
Giant Report Lays Anvil on US Cyber Policy

Today, the US Cyberspace Solarium Commission published its final report. The 182-page document is the culmination of a year-long, bipartisan process to develop a new cyber strategy for the United States. Established by the 2019 Defense Authorization Act, the commission draws its inspiration from one set up by President Dwight Eisenhower in the 1950s, as he stared down the barrel of new strategic challenges necessitating a policy overhaul.

“What we’re trying to do here is a 9/11 Commission report without 9/11,” Senator Angus King, one of the commission’s two cochairs, told me. “We’re trying to solve a problem before it turns into a catastrophe.”


In reading the report, three categories of recommendations stand out: the common-sense and specific, the decidedly vague, and the absent. For each proposal in the report, there will inevitably be political and bureaucratic hurdles—raising the question of just how to measure the commission’s success in rebuilding US cyber strategy.

Underpinning the Cyberspace Solarium Commission’s more than 75 recommendations is a conviction that the status quo cybersecurity policy is failing. “Adversaries suspect that the US government would retaliate for turning off the power in a major city,” the report reads, “but doubt American resolve” to respond to events like election interference and intellectual property theft. “The result has been a kind of death by a thousand cuts,” said Senator King.

First up are common-sense, specific recommendations that try to move the needle. Many election-security measures fall into this category.

The commission recommends, for example, the use of “voter-verifiable, auditable, paper-based voting systems.” If the 2016 election wasn’t enough to give you pause, the debacle in Iowa in February should’ve been a wake-up call: Pushing untested technology into elections is reckless and undermines both electoral processes and public confidence. Paper voting with the listed conditions is a robust answer, and it’s also a specific one.

Reinstating a White House cyber coordinator is a similarly common-sense proposal made by the commission. John Bolton’s elimination of the position in 2018 (along with many now-vacant National Security Council roles) damaged the executive branch’s ability to manage cyber policy. Restoring the coordinator recognizes the need for cyber policy to be a national priority with a comprehensive US cyber strategy coordinated through a senior White House official. “There needs to be a focal point for action in cyberspace in the executive branch,” Representative Mike Gallagher, the commission’s other cochair, told me.

Another common-sense recommendation is the creation and adequate resourcing of a Bureau for Cyberspace Security and Emerging Technologies at the State Department, led by an assistant secretary of state. This is sharp; funding for cyber diplomacy is much-needed. Congress and multiple White House administrations have continued to decimate the US’ diplomatic capabilities on a number of fronts, and it has hampered America’s ability to engage on cyber issues. “Long-term change in norms enforcement requires engagement from the larger international community,” the report says, “a process that starts with appropriate leadership, resources, and personnel within the State Department.”

“We are cognizant of the fact that norms will not emerge in a laboratory designed by cyber diplomats—they require constant action and a willingness to impose costs,” said Representative Gallagher. But “we believe that over time, working in concert with our allies, we can push back on the digital authoritarianism that China is at the vanguard of, and the cyber meddling that Russia is at the vanguard of.”

Beyond the common-sense specifics is the second group of proposals—those that are helpful but decidedly vague. While many in this camp are well-aimed, overuse of jargon and lack of specificity risk clouding the path to implementation.

The commission recommends, for instance, the Pentagon develop a “multitiered signaling strategy” around the “defend forward” concept put forth in the Defense Department’s 2018 Cyber Strategy. (According to the Pentagon, this entails disrupting or halting malicious cyber activity at its source, including below the threshold of armed conflict.) When the strategy dropped, excitement in military- and deterrence-focused sectors of the national security community about the “defend forward” concept was widespread. There was equal if not greater perplexity, though, among other countries as to what on earth “defend forward” meant.

Chinese military analysts were also confused, and even within the Pentagon itself it was unclear to what extent strategists and operators had agreed on the risks of this strategic shift (i.e., that a foreign country takes “defend forward” as code for “attack”). The commission’s recommendation is certainly well-directed. Yet a vague proposal to signal internationally—with the military still encumbered by internal uncertainty about “defend forward”—is one with an unclear path to implementation and little means to benchmark success.

The recommendation for the executive branch to “develop and maintain Continuity of the Economy planning in consultation with the private sector” has comparably vague elements. The recommendation appears to focus on ensuring critical economic functions, like civilian cellular communication and maritime shipping, are maintained in the event of a cyber crisis. It’s an example of building out public-private partnerships—the beloved and extremely vague phrase that seems to be a de facto requirement in all government cyber documents.

In this way, economic continuity planning recognizes two points: National security and economic risks are increasingly entangled, and the private sector increasingly influences national security through maintenance of digital infrastructure. However, a core challenge is adequately managing that web of risks in ways that don’t, say, overextend the government’s security authorities. The report is quite light on addressing those real concerns.

And then some recommendations are just absent.

Perhaps most notably, the report takes no real stance on the importance of end-to-end encryption. “There is broad consensus across industry and the government on the importance of strong encryption,” the narrative section of the report reads. Three paragraphs later, however, the report says, “this form of encryption is a double-edged sword,” topped off by flat language about a “quest for solutions” informed by “core values.”

At present, Attorney General William Barr continues to advocate for building “backdoors” into encrypted devices like smartphones. Where the Justice Department has historically used terrorism as justification for this view, it increasingly turns to child exploitation. Meanwhile, the EARN IT Act was introduced into the Senate last week to weaken encryption to better curb online child exploitation, with seemingly little appreciation for the massive negative effects undermining commercial encryption would have.

Robust commercial encryption is critical to protecting everything from intellectual property to industrial control systems (i.e., water treatment systems, traffic grid monitors) to the communications and geolocation of journalists and diplomats. Many of the same cryptographic standards used in commercial products are integrated into technology sold to government users; weakening that becomes a direct national security threat. The commission’s unwillingness to advocate for encryption, which gives defenders such scalable leverage over attackers, doesn’t comport with the aim of bolstering US cybersecurity.

Overall, as Washington Post reporter Ellen Nakashima recently commented, the past decades have seen a plethora of commissions and studies on US cyber strategy. As with any commission, there are no guarantees that the Solarium’s final proposals will be passed.

Recommendations made on paper can quickly catch political headwinds. Election security, for example, should have bipartisan consensus. Though clearly, it doesn’t—despite some movement on this front in Congress, Senate Majority Leader Mitch McConnell continues to resist the full spectrum of election defense measures advised by experts. Commission proposals in this vein, like modifying the Federal Election Campaign Act of 1971 to let companies provide free and reduced-cost cybersecurity services to political campaigns, might face similar headwinds.

Other trends may be even more stoutly resistant, like the militarization of US foreign policy. The Trump administration’s budget for fiscal year 2021 continues to slash State Department funding. Paradoxically, the very same reason the Solarium’s proposal for greater diplomatic resources is so vital may render it difficult to achieve in practice—even for a limited solution to a shrinking footprint for American digital diplomacy.

But the notable representation of serving legislators on the commission (four of them) should hopefully increase the likelihood of implementation, Mark Montgomery, the commission’s executive director, said to me. Senator King concurred, telling me he’s hoping about half of the recommendations will fit within the National Defense Authorization Act due for consideration in May. Rather than a “fancy report that sits on a shelf,” added Representative Gallagher, the commission hopes this is “a blueprint for action.”

All told, many of the Solarium’s final recommendations are sensible despite the bulk being unoriginal. To the extent that the commission was meant to overhaul US cyber strategy—to “be forward looking and prescriptive, rather than a snapshot report that sits on a shelf”—then it’s worth wondering how exactly that objective should be assessed.

Is the overhaul a success if a bipartisan group of legislators and other stakeholders widely publicize measures to improve cybersecurity across the public and private sectors? Is this an exercise in converting the advice of think tank policy wonks and academics into law, and only a success if that actually happens with specific recommendations? Or can there be a strategy overhaul that fails to suggest many novel ways of thinking about problems and solutions?

As we head into another decade—already marred by election interference and a continued Huawei saga, among other issues—the yardstick is evolving and will be defined in part by what commission members and other stakeholders say in coming weeks. We all ought to pay attention.

WIRED Opinion publishes articles by outside contributors representing a wide range of viewpoints. Read more opinions here. Submit an op-ed at opinion@wired.com.
