and the Commission’s leadership, members and staff should be commended.
We have some reservations about aspects of this report, and in our next op-ed, we will address those and suggest areas of improvement.
Michael Krull is President & CEO of CRA, Inc., and an adjunct professor teaching politics and public policy at Georgetown University. He also participates as a lecturer for the Georgetown Global Education Institute, which brings senior government leaders from the Pacific Rim to the United States for short-term study tours.
Jeremy Turner is a cyber security researcher, dedicated and addicted to finding and solving new challenges in the cyber security world. His experience spans public, private, defense and intelligence organizations, both in the US and with many partners abroad. Currently, he is working to solve cyber risk by building advanced analytic tradecraft at San Francisco-based Coalition Inc.
All opinion articles are the opinion of the author and not necessarily of American Military News. If you are interested in submitting an Op-Ed, please email [email protected]