The cybersecurity landscape has changed greatly in recent years and continues to be a very fluid situation, forcing governments all over the world to reassess policies. The United States has been at work on this for the past year, and the Cyberspace Solarium Commission has published a 182-page report that makes broad and very significant changes. Some of these changes are things that you would expect; some are very much not.
The broad strokes
The report makes a series of recommendations that center around the thesis that the United States is far from prepared for coordinated cyber attacks by threat actors. Deterrence is focused on as a measure that can be implemented immediately, shifting to a more speedy and agile posture comparable to the way in which FEMA responds to emergencies. The report also has a strong focus on getting C-suite executives at private companies up to speed in terms of cybersecurity, and on securing elections from foreign interference.
The report consists of about 75 recommendations divided into three “layers” of cyber deterrence: shaping behavior, denying benefits and imposing costs. Behavior-shaping means building partnerships and leveraging “non-military instruments” to influence the actions and policies of other nations in cyberspace, particularly frequent bad actors such as Russia, Iran and North Korea. The “deny benefits” concept basically means setting up stronger defensive walls to prevent the repeat of prior successful attacks, such as meddling in elections and snooping around in the utility grid. The “impose costs” layer is the more interesting one; it appears to signal a stronger shift to a “defense forward” posture.
The report also lines up attack types with deterrent layers. Cybercrime and IP theft would, in most cases, fall under the heading of a “shaping behavior” response. “Imposing costs” would primarily be focused on open military conflicts and as a response to attacks on critical infrastructure.
One of the confusing aspects of the report is the way in which the US will reconcile increased “defense forward” excursions into the networks of foreign rivals with the sort of relationship-building that is intended to deter lower-level cybercrime.
To the end of securing elections in 2020 and beyond, the report advocates for a return to paper-based systems in which citizens can verify the accuracy of their vote.
The report also calls for the creation of a Bureau for Cyberspace Security and Emerging Technologies, and for restoring the White House cyber coordinator position that was eliminated in 2018.
A “public-private partnership” is proposed to ensure the continuity of the economy in the event of a damaging attack on infrastructure or payment networks. However, the report does not go into significant detail about what these partnerships would actually look like. The closest proposal would establish a group composed of representatives from the finance, electricity and telecommunications industries to contribute to risk analysis. The report also recommends establishing a cybersecurity assistance fund when risks to national security are involved.
A number of cybersecurity agencies would also see significant improvements to their available resources: the Cybersecurity and Infrastructure Security Agency, the Cyber Threat Intelligence Integration Center, and the FBI’s Cyber Mission and the National Cyber Investigative Joint Task.
The report also lends weight to the growing movement for a federal data privacy standard. It calls for a national data security and privacy law comparable to the European GDPR, which would unify standards across the entire country.
Encryption in question
The bill calls for measures that should be broadly supported, but it hedges in one key area: a commitment to strong encryption standards that support personal privacy.
It is the position of the current Attorney General’s office that law enforcement organizations should have a permanent backdoor into encrypted devices and communications. The report does not commit in one direction or the other, acknowledging the debate while essentially kicking the can down the road.
This comes during controversy over potential passage of the EARN IT Act, which critics contend will chill the use of end-to-end encryption by communications services. On its face, the EARN IT Act appears to be a laudable effort to reduce the trafficking of child pornography by making platforms it is determined to be “recklessly” hosted on liable in civil court. However, critics argue that it will pressure companies into refusing to offer encryption in the belief that it could be used against them in future lawsuits. The main fear is that Attorney General Barr, an open advocate for law enforcement backdoors, will specifically declare end-to-end encryption to not be one of the established best practices for combating child pornography.
Will these recommendations become real?
Most of the recommendations would require Congressional approval. With the 2020 election imminent these would normally be potential priority items, but the developing coronavirus may cause them to take a backseat for some time.