The Cyberspace Solarium Commission is the creation of two Congressmen, Senator Angus King of Maine, and Representative Mike Gallagher of Wisconsin. Its goal was to develop consensus among DC elites about cybersecurity policy. For better or worse, its main focus is on the military and foreign policy aspects of cybersecurity.

Sunny side up?

The odd name – Solarium – is a kind of inside joke. In the early days of the US-USSR Cold War, President Eisenhower convened a group of military strategists and foreign policy experts to develop strategy. It was called Project Solarium because they met in the Solarium Room of the White House. The Cyberspace Commission only gets a metaphorical Solarium, but the historical reference it contains tells you lots about the attitudes of those who created it. Apparently, a substantial portion of the DC-based cyber community thinks we are entering something like a new Cold War. This time, there is no cozy sunny room with a few gray-haired senior officials gathered around. This was a Congressional initiative, not a Presidential one. It assembled a staff, held hearings and interviewed a wide variety of cybersecurity experts.

I intend to do a more systematic and complete review of the report, but for now I can summarize my initial reactions thus:

Snazzy Start

The report starts with Peter Singer and August Cole pretending to be science fiction writers. They put us in the shoes of an intrepid mid-level Washington insider, a guy who “spent his whole career on Capitol Hill hoping for an office with a window.” Inspiring character here. Now why would a prestigious and expensive Congressional Commission preface its report with a story from that point of view?

The answer to that question comes as the sci-fi unfolds. Tune your heads into the vibe of a high-financed alien invasion movie, like “Independence Day.” Now imagine the attackers using cyber vulnerabilities, not spaceships. Suddenly, our rivers are polluted, drones are attacking innocent Americans (instead of foreigners), dams are being programmed to flood and all hell is breaking loose. And, all these plagues are happening at once. It is coordinated. The sci-fi writing doesn’t tell us who is responsible for that attack, how they pulled it off, and what they expected to gain from it. (It could be aliens, for example, but a report from a federal Commission is unlikely to make one of its recommendations: “we should prepare for an alien attack.”)

All we know is that there is a crisis that we are not prepared for, and as a result the mighty government intervenes. The guy who spent his whole career on Capitol Hill now has a chance to save the world. And his response is to cut and paste the Patriot Act into powerful new legislation that centralizes power and money in the federal government. But just as it comes time to issue this new set of Commandments, it is paralyzed because… it doesn’t know what to put into that law. Damn.

Hidden assumptions

As public relations, this is brilliant. The scenario makes two key assumptions. Both of them are wrong, but you get so caught up in the story you don’t notice.

Assumption 1)

  • Cybersecurity vulnerabilities create an interdependent, systemic risk in every cyber or cyber-physical system, and the exploitation of these vulnerabilities could be readily coordinated across multiple infrastructures and organizations to take down an entire society.

Assumption 2)

  • Strong legislation that centralizes power and discretion at the federal level could prevent this, if only we knew what to do. Let this expert commission tell us.

After reading this fable at the beginning, you don’t even have to read the whole report. You’ve gotten the message.

The message is that cybersecurity presents catastrophic risks on the order of the Covid-19 virus, or a full-out nuclear war. And we need centralization of power in the federal government to prepare for that.

By sheer coincidence, the release of that message overlaps with the outbreak of the pandemic. This is both a curse and a blessing. On one hand, it might be able to ride the crest of the wave of fear and uncertainty spawned by the coronavirus. The spread of Covid-19 is a real systemic threat, so we now know what that feels like. Maybe the cyber folks can piggyback on that, as it were. On the other hand, neither the media nor the public are paying much attention to a Commission report on cybersecurity these days, for obvious reasons. And the Report’s attempt to make cyber threats appear forbidding pales in comparison to the real threat we are experiencing.

Deterrence is possible.

Deterrence is The Way

Those two lines express the main finding of the report. There is a debate among cyber-oriented foreign policy specialists as to whether deterrence as we know it from past wars actually works in cyberspace. Deterrence seems like a questionable strategy mainly because it never seems to happen. We shake our fist, attribute acts, maybe even retaliate here and there, but the attacks keep coming. The cyber-attacks, however, always seem to stay well below the threshold of an act of war, which means a proportionate response would not be strong enough to deter.

Those who think deterrence doesn’t work believe in something called persistent engagement (PE). The PE guys said we are always engaged in cyberspace, so let’s make the most of it and skirmish at will. They won over some decision makers, and got their approach declared official doctrine by some branches of the military. With the release of this report, however, the PE guys seem to have been overthrown. The report declares definitively that deterrence is possible. The Commission declares this a settled issue. (My next blog will take a hard look at the evidence they cite for this.) Not only is deterrence possible, it is going to be the backbone of the American approach.

This means that mainstream Washington thinking about cyberspace has been taken over entirely by those who see cyberspace as a territorial domain. The US defends its “cyber-territory” by “deterring” others from attacking it. This means that we develop the means to do the most horrible things to the enemy’s data, cyber-infrastructure and robots, in the expectation that they would never consider attacking us and triggering our use of those capabilities.

There are a number of problems with this. First, cyberspace is not territorial, so this approach cannot avoid maintaining the kind of continuous probing and interacting the PE guys speak of, only in a less transparent and more aggressive way. Second, deterrence opens the door to linking cyber attacks to conventional retaliation. If they can’t be deterred by purely cyber means, then Big D turns to conventional weapons. Why not? Deterrence is deterrence, whatever the means.

Deterrence also suffers from the security dilemma. One party’s development of stronger and stronger cyber-deterrence tools provokes the adversary’s efforts to match them. The inevitable result is to create a cyber-arms race. It is literally a competition to see who can be more destructive of the other. At best, an equilibrium is reached in which it makes no sense for either country to initiate an attack. Mutually assured disruption. Peace at last! Nostalgic for the 1970s, yet?

An obvious problem with the notion of deterrence in cyberspace is that nasty threshold problem. Cyber attacks are more like nagging than fist blows, more akin to espionage and isolated acts of sabotage than full-on war. Yet deterrence is a baby who is always hungry, always crying to be fed. One can never precisely define any limits on what kind of imbalance in power would be sufficient to deter. With cyber threats, you don’t even know how much power the enemy really has, because it is easy to conceal weapons. So the military can build up its cyber capabilities indefinitely. It also has license to “defend forward” – because globalizing one’s reach, getting closer and closer to the enemy’s territory, makes a deterrence threat that much stronger.

Scold the Private Sector

The section on private sector relations is shockingly weak. Its understanding of how the private sector reacts to and implements cybersecurity is woefully inadequate. Legislators seem to think that a government certification scheme is going to make us all more secure. Do they not know how complex cybersecurity practices permeate all levels of an organization, not just hardware or cloud storage? Do they not know that there are all kinds of certifications out there already? Applicants to our Master’s program submit them by the half dozen in their applications.

Security at the organizational level is not about ticking boxes. It’s an ongoing process of vigilance, aided by good long-term planning decisions regarding tech acquisition, expert implementation of ICT infrastructures, alertness, experience, and, lest we forget, the insurance market. Nationalizing certification (of a potentially endless number of things relevant to cybersecurity) would likely not advance our cybersecurity, but it would be costly. Uniformity in procedures, standards and criteria is difficult to achieve in software-driven industries. Aside from that, any uniformity imposed on diverse industries by a federal bureaucracy might actually prove to be easier to hack in the long term.

The Encryption Debate

An important signal in this report: the Commission members could not come to an agreement about the trade-off between private use of encryption and mandatory lawful access. That is probably the most important cybersecurity policy issue we face today. Because of America’s leadership in internet standards and information services, whatever decision we make about encryption will have global repercussions. Yet they had nothing to say about it. No consensus. It’s unfortunate that we cannot come to consensus on that one most important cybersecurity issue. Note that even though it will have global impact, this is largely an internal issue. The lack of consensus comes from conflicting interests in the US polity.

If grappling with a real problem made consensus elusive, an artificial one did better. It is a bad sign that it was easy for the Commission to agree that cybersecurity is not only a catastrophic, coordinated threat, but a threat that is entirely external. The threat comes from Them, not Us. That distortion of the threat model is troublesome. Just like the generals and their Maginot line, if we prepare and invest heavily in strategies based on the wrong threat model, we will be helpless when the actual threat comes.

Do something about elections.

That is another recommendation of the Solarium report. It is justified but not very interesting because it repeats things people have been saying for years. Efforts are already underway at the state level. It is better for Congress to stay out of that, lest centralization of the highly disparate state election authorities create a more easily attacked, centralized system. But the report does manage to say something very interesting about this. It says that election security is related to deterrence. Deterrence will fail without election security. So this means that the members of this Commission believe a foreign power can undermine a nation’s political will, and thus eliminate deterrence, by hacking elections.

Well, at least we can now rule out aliens as the threat actor. No creatures in the alien-invasion movies have ever needed to manipulate votes in the 12th precinct of Columbus, Ohio to take over the planet.