The U.S. must make significant changes to the way the government and private sector respond to cyber threats that systematically erode its political, economic and security assets, a bipartisan, bicameral commission has found.
Without reforms, the country risks being crippled by a large-scale cyber attack that disrupts the function of its essential and interconnected energy, communication, transportation and financial sectors, it said.
The Cyberspace Solarium Commission on Wednesday released a 122-page report – the product of hundreds of interviews, dozens of meetings and expert consultations over the past year – that called the status quo in cyberspace "unacceptable."
"Our country is at risk," the commission's co-chairs write, "not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system."
The commission, mandated by the 2019 National Defense Authorization Act as part of a push to better prepare the country for cyber conflict, is conceptually derived from "Project Solarium," a group of task forces charged by President Eisenhower with developing a nuclear deterrence strategy in the 1950s. Its work has come to be viewed as a model for strategic planning.
The Cyberspace Solarium Commission is co-chaired by independent Senator Angus King of Maine and Congressman Mike Gallagher, Republican of Wisconsin. In total, it comprised four serving legislators, four representatives from executive branch agencies – including FBI Director Chris Wray – and six private sector appointees, including former NSA deputy director Chris Inglis, former senior DHS official Suzanne Spaulding, and Tom Fanning, CEO of Southern Company, the second-largest utility firm in the United States.
Both co-chairs have described the effort as akin to a "9/11 Commission report without 9/11."
The commission's report offers more than 75 recommendations for the government and private sector, and even includes draft legislation that Congress can effectively copy and paste to speed up implementation.
It elaborates a strategy for establishing, conveying and maintaining deterrence in cyberspace, mainly by ensuring that the government and private sector can address cyberthreats with "speed and agility."
The United States "stands at a strategic inflection point," the report says. "America is facing adversary nation-states, extremists and criminals that are leveraging emerging technologies to an unprecedented degree."
It recounts cyber incursions attempted or perpetrated by known adversaries like Russia, China, Iran and North Korea, all of which have conducted cyber operations over nearly two decades "with impunity," the report says.
"Despite numerous criminal indictments, economic sanctions, and the development of robust cyber and non-cyber military capabilities, the attacks against the United States have continued," the authors write.
Intelligence and national security officials have issued repeated public warnings about the growing threat of cyber attacks on U.S. systems. Former Director of National Intelligence Dan Coats warned in 2018 of a potentially devastating cyberattack, telling an audience in Washington, D.C., that "the warning lights are blinking red."
The Justice Department has issued a number of indictments related to China's theft of intellectual property and charged more than a dozen Russian individuals with federal crimes related to an interference campaign targeting the 2016 presidential election.
As part of necessary government reforms, the commission recommends the creation of a Senate-confirmed national cyber director position within the White House and new congressional cyber security committees. It also calls for an updated national cyber strategy, a new bureau for cyberspace security and emerging technologies at the State Department, and the strengthening of the Cybersecurity and Infrastructure Security Agency (CISA).
"We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins)," the report authors said.
Though the executive branch was represented on the commission, it is unclear how much appetite exists within the administration for structural or even personnel changes. The Trump administration downgraded and then effectively eliminated the position of cyber security coordinator in 2018, under then-national security adviser John Bolton. The current national security adviser, Robert O'Brien, has embarked on a systematic downsizing of National Security Council staff since assuming the role six months ago. The State Department's workforce has also seen staff and funding cuts.
Private sector companies, the report says, will need to strengthen their own security measures and be quicker at mitigating cyberattacks. Among its recommendations is that some product manufacturers be held liable for damages that stem from an unpatched cyber vulnerability. It also calls for closer cooperation with government agencies.
"If the U.S. government cannot find a way to seamlessly collaborate with the private sector to build a resilient cyber ecosystem, the nation will never be secure," the authors say.
The report also singles out election security as a priority, noting that concerns about foreign interference persist to this day. "If we don't get election security right, deterrence will fail and future generations will look back with longing and regret on the once-powerful American Republic and wonder how we screwed the whole thing up," the chairmen write.
They recommend reforming institutions charged with protecting the electoral process and ensuring that voting systems "retain a verifiable, auditable paper trail and paper-based balloting background."
"Going beyond elections, the U.S. government must also seek to better understand and counter broader cyber threats targeting our democratic institutions," the report says.
The commission co-chairs are expected in the coming weeks to testify before several congressional committees and brief other stakeholders. The report calls on Congress to monitor and assess the implementation of the report's recommendations over the next two years.