U.S. Intelligence Should Embrace Sasse’s Cyber Solarium Commission

Busy officials in the Defense Department and the Office of the Director of National Intelligence could be forgiven for reacting to provisions in the National Defense Authorization Act that create a panel to review cybersecurity policies as yet another congressionally directed imposition on the energies of experts already straining daily to deal with the threat. That would be a mistake. We sorely need new thinking, broader consensus, and greater urgency on cyber policy. Here is why U.S. intelligence, in particular, should proactively support the new Cyberspace “Solarium” Commission even in the face of likely White House indifference.

A Policy Vacuum

The FY2019 National Defense Authorization Act signed by the president earlier this week establishes a bipartisan commission to evaluate alternative strategies for protecting America’s vital interests in cyberspace. Sen. Ben Sasse (R-NE), the sponsor of the Cyberspace Solarium Commission, described its purpose as developing a doctrine that informs “how, when, and where we play offense and defense… how best to organize our government, increase coordination between agencies, [and] recruit and retain top talent.”

Policy consensus has proven dangerously elusive in the decade-plus since the U.S. intelligence community began energetically warning of risks to U.S. infrastructure and competitiveness from foreign cyber attacks. Notwithstanding sincere efforts in the public and private sectors to address this challenge, cyber attacks by foreign actors have only grown more frequent, complex, and costly.

While the responsibility to develop sound public policies rests with other arms of government, America’s intelligence professionals are uniquely qualified — and should feel highly incentivized — to work for the success of any process (however unconventional) with the potential to generate new ideas, forge a broader consensus, or add missing urgency to the development of a national strategy that protects our interests in the cyber domain.

Cyber Solarium Project?

Sasse’s approach derives its name and inspiration from the exercise launched in 1953 by newly-elected President Dwight Eisenhower to resolve internal disagreements and unify his cabinet behind a strategy that responded to the Soviet Union’s growing nuclear arsenal and aggressive expansionism. Eisenhower secretly charged three panels of government experts armed with identical intelligence information and assessments to present him with response options. Of course, he ultimately decided on a variation of the existing “containment” doctrine. Eisenhower’s decision and the underlying reasoning were subsequently enshrined in a classified national security directive that more or less guided U.S. actions through the Cold War.

In a January Lawfare article, Klon Kitchen suggested this Cold War model as a means to help overcome bureaucratic obstacles that were preventing us from developing more coherent cyber policies, although Kitchen argued that the exercise should ideally be privately organized, funded, and directed to ensure participants had full access to expertise that resides outside of government. Last month, Bobby Chesney analyzed the legislative proposal that was ultimately included in the NDAA. In Foreign Policy, Peter Feaver and Will Inboden endorsed the initiative while providing valuable historical context on Eisenhower’s iconic Project Solarium.

The relevant section in the NDAA calls for a 13-member bipartisan commission that includes members of Congress, senior executive branch officials, and private citizens. Chesney highlighted the three (presumably non-exclusive) strategic frameworks that the commissioners will be tasked to evaluate — “deterrence, norms-based regimes, and cyber persistence” — as well as the charge to propose resource reallocations and “new or revised government structures and authorities.”

There are at least three reasons why current and former intelligence officers should welcome this commission, proactively staff, inform, and facilitate its work, and drive the panel toward an unambiguous statement of policy. Such a clear statement of national policy would serve to guide the intelligence community’s collection, analysis, and covert action missions in the cyber domain in the medium-term. First, this commission cannot succeed without the unique information and insights available to U.S. intelligence agencies. Second, the intelligence community’s mission to provide “strategic warning,” in this case on cyber vulnerabilities, is not complete until policymakers act in response to the threat. And finally, structural reforms and resource shifts in the intelligence agencies — some of which may be overdue — cannot be made in the absence of a broad, bipartisan consensus on the nature of the cyber threat and the U.S. national response.

Expertise

Any deliberation on the merits of competing cybersecurity strategies must start with an informed understanding of the environment — the who, what, and how of past intrusions and an objective assessment of our adversaries’ capabilities, plans, and intentions. Of course, the most damaging cyber intrusions against U.S. targets were perpetrated by state or non-state actors who attempted to conceal their identities. Therefore, what is known about their actions, motives, and future plans is found principally in classified intelligence databases and the collective wisdom of specialized intelligence analysts. There are fewer authentic experts in this field than most Americans might expect.

The architects of Eisenhower’s Project Solarium faced similar challenges discerning Soviet capabilities, intentions, and decision-making processes. They turned for answers to an immature, only marginally capable, and largely unproven U.S. intelligence community. Recent scholarship, including by Captain Mike Gallagher in Intelligence and National Security, helped to clarify the full extent of the intelligence community’s involvement in Project Solarium through its people, written products, and analytic processes. For example, the Working Group that drafted terms of reference for the exercise included Director of Central Intelligence Allen Dulles as well as his predecessor W. Bedell Smith. At least one veteran intelligence officer was assigned to each of the three formal task forces. Finally, and notwithstanding large acknowledged gaps in collection on the Soviet Union, the task forces were assigned a series of customized National Intelligence Estimates (NIEs) and Special Estimates — most prominently NIE-65 “Soviet Bloc Capabilities Through 1957.”

To the extent that Project Solarium was indeed “the best example of long-term strategic planning in the history of the American Presidency,” as it was characterized by Shawn Brimley and Michele Flournoy, the information and expert insights contributed by U.S. intelligence must share in that acclaim. Today’s intelligence community should prepare to play a similarly central role in the potentially important work of the Cyberspace Solarium Commission.

Incomplete Warning

It is hard to disagree with the claim in a declassified CIA training primer that the “central mission of intelligence analysis is to warn US officials about dangers to national security interests…” That same primer explains that tactical warning seeks to prevent “incident surprise” by detecting and disrupting a specific threat while strategic warning addresses dangers in broader terms to aid policymakers in their general security preparedness. To be effective, though, strategic warning must be sufficiently credible to “facilitate policymaker decision and action to protect against these dangers.” It is therefore not enough for the intelligence community to warn policy officials. Rather, Americans expect their intelligence professionals to persist until policymakers take action to blunt the threat.

For obvious reasons, the public is not aware of how often or how intensely the intelligence community delivers threat warnings to its elected and appointed consumers. However, the so-called “worldwide threat” hearing hosted annually by multiple congressional committees affords the director of national intelligence the opportunity to describe in general terms the hazards confronting the United States, its allies, and its interests. Notwithstanding a boilerplate disclaimer that the order in which threats are described in that testimony does not signal their relative significance, insiders know that great care is taken in sequencing and characterizing the principal threats in this setting.

The vulnerability of America’s information infrastructure to cyber attack first appeared in 2008 testimony delivered by Director of National Intelligence Michael McConnell. By 2010, McConnell’s successor, Dennis Blair, warned at the top of his testimony of severe threats to critical infrastructure from a “dangerous combination of known and unknown vulnerabilities.” In each of the succeeding years, with a single exception, cybersecurity has headlined the DNI’s worldwide threat testimony. Earlier this year, Director of National Intelligence Dan Coats warned of an increase in “[the] potential for surprise in the cyber realm” and the testing of more aggressive cyber techniques by Russia, Iran, and North Korea. A graph that accompanied his statement for the record illustrated how the number of states with cyber attack capabilities had grown from less than five in 2007 to almost 35 in 2017.

In later public remarks on Russia’s continuing efforts to interfere in U.S. electoral processes, Coats punctuated the intelligence community’s warning with a calculated reference to George Tenet’s characterization of a system that was “blinking red” in the months before the 9/11 terror attacks. The intelligence community’s experience documenting and warning of al-Qaeda’s emergence in the 1990s is an imperfect but useful analogy to today’s cybersecurity challenge. U.S. intelligence agencies have provided ample strategic warning of cyber vulnerabilities to three successive administrations, but it cannot yet consistently detect, deter, or disrupt sophisticated attacks on our infrastructure. And, the government has so far been unable to craft a strategy that balances competing societal interests, fosters a stable climate for long-term investment (in technology, talent, or normative processes), and that is regarded seriously by our allies and adversaries.

The intelligence community should work hard now to avoid a foreseeable post-attack contest to apportion blame between its inadequate warnings and policymakers’ failure to act.

Structural Change and Resource Shifts

The NDAA directs the Cyberspace Solarium Commission to recommend needed changes to government structures, authorities, or resource reallocations. In the absence of a war or national emergency, it is unrealistic to expect the recommendations of any advisory panel to reshape the federal bureaucracy. It would, however, be useful for the commission to assess the efficacy of restructuring that has already taken place and also engage in “blue-sky” thinking about institutional changes that may only be plausible after a catastrophic attack.

Perhaps because of their intimacy with the threat streams, intelligence leaders recognized early that digital technology was reshaping the intelligence discipline. They knew that new structures, new tradecraft, and new people would be needed to maintain the intelligence community’s slim advantage over our adversaries in the cyber realm. In early 2015, Direct of National Intelligence James Clapper implemented a White House order by standing up a Cyber Threat Intelligence Integration Center. Born in part out of the White House’s frustration with the intelligence community’s inability to reach a consensus judgment on the source of the Sony Pictures Entertainment hack, this center is a modestly resourced cousin to the National Counterterrorism Center. The Cyber Threat Intelligence Integration Center has earned high marks for collaboration and responsiveness, but is it scaled appropriately to “attribute” the waves of cyber attacks now being directed at our infrastructure?

Later in 2015, CIA Director John Brennan ordered a reorganization at Langley designed, in part, to emphasize digital technology through the establishment of a new operating directorate. The next year, the National Security Agency moved to integrate its offensive and defensive missions. It is still unclear whether the Defense Department will carry out the long-anticipated final act of separating the posts of NSA director (an intelligence-gatherer) and commander, Cyber Command (a “war-fighter”) that have been held by a single individual since 2009. Frank assessments by the Cyberspace Commission of the intelligence community’s new cyber structures, and similar institutional adjustments made across government, could embolden farsighted agency heads to take even more transformational steps.

An Indifferent Administration?

Even highly professional, well-informed, bipartisan work by this new Commission will not guarantee that its recommendations will have an immediate policy impact. This will be particularly true if the president and his administration prove to be hostile or indifferent to the exercise. In this regard, the recent decision to dismiss and not replace the two most senior White House officials with cyber expertise and responsibilities is dispiriting. In Washington, though, it is impossible to foresee how and when a good idea may be translated into national policy.

Consider, for example, the June 2000 report of the National Commission on Terrorism, popularly known as the “Bremer Commission.” The serious-minded members and staff of this congressionally mandated, bipartisan panel were charged with investigating the “laws, policies, and practices for preventing and punishing terrorism.” The commission’s final report recommended, inter alia, more aggressive U.S. actions abroad against terrorists, relaxing restrictions on intelligence gathering against suspected terrorists, and disrupting terrorist finances. Tragically, the short-term policy impact of this commission’s work was negligible, but its analysis and policy recommendations — along with those of other panels that studied terrorism before 2001 — helped inform the more consequential Commission on Terrorist Attacks Upon the United States (9/11 Commission), and Congress’s own legislative response to the terrorist attacks in the landmark 2004 Intelligence Reform and Terrorism Prevention Act.

Even without the promise of immediate impact, intelligence professionals should work earnestly on behalf of the Cyberspace Solarium Commission. The U.S. intelligence community will remain handicapped in anticipating and warning against threats to our digital infrastructure without the stability offered by a durable, bipartisan policy framework. An approach borrowed from a warrior-statesman from the last century may help move us in the direction of sound cybersecurity policy.

Steve Slick is the Director of the Intelligence Studies Project at the University of Texas at Austin. He is a former CIA officer who served as a special assistant to President George W. Bush and the National Security Council’s Senior Director for Intelligence Programs and Reform. This essay was reviewed by CIA’s Publications Review Board.

Image: Flickr