The Cyberspace Solarium Commission (CSC) is a modern iteration of Eisenhower’s original 1953 Project Solarium. Project Solarium was tasked with developing a national strategy to contain and counter the nuclear threat from the USSR. CSC has a similar task to contain and counter the threat from cyberspace — one that is far more complex than a single threat from a single source, but no less existential.
CSC was formed out of the 2019 National Defense Authorization Act. It is co-chaired by Sen. Angus King and Rep. Mike Gallagher, and has 14 commissioners comprising four legislators, four executive agency leaders, and six cybersecurity experts from outside of government. The staff comprises further experts from the public and private sectors.
For five months, the CSC conducted around 300 interviews with cybersecurity stakeholders, culminating in its March 2020 report (PDF) on recommendations on how the United States can contain and counter the threat from cyberspace, and continue to thrive. It describes its conclusions as the need to implement ‘layered cyber deterrence’, based on three primary pillars: strengthening norms of behavior, denying benefit to the attacker, and imposing costs on the attacker.
Disappointingly, the report starts with a post-apocalyptic cyber fiction. This will frighten the children (the consumers) and dismay the adults (security professionals). It comes over as pure FUD — something not lost on Chris Morales, head of security analytics at threat hunting firm Vectra. “It describes a worst-case scenario, which to me does fall into fear, uncertainty and doubt (FUD),” he told SecurityWeek. The danger in starting a report in this manner is it colors the rest of the content.
“Overall,” continued Morales, “I don’t see anything new and earth shattering in the recommendations. I can’t shake this feeling of another defense strategy built on attack first and have more weapons. Considering the Solarium was the start of the cold war, and this is a copy of that in principles, that would be what could be an unfortunate outcome in policy.”
After the fiction, the report gets more realistic, but Morales’ concerns about nothing new or earth shattering are valid. The three CSC pillars will immediately be recognized by enterprise security leaders — it is what they already do to protect their companies. The CSC proposal is effectively to treat the country like a single entity where the government represents the board. This national board is exhorted to use its full power, authority and resources to protect the whole country, its position in the world, and its way of life. The proposal is supported by more than 75 individual recommendations.
‘Norms’, the first pillar of the proposals, are the accepted international rules of behavior in cyberspace. The concept is not new, and has been heavily promoted by Microsoft. The report states norms already exist but are largely unenforced. It believes the U.S. can help change this with “law enforcement actions, sanctions, diplomacy, and information sharing,” but adds that this will require the ability to quickly and accurately attribute cyberattacks.
The involvement and role of law enforcement in cybersecurity needs to be handled carefully. “Although there is mention of international law enforcement and federal law enforcement,” comments Michael Daly, CTO of cybersecurity and special missions at Raytheon, “as a society, we desperately need to strengthen local law enforcement’s ability to handle cybercrime. We cannot elevate everything to the federal level, nor can we wait until activities rise to the level of a national response. By that time, the adversaries and criminals already have a foothold.” Although nation-state cyber-attacks pose a major theoretical risk, most cybercriminal activity comes from ordinary, if sophisticated, criminals.
Law enforcement’s role in cybersecurity is further muddied by the Commission’s attitude towards end-to-end encryption. “The Commission does not express a position on the growing adoption of end-to-end encryption,” it says — but then goes on to state its position. Despite the benefits of and need for strong encryption, “appropriately authorized and publicly accountable government officials must also be able to pursue criminal elements exploiting the internet to prey upon innocent persons.” But in the real world, it is not possible to combine strong end-to-end encryption with government access to the encrypted content.
Back to the need for norms, attribution is the stumbling block. It is impossible to provide irrefutable attribution through cyber evidence alone. Even when the aggressor is ‘known’, proving that knowledge in what amounts to an international court of law cannot be done. Governments can know aggressors through the work of their spy agencies, but that action alone can be viewed as a form of aggression by other countries. Distrust between geopolitical rivals will inevitably continue for so long as it is known that individual nations, on both sides of the geopolitical divide, maintain their own stock of zero-day vulnerabilities and exploits for their own ostensibly national security interests. Worldwide agreed and effective norms of international behavior are, in the current geopolitical climate, a pipe dream. The danger here is that the U.S. might start to enforce, through its global might, its own interpretation and attribution of unacceptable behavior. On a global scale, this would be counterproductive.
The remaining pillars are to deny benefit and impose costs on the attacker. Denying benefit is what enterprise security leaders do on a day-to-day basis: protect company assets, and ensure rapid recovery from a breach. Translated to the country as a corporation, this entails ‘reshaping the cyber ecosystem toward greater security’, and ‘promoting national resilience’. This is the area in which the CSC report is at its strongest and where most benefit might be realized.
The background to many of the proposals is the need to ‘operationalize cybersecurity collaboration with the private sector’. This has become vital in the age of cyber. During Eisenhower’s Project Solarium, the government could lead from the front — the government was the primary driver behind both technology and research. Today it is the private sector that leads technological development and spends the larger budget. “Technological change is outpacing the U.S. government’s ability to adapt,” notes the CSC.
As Tom Gann, chief public policy officer at McAfee comments, “Cybersecurity is everyone’s responsibility. No one industry, sector, government or individual can adequately address the cyber challenges we face from nation-state actors and other adversaries. The Solarium Commission rightly notes that turning the tide on cyber threats must involve federal, state, local and tribal governments as well as industry, academia and individuals.”
“The report’s detailed cyber strategy intends to reform how the government is currently organized to manage security threats,” comments Scott Russ, security architect at Nerdery. Tim Mackey, principal security strategist at the Synopsys cybersecurity research center, adds, “Solving the problem of information flow requires both governmental and private sector cybersecurity cooperation where the goal is a shared purpose of limiting the scope of damage associated with any attack.”
The specific recommendations for improving cybersecurity range from the obvious to the unexpected. Designating critical technology security centers, improving supply chain security, and expanding the role and work of both NIST and CISA are coupled with the imposition of liability for damages on final goods assemblers whose products include a known and unpatched vulnerability, and the call for a national data protection and privacy protection law. Resilience focuses on areas such as cyber insurance and security certifications. One glaring omission is any commitment to fund and expand the role of MITRE ATT&CK in sharing attacker TTPs and malware details.
The final pillar, imposing costs on the attacker, goes beyond the capability of the individual enterprise. For the enterprise, imposing cost revolves around making the cost of a breach too expensive so that the attacker goes elsewhere — or using active cyber defense (not to be confused with ‘hackback’) techniques to locate and disrupt the attacker. These still apply, but are augmented by a stronger possibility — the possible use of military force.
The report talks about the use of its layered cyber deterrence to forestall the need for responsive military action, but acknowledges that force is an option. “A key, but not the only, element of cost imposition is the military instrument of power,” states the CSC. However, that capability needs to be maintained and protected. Three important recommendations are that the Cyber Mission Force is adequately resourced; that all segments of the nuclear control systems and all conventional weapons systems are continually assessed for cyber vulnerabilities; and that the defense industrial base engages in threat intelligence sharing and a threat hunting program.
Part of the task of maintaining a military capability is the need to ensure that secrets encrypted today will not be exposed by the quantum computers of the future. The final recommendation of the CSC report is to ‘assess and address the risk to national security systems posed by quantum computing.’ “The federal government,” it says, “has a central role to play in ensuring that U.S. research remains ahead of that of other countries, particularly China.”
The great achievement of the Cyberspace Solarium Commission report is its attempt to combine both government and private industry in a wide-ranging project to improve the cybersecurity of the whole nation. This is not an attempt to improve a bit here and add a bit there, but to tackle all cybersecurity issues. There will be many security professionals who will not welcome all the proposals, but there will be few who will find nothing of value. It remains to be seen how much of the report will get to implementation, but it is worth noting the view of Tom Kellermann, head cybersecurity strategist at VMware’s Carbon Black business unit. “I appreciate the author’s honesty,” he told SecurityWeek. “We are in the midst of a cyber insurgence in American cyberspace and the need for proactive public policy is a patriotic imperative.”