Cyber Solarium and the Sunset of Cybersecurity
March 13, 2020
The new Cyber Solarium Commission report will be the focal point for the discussion of cybersecurity for some time. It makes recommendations in six areas: reforming government, strengthening norms, promoting resilience, operationalizing work with the private sector, and using military power. Although many of its recommendations are valuable, there are also shortcomings, chiefly because of an emphasis on defending against catastrophic cyberattack.
This is perhaps the sixth effort since 1998 to develop a national cyber strategy. The project's name derives from Dwight Eisenhower's Solarium Project, which had two teams of experts develop competing strategies. Eisenhower's Solarium was essentially a guided debate on whether to pursue the confrontational strategy of World War II or to develop a new strategy, deterrence, to contain the Soviet threat while minimizing the risk of warfare. The debate's results went to a president with deep strategic experience who faced a true existential threat, not a fictional one. The new Cyber Solarium report differs from the original not only in that it did not use competing concepts, but in that it has neither an attentive president in office nor faces an existential threat.
Pundits have regularly predicted a catastrophic cyberattack since the 1990s, yet it has never happened, making the report's lachrymose introduction of looking onto a ruined Washington from the wilds of Rosslyn frivolous. It is easy to confuse cyberattack for nuclear war, but the differences should be obvious. Understanding why a disastrous cyberattack is unlikely and how our opponents will actually use cyber operations is essential for developing effective cybersecurity, but this cannot be predicated on fictitious catastrophes. The report’s recommendations that address imaginary catastrophes should receive a low priority or be ignored.
The report models itself on the 9/11 Commission and its long laundry list of recommendations. The 9/11 report received its political impetus from the deep dismay Americans felt from the surprising and humiliating success of a handful of zealots. It could not be ignored. 9/11 forced a rethinking of U.S. strategy and security organization. The Cyber Solarium does not have the same emotional and political impetus behind it, and by endorsing deterrence it did not take full advantage of the opportunity to rethink U.S. strategy.
The report boldly states that "deterrence is possible in cyberspace." There are two problems with this statement. The first is that cyber deterrence has failed regularly and routinely since the dawn of the internet. While deterrence worked between 1953 and 1990, it failed both before and after this golden age (in 1939, for example). U.S. adversaries have developed ways to circumvent U.S. deterrent power using new tactics and technologies in Ukraine, the South China Sea, and in cyberspace. These opponent actions render precedents from nuclear strategy (like deterrence and signaling) less than useful for a new strategic environment.
More importantly, attempting to resurrect deterrence is a central strategic failure for the United States. The utility of deterrence remains a subject of intense debate, but if we recall Paul Kennedy's statement that empires fail not because they do not recognize the problems they face but because they continue to apply old solutions to problems where they are ineffective, a strong endorsement of deterrence is questionable. One way to think about this is to ask what would have happened if the United States had announced it would deter Imperial Japan and Nazi Germany in 1940? This would have been a recipe for defeat. Deterrence is a passive strategy that yields the initiative, and U.S. opponents in the present are not the geriatric Soviets.
The section on norms is one of the strongest parts of the report. The central tenet, that the United States should build a coalition of democracies to impose penalties on those who violate the norms agreed to in 2015, is exactly right. The report correctly states that "[e]ffective norms will not emerge without American leadership," and its call for a new bureau and assistant secretary of state for cybersecurity and emerging technologies should be acted upon immediately. But long experience shows that the secretary of state and the president must lead major international initiatives if they are to succeed in protecting norms. This section is an example of how the role of the president is downplayed throughout the report. Although understandable in a bipartisan commission today, it will be hard if not impossible to make progress on international cybersecurity without presidential leadership.
Not discussing internet governance along with norms was a missed opportunity for the report. This reflects an older and increasingly outmoded approach. Governance and cybersecurity are merging, and weak governance contributes to weak cybersecurity. U.S. opponents plan to capture internet governance to make cyberspace more amenable to their strategic objectives and to reduce political risk to their regimes. A broad discussion that links cybersecurity to governance is unavoidable since it touches on data protection, digital commerce, and information operations. How we expand the discussion of cybersecurity to reflect the growing centrality of digital technologies is a growing challenge for analytical work. This means inherited "stovepipes" for governance, privacy, commerce, and security need to be shattered.
Recommendations for reforming government suggest that Congress streamline its cyber committees (a noble but hopeless request) and "establish a Senate-confirmed National Cyber Director (NCD) supported by an Office of the NCD, within the Executive Office of the President." This echoes several earlier reports and is a mistake. The thinking behind an NCD is to create something like the U.S. trade representative, but an NCD would more likely follow the trajectory of the drug czar, exiled to a satellite office and struggling for influence. This administration unwisely eliminated the position of special assistant to the president and cybersecurity coordinator on the National Security Council staff, a position that by being integrated in the center of national security and foreign policy decisionmaking and direction, was much more effective. The NCD recommendation should not be acted upon.
Other recommendations on federal administration are much more useful. The report calls for strengthening the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Cyber Threat Intelligence Integration Center, the National Institute of Standards and Technology (NIST), and the FBI. It has recommendations on building the cyber workforce and on reviewing the federal approach to critical infrastructure (which dates back to the 1990s).
Another recommendation calls for operationalizing public-private partnership by having Congress "codify" critical infrastructure risk. Codification would be unhelpful at a time when cloud computing, artificial intelligence, and 5G networks are rapidly reshaping the technologies for infrastructure. Certification of critical infrastructure software could be useful but not in a process led by the Department of Defense and the Department of Homeland Security, neither of which are standards bodies nor command the enthusiastic support of the private sector in standards setting. This task should be given to NIST.
Recommendations to increase resilience are part of a larger strategy of "layered deterrence" that involves improved attribution, signaling, and collective action. One goal is to create "continuity of the economy" plans to restore critical functions after a "disastrous cyberattack." But if a disastrous cyberattack is unlikely, this will undercut calls to spend on resilience. A discussion of resilience needs to acknowledge the vast scale of the U.S. economy (and hence the vast cost). There is an echo of the civil defense efforts of the 1960s. Congress never provided sufficient funds for that program, and it will not do so now. Another obstacle is that getting the private sector to invest in resilience is difficult; companies are being asked to spend money on things that do not generate returns. Resilience is consistent with the logic of deterrence but not the logic of the market. The report recognizes this problem but struggles in addressing it.
The report repeats the charge that the United States is losing the standards battle. This charge is inaccurate. Standards are a battleground, but the Unites States is holding its own. China is politicizing the standards process, and it inundates meetings with participants. It leads in some bodies like the International Telephony Union (ITU but not in the 3rd Generation Partnership Project (3GPP), the standards body responsible for 5G, which blocks efforts by one government to seize control. Chinese technology is also often inferior, making people reluctant to use it as a standard. Interviews with leading U.S. 5G companies show that the 3GPP standards process is still led by Western companies, not China. The key element for a stronger U.S. presence is financial support for researchers to participate in standards discussions.
A final category of recommendations looks at electoral risks. Some of the suggested actions, such as reforming laws on political advertising, are important. Others perpetuate the misunderstanding found in many elites’ assessments of 2016. The Russians did not hack voting machines or voter lists; they "hacked" American minds by exploiting attitudes on populism, nationalism, and racism to manipulate politics. Hardening the electoral machinery, while useful, would have failed to prevent the interference of 2016 and will be ineffective against threats that take advantage of increasing discontent. Election security touches on First Amendment freedoms and sensitive political issues that fall outside the scope of the traditional concepts of cybersecurity but must necessarily be considered to protect democracy.
The first Solarium was a product of its times—and is probably unrepeatable. A new “Solarium” faces complicated problems, the most important of which is defining our vital interests in cyberspace in a post-triumphalist era. This is not an easy task, but centering the report on interests rather than an imaginary catastrophe would have helped. Keynes' remark that “the difficulty lies not so much in developing new ideas as in escaping from the old ones” suggests that this rethinking may need to wait for an entirely new generation of strategists and scholars untainted by nuclear concepts.
Cyber Solarium was an immense effort that builds upon its predecessors and moves the debate significantly forward. If we strip out the recommendations motived by a desire to deter catastrophic attacks, there is much of value.
James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2020 by the Center for Strategic and International Studies. All rights reserved.