Three members of the Cyberspace Solarium Commission (CSC) on Feb. 25 hinted at several themes of the group’s upcoming recommendations for U.S. cybersecurity doctrine and policy, which are due for public release on March 11. Central to the report’s conclusions will be a rethinking of cyber deterrence strategies and greater coordination among the Federal government’s several agencies that focus on cyber defense, they indicated.
The CSC, established as part of the 2019 National Defense Authorization Act, is tasked with conducting a bipartisan review of cyber threats to the U.S. and providing strategic guidance and policy recommendations on how to better defend the nation against those threats. It began its review in May 2019.
Speaking at the RSA security conference in San Francisco, the three officials promised to reveal none of the report’s specific recommendations, but in the course of their discussions pointed to some likely outcomes, with recommendations expected to number “in the dozens.”
CSC member Frank Cilluffo, director of the McCrary Institute for Cyber & Critical Infrastructure Security, said the commission’s work has emphasized nation-state threats that can “change the trajectory” of U.S. national security, with a focus on the “high end of the threat spectrum.” He said the commission has concluded that traditional methods of nation-state cyber attack deterrence are not working, but “if you put classic deterrence together ... it can work.”
The “foundational thrust” of the organization’s report, said CSC member John “Chris” Inglis, a former deputy director of the National Security Agency (NSA), is “we can defend” infrastructure against cyber attackers if that effort is accompanied by a robust deterrence strategy.
“We all concluded that the deterrence status quo is not cutting it,” said Cilluffo, who said the commission will call for a “layered level of deterrence” made possible by building up the capabilities of the departments of Defense and Homeland Security, the latter’s Cybersecurity and Infrastructure Security Agency component, and the Federal Bureau of Investigation.
Inglis said the commission’s initial work revealed a bias for a bigger military role in a new deterrence strategy, but over time the thinking also included “not just government instruments of power, but also private sector instruments.”
The components of deterrence, he said, include defining “appropriate behaviors and thresholds,” consideration of remedies, the need to make infrastructure “defensible and robust,” and the “need to be willing to impose costs” on attackers. And, he emphasized, “you need to do them all at the same time.” The “most titillating” aspect of the report may be “how do you impose costs” on attackers, Inglis said.
Commission member Suzanne Spaulding said the report also will emphasize infrastructure resilience and the ability to mitigate damage from cyberattacks, including “with analog solutions, like paper ballots.” It also will feature “the idea of a resilient society, and a resilient public” that is “resilient to pernicious messaging.”
The report, she said, will come packaged with an extensive lineup of draft legislation that Congress could pursue to enact the recommendations. She said the hope is that those drafts will “help jumpstart the conversation and get things moving.”
Inglis said he hopes for fast Federal action on the report, including Congress approving enacting legislation within one year. Somewhere in the recommendations will be an ask for more funding, the commission members indicated, with Spaulding opining that the U.S. is “so dramatically under-resourced” in cyber deterrence methods.
Commenting on the tone of the commission’s 30-plus meetings since last year, Cilluffo called it “the least partisan room I’ve been in D.C.”