Crafting broad State cybersecurity strategy on the example of Cyber Solarium Report
Recently the US conducted a process modeled on the Eisenhower-era red-teaming exercise designed to figure out how to tackle the Cold War-era risks posed by the Soviet Union, this time applied to cybersecurity.
Sounds exciting, if not fuzzy? The report is now released, and it is an extremely interesting strategic assessment. It contains a lot of recommendations (advertised as “actionable”). Indeed, some of them would improve some things (technology-wise). The impact of others would be less simple to predict (policy-wise). I provide an independent and critical summary of selected points and recommendations. It's another in a series of interesting documents I have analysed, from Ireland, Netherlands, France, NotACountry, again France, Luxembourg, etc.
1) The usual stuff
The report preface obviously includes the usual motivations in a popular-press-like fashion. So the USA is threatened by cyberattacks from China, Russia, Iran, and North Korea, and so on. 5G, AI cyberattacks, and the Internet of Things are important, etc. etc. etc. (In 2020 it would be difficult to have a report devoted to cybersecurity without mentioning those terms, right?)
2) Reshape government structure to cyber-enable it
The report perceives the current U.S. government structure as inappropriate for the “cyber era”. So it advocates restructuring parts of the government, and how it functions, to be more effective in tackling cyber risk: “the need to reform how the U.S. government is organized to secure cyberspace and respond to attacks.” Such changes to official policymaking centers would be a testament to the importance that cybersecurity has gained. We all wanted cybersecurity to be top of the agenda, right?
3) Improve government structure by building new bureaucracies
The report advocates creating new posts such as the U.S. House Permanent Select and Senate Select Committees on Cybersecurity, the Senate-confirmed National Cyber Director and other official posts. This means a lot of new jobs, and that is for the good: many universities recently created cyber policy degrees, and the graduates will perhaps be excellent new hires (unless, of course, the people in those offices decide to become open also to people with a technology background, which is less likely).
4) The report calls on the US to issue an updated National Cyber Strategy
Structured around the concept of deterrence. It should support increased activity on the cyber diplomacy front but also work towards building cyber attribution capabilities. In general, many countries have created and unveiled their cybersecurity strategies recently.
“Cyberspace is already an arena of strategic competition, where states project power, protect their interests and punish their adversaries. Future contingencies and conflicts will almost certainly contain a cyber component. In this environment, the United States must defend forward to limit malicious adversary behavior below the level of armed attack.”
5) Layered deterrence.
The overarching theme of the report is deterrence, a nuclear-era word. Here this is to be a vehicle contributing to “altering the cost-benefit calculus of adversaries (e.g., denial and cost imposition)”. Layered cyber deterrence is a creative term describing “build cybersecurity on many levels”.
But it’s thought to: “combine different ways to shape adversaries’ decision making. The central idea is simple: increase the costs and decrease the benefits that adversaries anticipate when planning cyberattacks against American interests. This can be achieved by employing multiple deterrent mechanisms concurrently, continuously, and collaboratively across the public and private sectors”. Will the lines between the public and the private become blurred? It would sound a bit like cyber sovereignty-inspired thinking.
It’s interesting how the report admits that in cyberspace, we all rely on the same networks and underlying infrastructure that supports global connectivity. Cyber operations threaten this connectivity and create shared risks. In other words, cyberattacks and retaliation all increase global risks (I explain these points here).
6) Signaling.
“To change adversaries’ behavior, it is not sufficient to simply counter their campaigns and impose costs. Rather, the United States must signal capability and resolve, as well as communicate how it seeks to change adversary behavior and shape the strategic environment. Signaling is also essential for escalation management. The strategic level of signaling should involve overt, public diplomatic signaling through traditional mechanisms that have already been established for other domains, as well as private diplomatic communications through mechanisms such as hotlines and other nonpublic channels.
The operational and tactical levels should involve clandestine, protected, and covert signaling (including through non-cyber means) that is deliberately coupled with cyber operations. An example of this type of signaling is tailored messaging preceding or running concurrently with defend forward cyber operations.”
Translation: cyber operations (here: also offensive) as a means of power projection and influence. An integral part of the policy toolkit.
7) Response to cyberattacks both below and above the use-of-force threshold (i.e. armed response)
“... This policy should clearly state that the United States will respond using cyber and non-cyber capabilities to counter and impose costs against adversary cyber campaigns below a use-of-force threshold. These responses would create sufficient costs to alter the adversary’s calculus, but they would be different from responses to adversary actions above the use-of-force threshold”
8) The report speaks about establishing funds for resilience building
Including in the private sector, for example when “market forces do not provide sufficient private-sector incentives to mitigate the risk without government investment”. This can be a real issue because some things are not easy to sell.
9) The report recommends that Congress should establish and fund a National Cybersecurity Certification and Labeling Authority.
It’s interesting how similar legislation was passed in the European Union recently (voluntary certification). This is directly imported from Europe.
10) Make companies liable for cybersecurity risk
An idea sometimes seen elsewhere as well.
“(...) To date, there has not been a clearly defined duty of care for final goods assemblers in their responsibilities for developing and issuing patches for known vulnerabilities in their products and services, the timeliness of those patches, and maintaining a vulnerability disclosure policy (...) Congress should therefore enact legislation establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit vulnerabilities that were known at the time of shipment or discovered and not fixed within a reasonable amount of time. The law should establish expectations that final goods assemblers are ”.
Will we see a day when a 0-day vulnerability is defined in the law?
10) Policymaking, evidence-based.
In cybersecurity, the data needed for this is lacking. So there’s an idea to establish a cyber statistics bureau, to collect metrics to inform policy. Metrics are a fascinating thing in cybersecurity. But the key is to agree on a common set of metrics, and to guarantee that the data will be accurate.
11) The report calls for enhancing the Sarbanes-Oxley Act
The idea is a regulatory requirement to report cybersecurity information and to specify corporate responsibility requirements. This would be a requirement for the company Board. It would be a question of compliance. Sarbanes-Oxley (SOX) regulation is treated very seriously. Some actual requirements:
“the security of information systems, including the metrics and records publicly traded companies must keep regarding risk assessments, determinations, and decisions; cyber hygiene; and penetration testing and red-teaming results, including a record of metrics relating to the speed of their detection, investigation, and remediation
Mandate that public companies maintain, as part of this requirement, internal records of cyber risk assessments, so that a full evaluation of cybersecurity risks can be judged in acquisition or in legal or regulatory action”
11) The report calls on the US to pass a federal data protection law.
So, the American GDPR?
As part of it: a National Breach Notification Law, requiring notification of breaches. The European Union already has this.
12) Transpose the European NIS directive to US law
“Identification and Designation: Congress should direct the executive branch, through the Department of Homeland Security (DHS) and in consultation with the appropriate sector-specific agencies, to develop a process to identify key systems and assets underpinning certain critical functions and designate the entities responsible for their management, operations, and security as “systemically important critical infrastructure.”
Summary
A very interesting report. Recommended reading. Whether its recommendations are actionable remains to be seen, as this depends on how seriously it will be read by US policymakers. To a degree this may be guaranteed because acting policymakers were involved in this work, and there is a feeling that some of the recommendations are, maybe, already being pursued? But then again, what you need is clear timetables and allocated funding.
A word of caution. This report is a unique US-centric assessment. There may be a temptation for some people in other countries to copy and paste some of its recommendations. That would likely fail: it's a US-specific assessment, even if it itself copies some solutions already known from Europe, for example.
People in various countries are often tempted to copy-paste solutions (concerns, recommendations, analyses, comments…) from debates in other countries. This might not always work.
Did you like this analysis? Want more? Or another kind of help? Feel free to reach out: me@lukaszolejnik.com