A congressionally mandated report, released March 11, describes a new strategy to reduce the likelihood and impact of significant cyberattacks on the United States.
The approach, dubbed “layered cyber deterrence,” calls for stronger public-private collaboration, reducing vulnerabilities and broader adoption of a Department of Defense concept of working in foreign networks to confront cyber threats as far away from American infrastructure as possible.
Specifically, the strategy relies on three efforts:
- Shaping behavior: America should work with other nations to promote responsible behavior in cyberspace.
- Denying benefits: The strategy requires government and industry to secure critical networks.
- Imposing costs: The United States must be able to retaliate against those that target the nation in cyberspace.
While think tanks, cybersecurity experts and academics have made similar suggestions for years, the report marks one of the first times government representatives have gathered with such intensity to study the issue and offer such drastic changes to federal and societal cybersecurity practices. The commission, led by two congressmen, also includes legislative proposals that can be added to the annual defense policy bill as a way to act on the recommendations made by the panel, which described the report as “aimed squarely at action.”
“The status quo in cyberspace is unacceptable,” the report’s executive summary reads. “The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal. Adversaries are increasing their cyber capabilities while U.S. vulnerabilities continue to grow. For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power, American security, and the American way of life.”
The report was produced by the Cyberspace Solarium Commission, a bipartisan organization created in the 2019 defense policy bill to develop a multipronged U.S. cyber strategy.
The executive summary notes two ways in which layered deterrence differs from current procedures.
First, it prioritizes deterrence by denial, increasing defense and resilience through stronger public-private collaboration and reducing vulnerabilities.
Second, it adopts the Department of Defense’s new concept of “defend forward,” first articulated in the October 2018 cyber strategy, for the entire government. By integrating the concept throughout the entire federal government, the commission hopes to show a greater amount of force against cyberthreats, the report notes.
The commission interviewed more than 300 individuals and conducted a war game to test its theories.
The commission said the layered deterrence strategy comes by more closely fusing intergovernmental efforts — to include better coordination between federal agencies as well as international partners — and greater partnership between the government and private sector, where much of the cyber infrastructure resides.
The report outlines six policy pillars that are reflected in the commission’s 75 policy recommendations.
- Reform the U.S. government’s structure and organization for cyberspace: Cyber jurisdictions are fractured across government and the report found that the government has “not kept up” with how cyberspace has “transformed” every aspect of American life.
- Strengthen norms and non-military tools: The report makes several recommendations related to diplomatic engagement on cyber issues to promote responsible behavior in cyberspace.
- Promote national resilience: The federal government needs to take steps to ensure the public and private sector are capable of responding to and recovering from a cyberattack. Part of that effort includes a recommendation that Congress create a cyber state of distress that is accompanied by a cyber response and recovery fund.
- Reshape the cyber ecosystem toward greater security: The report says that the “baseline level of security” across all aspects of cyberspace — people, tech, data and processes — needs to increase in order to reduce adversaries’ activities.
- Operationalize cybersecurity collaboration with the private sector: The Solarium Commission called on the federal government to better its threat information sharing and collaboration with the federal government.
- Preserve and employ the military instrument of power — and all other options to deter cyberattacks at any level: The report recommends that the Department of Defense assess vulnerabilities in weapons systems and the Defense Industrial Base, and ensure the Cyber Mission Force is prepared.
“The executive branch and Congress should give these recommendations and the associated legislative proposals close consideration,” the report reads. “Congress should also consider ways to monitor, assess, and report on the implementation of this report’s recommendations over the next two years.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.