Commission Delivers U.S. Cybersecurity Roadmap

In the midst of our growing COVID-19 pandemic crisis, a major new U.S. cybersecurity strategy was released by a bipartisan commission on March 11, 2020.  This ground-breaking report outlines a strategy to fundamentally reshape the U.S.’s approach to cybersecurity and prepare for resiliency and response before a major cyber incident occurs.

Despite everything going on right now with the global pandemic, this report is a must-read for any serious cybersecurity leader, policy-maker and planner.   


“In studying this issue,” begins the letter from Sen. Angus King and Rep. Mike Gallagher, the chairmen of the commission, “it is easy to descend into a morass of classification, acronyms, jargon, and obscure government organization charts. To avoid that, we tried something different: an unclassified report that we hope will be found readable by the very people who are affected by cyber insecurity – everyone. This report is also aimed squarely at action; it has numerous recommendations addressing organizational, policy, and technical issues, and we included an appendix with draft bills that Congress can rapidly act upon to put these ideas into practice and make America more secure.

The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast. …”

The Cyberspace Solarium Commission proposes a strategy of layered cyber deterrence. The report consists of over 75 recommendations to implement the strategy. These recommendations are organized into six pillars:

  1. Reform the U.S. Government’s Structure and Organization for Cyberspace.
  2. Strengthen Norms and Non-Military Tools.
  3. Promote National Resilience.
  4. Reshape the Cyber Ecosystem.
  5. Operationalize Cybersecurity Collaboration with the Private Sector.
  6. Preserve and Employ the Military Instrument of National Power.

Background on Cyberspace Solarium Commission

The Cyberspace Solarium Commission (CSC) was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” described the commission’s background this way: “The commission took its name from Project Solarium, a secret study comparing options for confronting the Soviet Union early in the Cold War. Rep. Michael Gallagher, the commission’s co-chair, has written extensively about the Eisenhower-era project, describing it as a model of incorporating intelligence into a competitive analytic exercise. The Eisenhower administration invited strategists to flesh out three options for confronting Soviet power in the shadow of nuclear weapons: containment, deterrence, and rollback. It believed that introducing competition would force advocates of each approach to sharpen and improve their arguments, and ultimately produce a more coherent grand strategy.

The administration organized three task forces to write reports describing each option. Each task force had seven members, who spent six weeks working in secret at the National War College. …

The Cyberspace Solarium Commission originally planned something similar, with separate task forces conducting a “deliberate, structured debate” among different approaches to cybersecurity. These options roughly paralleled the public debate, where commentators have alternately championed a more robust commitment to international norms, more credible deterrent threats against adversaries, and what U.S. Cyber Command calls persistent engagement. Those favoring norms warn that cyberspace will remain vulnerable to predators until the international community gets serious about setting limits on acceptable behavior. Those favoring deterrence argue that predators will continue to operate, norms notwithstanding, until they face serious consequences for their actions. Those favoring persistent engagement, however, argue that continuous contact among rivals is built into the structure of the domain, and “setting the conditions for security” is only possible by being proactive. They explicitly reject deterrence.

A structured debate among these three perspectives may have been illuminating. But that is not what the Cyberspace Solarium Commission delivered. Unlike that of the original Project Solarium, the commission’s report is a consensus product that includes all of them. …”

The report’s summary webpage, which can be found at, says this about the outcomes:

After conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence. The desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence. The strategy outlines three ways to achieve this end state:

Shape behavior. The United States must work with allies and partners to promote responsible behavior in cyberspace.

Deny benefits. The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.

Impose costs. The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.

Each of the three ways described above involves a deterrent layer that increases American public- and private-sector security by altering how adversaries perceive the costs and benefits of using cyberspace to attack American interests. These three deterrent layers are supported by six policy pillars that organize more than 80 recommendations. These pillars represent the means to implement layered cyber deterrence.

The introduction to the full report begins with a “what if things go wrong” mini-story of what life might be like if the country does not act. Here is that paragraph:

“The rainbow of colors in the window paints how everything went so wrong, so fast. The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals. By comparison, the water in the Lincoln Memorial Reflecting Pool has a purple glint to it. They’ve pumped out the floodwaters that covered Washington’s low-lying areas after the region’s reservoirs were hit in a cascade of sensor hacks. But the surge left behind an oily sludge that will linger for who knows how long. That’s what you get from deciding in the 18th century to put your capital city in low-lying swampland and then in the 21st century wiring up all its infrastructure to an insecure network. All around the Mall you can see the black smudges of the delivery drones and air taxis that were remotely hijacked to crash into crowds of innocents like fiery meteors. And in the open spaces and parks beyond, tiny dots of bright colors smear together like some kind of tragic pointillist painting. These are the camping tents and makeshift shelters of the refugees who fled the toxic railroad accident caused by the control system failure in Baltimore. FEMA says it’s safe to go back, now that the chemical cloud has dissipated. But with all the churn and disinfo on social media, no one knows who or what to trust. Last night, the orange of their campfires was like a vigil of the obstinate, waiting for everything to just return to the way it was.

But it won’t….”

Sample of Key Recommendations

The full commission report issues an urgent call to action, with substantial government reorganization required to implement its recommendations.

The first five key recommendations include (with detailed sub-bullets under each in the report):

The executive branch should issue an updated National Cyber Strategy.

Congress should create House Permanent Select and Senate Select Committees on Cybersecurity to consolidate budgetary and legislative jurisdiction over cybersecurity issues, as well as traditional oversight authority.

Congress should establish a National Cyber Director (NCD), within the Executive Office of the President, who is Senate-confirmed and supported by the Office of the National Cyber Director. The NCD would serve as the President’s principal advisor for cybersecurity and associated emerging technology issues; the lead for national-level coordination for cyber strategy, policy, and defensive cyber operations; and the chief U.S. representative and spokesperson on cybersecurity issues.

Congress should strengthen the Cybersecurity and Infrastructure Security Agency (CISA) in its mission to ensure national resilience of critical infrastructure, to promote a more secure cyber ecosystem, and to serve as the central civilian cybersecurity authority to support federal, state and local, and private-sector cybersecurity efforts.

Congress and the executive branch should pass legislation and implement policies designed to better recruit, develop, and retain cyber talent while acting to deepen and diversify the pool of candidates for cyber work in the federal government.

Other key recommendations are not listed here due to length of the report. does a nice summary piece with interviews here.  

Final Thoughts

This report is impressive in its scope and in the number of recommendations included.

I was frankly overwhelmed by the amount and complexity of the ideas and opportunities. If I have one central criticism, it is this: The genius may be lost by offering too much information.

Nevertheless, I will definitely spend more time reading through the details in the months ahead, and I strongly urge readers of this blog to do the same.

Also, I think the timing of this report’s release is unfortunate. Many colleagues around the country were unaware of the existence of this report, and the global pandemic continues to “suck all of the oxygen out of the room” regarding media, political and economic attention. This new reality is sad due to the urgent nature of this cybersecurity topic.

Indeed, cyberattacks are happening now within our current COVID-19 pandemic.

My advice: take some of your ample “social distancing time” at home and read the report – or at least the executive summary.