In an era of sclerotic government, where hyperpolarization clogs up debate on even the simplest issues, the bipartisan acceptance of the Cyber Solarium Commission's final report attests to its extraordinary value. At least 19 recommendations are now law, and several of its authors now occupy influential positions within President Joe Biden’s administration. The Solarium report, along with the Aspen Institute’s National Cyber Agenda, which was released in December of 2020, could catalyze the beginning of lasting reforms.
The Aspen report contains a number of accessible recommendations, and it was designed for public consumption and education. The Solarium report is deliberately dense, but it reads like a thriller more than a typical policy brief. (Indeed, it starts with a fictional cyber attack written by Peter Singer!). Its proposals range from edge-tinkering to more transformational. At QOMPLX, we took notice of the Solarium’s foregrounding of resilience and risk management. The report does not use the words as mere concepts. It adds significant meat to the bone, exploring alternative approaches to achieving real resiliency as an end goal -- and defining what resilience entails -- and cuts through a lot of the confusion about cyber risk. Importantly, the report does not fetishize optimization or efficiency as ends in themselves. A country that takes heed of these recommendations will build extra capacity, add redundancy, allow for error, provide a cushion for uncertainty -- and will turn this fleshed-out continuity into a strategic asset.
Equally as important, the Solarium report incorporates resilience and risk management into its discussion of a global deterrence strategy. Skeptics of cyber deterrence have long noted that a highly interconnected economy designed for efficiency and ease of use, with security seen as an accessory, provides an adversary with virtually no excuse not to relentlessly target the networks that link it together. The U.S. government, borrowing from the metaphorical world of nuclear deterrence, latched on to the idea that offense, not resilience, could impose significant enough costs: if an adversary knew that we were capable of screwing with their financial or operational technology systems at will, they would be less inclined to screw with ours. (So far, not so.). Indict attackers and attribute their malign influence to their country? (They’re still attacking.) We’re also playing public victim in cases like SolarWinds despite such behavior remaining largely consistent with existing norms for cyber espionage if reviewed carefully.
Pundits are now asking, what if an adversary knew we were willing to respond to cyber intrusions with kinetic force? Would they be less inclined to burrow into non-defense critical infrastructure? So far, this concept is both untested and ill-advised -- we ourselves are deterred from pursuing the course of action that would deter, for good reason. Even moreso when we consider the norms under which we already operate under both Title 50 and Title 10 authorities. Jason Healey’s “Rough and Ready” metrics, which propose to assess a range of potential and actual responses to cyber attacks -- and may even help conceive of the counterfactuals that deterrence -- a policy designed to not have things happen -- make difficult to use as instruments of policy in practice.
While the Solarium report endorses a range of exploitation campaigns and its authors are somewhat sanguine about linking them to deterrence, the real innovation comes in realizing how resilience can be an offensive multiplier. First, and simplest: what’s our own posture? What do we say in public and private about how acceptable it is for specific types of infrastructure to be infringed upon? Which agencies say it? What specifically do different agencies each say about the immediate and long-term consequences? What can we promise, given the state of our own capabilities for in-kind response and detection of such activities defensively? The answer is, right now, aside from occasional speeches and diplomatic flare-ups, we don’t say all that much. NSA and CISA have made notable strides in the past two years, but not in comparison to other domains. Our nuclear doctrine defines clear consequences to specific behaviors to adversaries, despite the veil of nuclear secrecy. Our cyber doctrine remains much hazier, despite a set of U.S. cyber tools having been exposed to the world by Edward Snowden and another separately stolen from intelligence agencies and then distributed by other malicious actors.
The Solarium report then notes that a doctrine which implies resilience is all well and good, but it is useless if the underlying things that it seeks to protect are easily attacked. Building resilience amplifies the practical ability to assert our will, rather than undermine it. It turns a signal into a warning light. “Despite U.S. progress in shifting to a more aggressive posture in cyberspace, adversarial states and non-state actors find cyber operations ideal low-cost, high pay-off methods for eroding U.S. power that do not risk direct counterattacks.” Cyber remains highly asymmetric, largely decoupling cost and consequence when compared to major combat operations or high intensity conflict.
So what are the bones that hold up the Solarium report’s concept of resilience?
Early on, the report advises the government to significantly pulse up U.S. research and development into AI and machine learning, and then apply these technologies to data management across the government and private sector, standardizing language and maximizing utility. The framing of AI in the report belies some naivete about the practical challenges of applying such technology in the domain and the considerable economic implications associated with the investment in data collection, ingestion, integration, storage and downstream processing and analysis this implies is completed already - despite SolarWinds and Microsoft Exchange related breach investigations definitively demonstrating otherwise. For almost all private and public sector organizations, walking before running comes to mind.
Synchronizing standards and improving defender visibility will also allow the U.S. to speak with a clearer voice as global cyber norms and standards are being settled using more available and consistent data. “Because the domain relies disproportionately on private-sector networks, this strategy must incentivize public and private-sector collaboration and deny adversaries the ability to hold America hostage in cyberspace.” Cyber exposure and loss data is key - but it must be comparable and based on breach notification requirements ensuring more transparency than those now in-force.
A key pillar is what the Solarium report calls Continuity of the Economy. First, analyze national level functions -- the stock market, power distribution, the transport of goods, and public health infrastructure by asking what it would take to keep them operating during a cyber cataclysm; then, identify the specific companies and entities and physical plants that would need to have their functions duplicated or otherwise hardened to keep the national level functions afloat; third, create a national data preservation strategy; fourth, investigate air-gapping virtually every industrial control network identified as a continuity priority - which should be caveated as poorly and unrealistic as worded (Olympic Games anyone) but in directional terms aspirationally advisable if phrased as minimizing connectivity; provide a mechanism for liquidity that the government can extend to the private sector instantly during a declared emergency -- and finally, ensure that the public actively participates in this strategy. The Solarium report would use the Defense Production Act to identify alternative private companies who could quickly recapitalize and rebuild the architecture of national level functions, and endorses the concept of signing stand-by contracts, much in the way that early nuclear war continuity programs leveraged the production capacity of the American industrial base.
Based on our own experience, a robust cyber insurance market can catalyze innovation and enhance resilience by supporting companies not just in more accurately assessing, quantifying and managing risk but in putting risk financing in place to aid them in funding recovery efforts when under duress. Exceptional loss deterioration and rate increases for insurance demonstrates just how few insurers have real cyber expertise or risk selection capabilities that are up to the task - better data from outside and insider organizations is required. “This has had the combined effect of creating an opaque environment for enterprises attempting to purchase coverage and undermining the effectiveness of insurance as an incentive to push enterprises towards better security behavior,” the report notes. It endorses a plethora of changes we would welcome to support cyber insurance market development but lacks sufficient clarity regarding how to enable product innovation and adoption of telematics, parametric policies, and risk backstops to guard against systemic challenges to private insurability. Suggestions like federal underwriter training and certification, cyber product certification processes, a public-private partnership recommending a basic set of coverage standards might be good, but could also do irreparable harm considering that current industry and government performance in assessing and managing this risk remains insufficient at best.
Overall, if the government follows the bulk of the Solarium’s pillars and interventions, we believe it will move the debate in the right direction. We need more focus on transparency and the broad breach notification requirements and gradual moves towards superior clarity on liability for shoddy software or security and IT operations must be at the forefront of any real progress.