A major congressional study of U.S. preparedness in cyberspace released this week found that the U.S. needs to catch up, and fast—or run the risk of being caught off guard by an adversary.
“The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” the final version of the Cyberspace Solarium Commission’s report, which was mandated by Congress, warned. “We must get faster and smarter, improving the government’s ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries.”
Key findings include that the U.S. military is short on qualified personnel and that the private and public sectors must quickly build layered defenses to keep the economy functional during cyber attacks. The report also recommended that Congress authorize a number of new organizations and posts. Those include House and Senate cybersecurity committees, a dedicated assistant secretary of state to lead a new Bureau for Cyberspace Security and Emerging Technologies to strengthen ties with allied nations’ cyberdefense and cyberwarfare institutions, and a national cyber director at the White House.
As Wired noted, Donald Trump’s former national security adviser John Bolton terminated that last role in 2018 to much confusion from outside the White House. Bringing it back is a no-brainer, as are the report’s recommendations to safeguard elections via increased Election Assistance Commission support for states and localities and “voter-verifiable, auditable, and paper-based voting systems.” But Wired also wrote that other recommendations in the report such as having the Pentagon form a “multitiered signaling strategy” to “defend forward” are vague, while others are conspicuously absent, like anything to do with end-to-end encryption. (The FBI and Department of Justice have been waging a war on encryption for some time, demanding tech companies build surveillance backdoors into their products and platforms.)
“The idea with nuclear deterrence is you’ve either deterred it or you haven’t,” committee member and former homeland security official Suzanne Spaulding said last week, according to Reuters. “With cyber you’re trying to reduce the level of malicious cyber activity. This is not going to be ‘we’re going to eliminate cyber.’ This is about mitigating the consequence and reducing the level of activity.”
Another major blank spot, per the New York Times, was that the report calls for the National Security Agency and U.S. Cyber Command to probe deeper into networks run by Russia, China, Iran, and North Korea; this implicitly requires that the U.S. sign off on international agreements as to what techniques should be mutually declared off limits, as well as verify that it is in compliance. The report doesn’t address how such a system would work, the Times wrote. Democratic Representative Jim Langevin, a commission member who chairs an intelligence subcommittee, told the paper that “I don’t think we should take any options off the table if we are attacked.”
“We will not in peacetime take down infrastructure,” Langevin added. “... Those that would violate those norms should be held accountable, with public shaming and sanctions or indictments, using all tools of national power.”