Did the Cyberspace Solarium Commission Live Up to its Name?

Rovner Mar 17

Last week, as a real virus upstaged computer viruses, the congressionally mandated Cyberspace Solarium Commission released a sweeping plan to organize and guide U.S. cybersecurity policy. The commission took its name from Project Solarium, a secret study comparing options for confronting the Soviet Union early in the Cold War. Rep. Michael Gallagher, the commission’s co-chair, has written extensively about the Eisenhower-era project, describing it as a model of incorporating intelligence into a competitive analytic exercise. The Eisenhower administration invited strategists to flesh out three options for confronting Soviet power in the shadow of nuclear weapons: containment, deterrence, and rollback. It believed that introducing competition would force advocates of each approach to sharpen and improve their arguments, and ultimately produce a more coherent grand strategy.

The administration organized three task forces to write reports describing each option. Each task force had seven members, who spent six weeks working in secret at the National War College. Everyone involved had access to the same data. Although many of the participants were obscure, there were notable exceptions. George Kennan, the diplomat who famously urged a “patient but firm” approach to the Soviet Union, led the task force on containment. The task force on rollback included two future NATO commanders, Col. Andrew Goodpaster and Lt. Gen. Lyman Lemnitzer. In June 1953, each group presented its findings in extended briefings to President Dwight Eisenhower, Secretary of State John Foster Dulles, the Joint Chiefs of Staff, and other principals.

The Cyberspace Solarium Commission originally planned something similar, with separate task forces conducting a “deliberate, structured debate” among different approaches to cybersecurity. These options roughly paralleled the public debate, where commentators have alternately championed a more robust commitment to international norms, more credible deterrent threats against adversaries, and what U.S. Cyber Command calls persistent engagement. Those favoring norms warn that cyberspace will remain vulnerable to predators until the international community gets serious about setting limits on acceptable behavior. Those favoring deterrence argue that predators will continue to operate, norms notwithstanding, until they face serious consequences for their actions. Those favoring persistent engagement, however, argue that continuous contact among rivals is built into the structure of the domain, and “setting the conditions for security” is only possible by being proactive. They explicitly reject deterrence.

A structured debate among these three perspectives may have been illuminating. But that is not what the Cyberspace Solarium Commission delivered. Unlike that of the original Project Solarium, the commission’s report is a consensus product that includes all of them. The conceptual heart of the plan is called “layered cyber deterrence,” an approach that seeks to reduce the risk of serious cyberspace attacks while simultaneously combating operations below the line of armed conflict. It recommends a combination of U.S. instruments — military, diplomatic, and economic — to reduce the benefit of cyberspace operations to hostile foreign adversaries. It also promises to increase the credibility of U.S. retaliatory threats by investing more in U.S. offensive cyberspace capabilities.

Strangely, the report also supports persistent engagement, and describes how to operationalize U.S. Cyber Command’s current activities under the rubric of layered cyber deterrence. It accepts the logic of cost imposition, the need for continuous action below the line of armed conflict, and the practical requirement for operating outside of DOD information networks in order to get reliable intelligence on new threats. All of this sits comfortably within the Pentagon’s “Defend Forward” posture, which it unveiled in its 2018 Cyber Strategy.

All of this may be confusing for observers who have kept up with the cyber debate. The commission concludes that current efforts should continue in the service of a deterrence strategy, even though those efforts were designed to overcome the weakness of deterrence in cyberspace. The commission deals with this apparent contradiction by arguing that different forms of deterrence operate at different “layers” of competition: forward defenses bolster deterrence by denial by making it harder for adversaries to succeed, and cost imposition bolsters deterrence by punishment if military conflict looms. But these categories overlap in practice. Indeed, “layer 3” includes action both below and above the line of armed conflict, making room for day-to-day competition, deterrence, and warfighting.

Using deterrence as an umbrella category is dubious, because most activities in the digital domain — crime, propaganda, and intelligence gathering — fall outside the realm of deterrence theory. Individuals are relatively tolerant of cyber attacks, making cyberspace a poor venue for coercion. For this reason, a broad national effort based on layered deterrence is bound to fail. There are some areas where deterrence is useful, however. Retaliatory threats to fend off damaging attacks on critical infrastructure are inherently credible. In this case, deterrence makes sense. However, expanding the concept to cover unrelated activities may dilute its usefulness in cases where it is most needed.

In addition to deterrence and persistent engagement, the commission also emphasizes the importance of norms and recommends expanded international engagement. An energized diplomatic effort will enable better and more durable cooperation among like-minded states, easing collective action problems and contributing to stability in cyberspace. Better yet, it will isolate authoritarian states that are on the wrong side of a new normative regime, causing them to think twice about their behavior.

At some point the commission clearly abandoned its original concept. Rather than setting up rival task forces to advocate for distinct approaches, in the style of the original Project Solarium, it merged the recommendations of different task forces operating more or less independently. The final report is not a unified approach to cybersecurity. Instead, it is a laundry list of recommendations. In addition to deterrence, persistent engagement, and norms, the commission recommends efforts to improve defenses and resiliency. It is unclear what, if anything, it rejects.

To implement its recommendations, the commission calls for substantial government reorganization. In an effort to centralize oversight, it calls for the creation of new House and Senate cybersecurity committees. In an effort to improve Congress’s understanding of the many issues at stake, it calls for reestablishing the Office of Technology Assessment. Turning to the White House, the commission calls for the creation of a Senate-confirmed national cyber director, who would “serve as the President’s principal advisor for cybersecurity and associated emerging technology issues; the lead for national-level coordination for cyber strategy, policy, and defensive cyber operations; and the chief U.S. representative and spokesperson on cybersecurity issues.” As the focal point for cybersecurity in the executive branch, this new office would be supported by an Office of the National Cyber Director. Meanwhile, to lead the renewed diplomatic push, the commission calls for a new cyber bureau and assistant secretary at the U.S. Department of State. And to improve resiliency, it calls for a bureau for cyber statistics within the Department of Commerce.

The original Project Solarium adjudicated a debate among competing strategies, under the assumption that resources were finite and tradeoffs were inevitable. It required the task forces to submit a budget alongside every proposal. Such was the case in Eisenhower’s White House, which put a premium on sustainable budgets. As the secretary of the Treasury put it, “if we mean to face this Soviet threat over a long time, we must spend less than we now are spending and do less than we now are doing.”

The Cyberspace Solarium Commission, by contrast, wants to spend more and do more. It accepts a variety of proposals, even those that seem to be contradictory, and calls for a massive government and private-sector implementation effort. This is necessary because the existence of society as we know it is at stake. The commission invites readers to imagine the worst-case scenario. The report opens with an ominous vision of Washington in the aftermath of a series of cyber attacks:

The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals. By comparison, the water in the Lincoln Memorial Reflecting Pool has a purple glint to it. They’ve pumped out the floodwaters that covered Washington’s low-lying areas after the region’s reservoirs were hit in a cascade of sensor hacks. But the surge left behind an oily sludge that will linger for who knows how long. That’s what you get from deciding in the 18th century to put your capital city in low-lying swampland and then in the 21st century wiring up all its infrastructure to an insecure network. All around the Mall you can see the black smudges of the delivery drones and air taxis that were remotely hijacked to crash into crowds of innocents like fiery meteors. And in the open spaces and parks beyond, tiny dots of bright colors smear together like some kind of tragic pointillist painting. These are the camping tents and makeshift shelters of the refugees who fled the toxic railroad accident caused by the control system failure in Baltimore.

Cybersecurity analysts may roll their eyes at this scenario, having spent many years answering questions about a “cyber Pearl Harbor.” But the commission insists that failure to anticipate the worst would represent a tragic and completely avoidable failure of imagination. The potential for catastrophe rises as government and society become ever more reliant on cyberspace. Mobilizing a whole-of-government and whole-of-society response means reminding everyone of how bad things could get.

The twin themes of coordination and imagination echo the conclusions of the 9/11 Commission Report, which called for a major reorganization of the intelligence community. The 9/11 Commission concluded that while intelligence agencies were independently watching al-Qaeda, they were not effectively coordinating their activities, and they could not imagine the kind of attacks that took place in New York and Washington. The 9/11 Commission included a range of high-profile participants and conducted a high-profile investigation before releasing its final report to great fanfare. It called for a host of changes, most memorably the creation of a director of national intelligence, a cabinet-level position who would serve as the president’s chief intelligence advisor and act as the focal point for reform.

The Cyberspace Solarium Commission is much the same. Indeed, it is much closer to the 9/11 Commission than to its Eisenhower-era namesake. While the original Solarium was conducted in secret, the current version has been a highly public affair from the start. And as described above, it quickly jettisoned the notion of analytical competition among rival task forces. It produced not a choice among alternatives but a wish list of reforms, and a call for new legislation, new organizations, and new offices. Above all it stressed the need for coordination and the danger of any lapse in imagination.

Sen. Angus King, the commission’s co-chair, made this connection clear at Solarium’s launch event. “Our fundamental purpose is to be the 9/11 Commission,” he declared, “without 9/11.” Rather than waiting for tragedy, the Cyberspace Solarium Commission imagined an awful future in the absence of serious change. Improving the government’s ability to implement good policy requires better coordination, and fewer questions about lines of authority. Hence the national cyber director, an official to whom the president could reliably turn for advice, and someone vested with the power to get things done. As King put it, the president should have “one throat to choke.”

Most Americans probably remember the 9/11 Commission fondly, given its effort to put things right after a moment of intense national trauma. But it got a lot wrong. Its theory of the case — that the terrorist attacks occurred because of a lack of coordination and imagination — rested on very thin empirical and theoretical bases. And its practical recommendations were oddly decoupled from its own logic. In particular, it was not clear why a director of national intelligence would improve coordination, given that it would add a new layer of bureaucracy on top of an already sprawling establishment. The tenuous position of the director of national intelligence today should give us all a moment of pause before we try to replicate it to improve cybersecurity.

Some members of Congress are understandably frustrated with the number of organizations and agencies involved in cybersecurity. But that simply reflects the complexity of the domain. Cyber policy touches everything from commerce and communications to technology, regulations, international security, civil liberties, and human rights. The commission correctly notes that government and society are deeply immersed in cyberspace. Oversight and policy will remain complicated and difficult as long as that remains the case. Efforts to streamline cyberspace policy are likely to disappoint for the same reason. The domain may be allergic to the kind of coordination the commission has in mind.

Over the last decade, the government has repeatedly reorganized itself for cyberspace policy. The military, the intelligence community, and the Department of Homeland Security have all created or enlarged existing organizations dedicated to cyberspace. The Department of Defense, the Department of State, and the National Security Council have created new offices and staff to deal with evolving technologies and associated policy issues. Reorganizing again may not streamline matters so much as add new layers of confusion. Perhaps it is best to let these new outfits grow a little. Resisting the congressional impulse to reorganize is a good way to build knowledge and encourage institutional continuity.

I do not mean to criticize the whole report, which contains many fine recommendations. Particularly noteworthy is the commission’s effort to look beyond government. “National defense,” it rightfully concludes, “takes a very different shape in cyberspace, where the government mainly plays a supporting and enabling role in security and defense and is not the primary actor.” The public internet, for example, is a constellation of overlapping networks organized and maintained by a mish-mash of states, firms, individuals, and private sector groups. It cannot function without ongoing voluntary cooperation among these actors, but their interests are not always the same. Rather than demanding that industry support national security needs as defined in Washington, the commission opens the door to a more useful ongoing conversation.

The commission also recommends assessing the value of a cyber reserve force that would relax the manpower crunch by allowing more flexible movement between the military and the private sector. Recruiting and retaining skilled personnel is a central challenge for agency heads, who compete with one another and with the private sector for talent. Novel ideas for managing personnel problems deserve attention. The commission also recommends additional investment in professional military education, with an eye towards institutionalizing cyberspace issues across the services. This is important for integrating cyberspace options with conventional military planning, and for dispelling the notion that commanders can treat cyber weapons like munitions they can stockpile and use as needed.

Practical changes like these are unlikely to make the front page, but they offer substantial benefits for day-to-day operations and for long-term contingencies. The Cyberspace Solarium Commission set its sights high, proposing to unify the national approach to cybersecurity policy and suggesting another round of reorganization. The commission’s lasting legacy, however, may come from its more modest technocratic ideas.

Joshua Rovner is associate professor in the School of International Service at American University. In 2018 and 2019 he was scholar-in-residence at U.S. Cyber Command and the National Security Agency. He served as a contributing expert for the Cyberspace Solarium Commission. The views here are the author’s alone.

Image: U.S. Marine Corps (Photo by Staff Sgt. Jacob Osborne)