Parsing the Cyberspace Solarium Commission Report

On March 10, Congress released the bipartisan Cyberspace Solarium Commission Report, which warned that “For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power, American security and the American way of life.” The 122-page report, the result of a year of work and more than 300 expert interviews, received well-deserved praise for thoroughness and frankness. It’s worth taking the time to read the full report. If you want to know how serious people in the government treat the issue of national security and cybersecurity, this is an essential guide.

The report contains over a hundred specific recommendations for how the government can and should improve its ability to defend the US from digital attacks. Some require Congressional measures. Others would need executive branch actions. These include calls for strategic cyber deterrence along with giving new powers to agencies like the Cybersecurity and Infrastructure Security Agency (CISA). The Commission advocates for layered cyber deterrence. The goal is to shape the behavior of America’s adversaries by denying them the benefits of cyber attacks against the US and imposing costs on them for trying.

To achieve this desired deterrence, the Commission lays out three implementation pillars: 1) Reform the US government’s structure and organization for cyberspace; 2) Strengthen norms and non-military tools; and, 3) Promote national resilience. One recommendation that I particularly like, given my recent focus on inherent cybersecurity flaws in popular technology, is the suggestion that the government establish a “labelling authority” akin to Underwriter’s Labs. This authority would test and certify technologies such as IoT devices for their security quality.

A conversation with Jamil Jaffer, SVP for Strategy, Partnerships & Corporate Development at IronNet Cybersecurity, offered additional insights into the potential—and challenges—of the Commission’s ideas. Jaffer, along with his colleague Gen. Keith Alexander, the former NSA chief who is Founder and Co-CEO of IronNet, consulted with the Commission on its work. According to Jaffer, one of the most notable aspects of the report is its call for a collective cyber defense posture from government and industry.

“The reality is that we defend individually today even though attackers often focus on us as a nation,” Jaffer said. “Given this situation, collective defense is a common-sense recommendation from the Commission. It’s based on the idea that individual organizations cannot be expected to effectively defend themselves against well-resourced nation states and global criminal gangs, to mention just two of many asymmetric threat vectors.” IronNet’s threat discovery, correlation and sharing technology could be part of a collective cyberdefense solution. “If we are going to get ahead of this threat, as the Commission has recommended, the key is to move from sharing threats–which is a key starting point–to then using information to collaborate in real time,” said Jaffer.

As Jaffer and other experienced observers have acknowledged, however, the report is just a list of recommendations. The government will now have to implement them, and that’s not a sure thing. In fact, the seriousness and maturity of the Commission’s work stood in stark contrast to the events that were unfolding at the moment of its publication—the government’s inaction and confusion about the Coronavirus pandemic.

At the same time the public was reading the Commission’s well-reasoned suggestions for new laws, strategies and government structures to mitigate major cyber risks, the real-life President of the US was busy sending out contradictory, false and arguably racist messages about the pandemic. The problems with the Coronavirus response were further compounded by short-sighted earlier decisions to fire disease experts and disband the very teams that would have led the pandemic response efforts.

Furthermore, the sober suggestions of the report, which assume the highest levels of professionalism and responsibility in government, were laughably at odds with the Trump administration’s decision to fire the Director of National Intelligence (DNI) weeks earlier merely for suggesting that Russia was interfering in the 2020 election. The week before the report came out, the new, Acting DNI refused to testify before Congress about suspected Russian cyber interference in the election.

The sub-optimal response to the Coronavirus and politically-driven manipulation of the nation’s intelligence services show how ill-prepared the government actually is for a cyber crisis. And, with the pandemic, we at least have access to all the digital tools we need to communicate and coordinate government and civilian processes. Imagine what the current national lockdown would look like if we had no phones, Internet, electricity, hospitals or law enforcement. Then, imagine that Russia decides it’s a good moment to inject disinformation into the situation to amplify the fear, as they are accused of doing in Europe. The likely resulting chaos is more like what we can expect from a cyber crisis, not the sober, “can do” attitude of the well-intentioned but naïve Cyberspace Solarium Commission.

Even the Commission’s very identity speaks to a charming nostalgia for a different era of federal power and wisdom. It’s named after a 1953 Eisenhower administration national security project, where leading experts met in the solarium on the roof of the White House to develop the best thinking on how to deal with the nuclear threat of the USSR. (Ike cooked barbecue for them up there, to keep their creative juices flowing.) It was a best-and-the-brightest moment, one that transformed US national security policy in the 1950s. As we know, though, we’re not in Eisenhower’s home state of Kansas anymore.

Experienced hands like Jaffer recognize the current challenges to implementing the Commission’s ideas. However, he is hopeful that the bipartisan nature of the project augurs well for its success. “Obviously, there are a lot of personalities and difficulties that could impede progress,” he said. “At the same time, with the right people in positions of trust and the right policies in place, you’d be amazed at what can be accomplished in a government-industry partnership.”