There has been a bunch of play on social media in the last 24 hours about a
recent article on TheHill.com: “Lawmakers close to finalizing federal strategy
to defend against cyberattacks”. People who only read the headline, or casually
read the article, are to be forgiven for thinking that congressional action on a
new cybersecurity initiative is imminent.
Unfortunately, the truth is not quite that bright.
The article is about the Cyberspace Solarium Commission,
which was established by Congress in the John S. McCain National Defense
Authorization Act for Fiscal Year 2019 (PL 115–232),
Section 1652 (132 STAT. 2140). I briefly
discussed the Commission when it was first suggested in 2017. As
outlined in the 2018 bill, the Commission was established as “a
commission to develop a consensus on a strategic approach to defending the United
States in cyberspace against cyber attacks of significant consequences”
{§1652(a)(1)}.
Commission Members
The Commission consists of 16 members, only four of whom
were members of Congress: two from the Senate and two from the House, a
Republican and a Democrat from each. Four would be from the Executive Branch:
DNI, DHS, DOD and FBI. The remaining eight would be appointed by House and
Senate leadership but could not be members of either body.
Those eight members were to be people who were “nationally
recognized for expertise, knowledge, or experience in” {§1652(b)(1)(B)}:
• Cyber strategy or national-level
strategies to combat long-term adversaries;
• Cyber technology and innovation;
• Use of intelligence information
by national policymakers and military leaders; or
• The implementation, funding, or
oversight of the national security policies of the United States.
Commission Duties
Section 1652(f) set forth the duties of the Commission. Those
include:
• To define the core objectives and
priorities of the strategy described in subsection (a)(1).
• To weigh the costs and benefits
of various strategic options to defend the United States, including the
political system of the United States, the national security industrial sector
of the United States, and the innovation base of the United States. The options
to be assessed should include deterrence,
norms-based regimes, and active
disruption of adversary attacks through persistent engagement.
• To evaluate whether the options
described in paragraph are exclusive or complementary, the best means for
executing such options, and how the United States should incorporate and
implement such options within its national strategy.
• To review and make determinations
on the difficult choices present within such options, among them what
norms-based regimes the United States should seek to establish, how the United
States should enforce such norms, how much damage the United States should be
willing to incur in a deterrence or persistent denial strategy, what attacks
warrant response in a deterrence or persistent denial strategy, and how the United
States can best execute these strategies.
• To review adversarial strategies
and intentions, current programs for the defense of the United States, and the
capabilities of the Federal Government to understand if and how adversaries are
currently being deterred or thwarted in their aims and ambitions in cyberspace.
• To evaluate the effectiveness of
the current national cyber policy relating to cyberspace, cybersecurity, and
cyber warfare to disrupt, defeat and deter cyberattacks.
• In weighing the options for
defending the United States, to consider possible structures and authorities
that need to be established, revised, or augmented within the Federal Government.
Commentary
The Commission was patterned after the Solarium Special Committee of
Eisenhower’s 1953 National Security Council, which was used to help
formulate Eisenhower’s containment strategy vis-à-vis the Soviet Union. It was
established to provide a strategic vision on how to deal with cyberattacks by
nation-state adversaries. It was not intended to formulate tactical doctrine on
how to respond to specific attacks, but rather to provide a framework under
which such doctrine can be developed.
I do not want to belittle this work; it is very important. But
it will not directly guide anyone on how to protect government or private
sector information technology or operational technology systems from attack.
Instead, what it should do is provide Congress and the President with a
workable guide on how to develop governmental policy and define interagency
cooperative responsibilities to organize and fund the Federal government’s
attempts to defend national and critical infrastructure systems from organized
cyberattacks by enemies overseas.
The report from the Commission will be but a first step in
this process. Unfortunately, it will land in Congress at a most inopportune
time: in a Presidential election year, at the start of the spending bill introduction
process. There will be little time this year for Congress to review (and there
will be numerous hearings about this report), much less act on, the
recommendations of the Commission. It will likely fall to the 117th
Congress to start to take whatever actions will be necessary to begin the
implementation of the ideas that the Commission generates. And more Congresses
down the road will have to continue to work the problems identified as our
adversaries continue to change their strategies, tactics and operational
objectives. This is just the start of a new cold war.