Cyber Solarium Report Calls For Tougher Deterrence, Stronger CISA, Busy Congress

The Cyberspace Solarium Commission’s long-awaited report on how the United States can better defend itself against cyber threats focuses on a handful of major themes:

Adopting a harder national deterrence strategy that will inflict more pain on attackers, sufficient to change their attack calculus;
Creating cybersecurity-dedicated committees in Congress to cut down on current jurisdictional conflicts;
Establishing a Senate-confirmed National Cyber Director in the White House;
Strengthening the Cybersecurity and Infrastructure Security Agency (CISA) to ensure national resilience of critical infrastructure, and to serve as a national cybersecurity coordination hub;
Taking action to better recruit, train, and retain talent in the cybersecurity workforce; and
Building and enforcing international norms in cyberspace.

The commission released its formal report today, but has spent the past few weeks telegraphing its major themes, and the official release mostly follows along with those.

Even though the commission was created by Congress, its report and recommendations do not carry any force of law. But since the commission has members from both sides of the aisle in Congress, as well as administration representation, the recommendations are likely to carry significant weight with Federal policy makers.

Sen. Angus King, I-Maine, co-chair of the commission, said today, “We want to do something serious to defend this country before something catastrophic happens,” adding, “I think we are at a tipping point on cyber.”

Here’s a quick guide to the major themes, and some of the more prominent actions recommended to achieve them.

The Biggest Picture

The commission’s primary goal is to create a more robust strategy to deter nation-state cyber attacks against the U.S.

Getting to that goal rests on two big steps: 1) building up the U.S. defense of cyberspace through better resilience and collaboration between the government and the private sector, and 2) adopting the Defense Department’s “defend forward”approach announced in 2018 to reduce the severity and frequency of attacks on the U.S.

“Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict,” the commission said. “This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law.”

Enabling Rapid Response

A major benefit that the commission says its proposals will yield is enabling quicker responses to threats.

“The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” the commission said. “We must get faster and smarter, improving the government’s ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries.

“Reformed government oversight and organization that is properly resourced and staffed, in alignment with a strategy of layered cyber deterrence, will enable the United States to reduce the probability, magnitude, and effects of significant attacks on its networks,” the commission said.

At the White House

The commission recommends the White House issue an updated National Cyber Strategy “that reflects the strategic approach of layered cyber deterrence and emphasizes resilience, public-private collaboration, and defend forward as key elements.”

In Congress

The commission said Congress should establish permanent select committees on cybersecurity in the House and Senate “to provide integrated oversight of the cybersecurity efforts dispersed across the federal government.” This recommendation would address long-standing complaints that claims over cybersecurity jurisdiction by numerous committees in Congress makes it very difficult for lawmakers to take action on security issues.

It also said Congress should establish in law a Senate-confirmed National Cyber Director (NCD), supported by an Office of the NCD, within the executive branch. The NCD would serve as the President’s principal advisor for cybersecurity-related issues, and “lead national-level coordination of cybersecurity strategy and policy, both within the government and with the private sector,” the commission said.

Further, it said Congress should create an Assistant Secretary of State with a new State Department Bureau of Cyberspace Security and Emerging Technologies, that will lead U.S. efforts to develop and reinforce international norms in cyberspace.

The commission’s report features a lengthy list of additional congressional recommendations, including:

Codifying additional responsibilities for CISA;
Creating “continuity of the economy” planning in the event of cyber disruptions;
Codifying a “cyber state of distress” tied to a Cyber Response and Recovery Fund;
Improving funding for the Election Assistance Commission;
Establishing a National Cybersecurity Certification and Labeling Authority, and directing it to develop a cloud security certification;
Establishing a Bureau of Cyber Statistics to inform policy-makers;
Directing establishment of an “industrial base strategy for information and communications technology” to ensure trusted supply chains;
Directing DoD to conduct a force structure assessment of the Cyber Mission Force; and
Directing DoD to conduct a cyber vulnerability assessment of nuclear control systems and nuclear weapons systems.

At CISA

The commission recommended that Congress take action to “strengthen” CISA “in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.”

“Congress must invest significant resources in CISA and provide it with clear authorities to realize its full potential,” the commission said.

Internationally

The commission urged the U.S. to take a lead role in creating and enforcing international norms in cyberspace, predicting that that “effective norms will not emerge without American leadership.”

“For this reason, the United States needs to build a coalition of partners and allies to secure its shared interests and values in cyberspace” in order to promote responsible behavior and “over time,” dissuade “adversaries from using cyber operations to undermine any nation’s interests,” it said.

“The United States and others have agreed to norms of responsible behavior for cyberspace, but they go largely unenforced today. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who violate them,” it said.

“Such punishment requires developing the ability to quickly and accurately attribute cyberattacks. Building a coalition of like-minded allies and partners willing to collectively use these instruments to support a rules-based international order in cyberspace will better hold malign actors accountable,” the commission said.

Private Sector Collaboration

“The status quo in cyberspace is unacceptable,” the commission warned. “The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal. Adversaries are increasing their cyber capabilities while U.S. vulnerabilities continue to grow.”

“There is much that the U.S. government can do to improve its defenses and reduce the risk of a significant attack, but it is clear that government action alone is not enough. Most of the critical infrastructure that drives the American economy, spurs technological innovation, and supports the U.S. military resides in the private sector. If the U.S. government cannot find a way to seamlessly collaborate with the private sector to build a resilient cyber ecosystem, the nation will never be secure.”

“And, eventually, a massive cyberattack could lead to large-scale physical destruction, sparking a response of haphazard government overreach that stifles innovation in the digital economy and further erodes American strength,” the commission warned.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.