And This Is A Good Thing

The long awaited U.S. Cyberspace Solarium Commission Report came out and received very little attention given more pressing pandemic events. And this is a good thing. I’ll provide some critique and then, to be fair, provide my two-part prescription for this difficult question.

While I appreciate the sincere effort and the intention to improve the situation and make progress, the theme of putting all actions under a program and the banner of deterrence is a big mistake. The successful deterrence example we have with the global destruction nuclear deterrence working in the USSR / USA context is dwarfed by deterrence failure examples in history. This is well chronicled in Graham Allison’s Destined for Warand his 16 examples of what he calls the Thuycidides Trap.

When a rising power threatens to displace a ruling power, alarm bells should sound: danger ahead.

US deterrence efforts vis-a-vis China, and to a lesser extent Russia, as defined in this report, including defend forward and retaliation, are more likely to escalate to high level conflict based on historical precedent. Especially when even “cyber enabled IP theft” would trigger defend forward and retaliation actions. I cover the focus on offense and deterrents leading to more attacks in this Defense Will Win video. US deterrence efforts on non-state actors face a different problem that the non-state actor has much less to lose, asymmetric consequences and risk, than the US.

I could write a thirty page rebuttal to this report, but I’ll just cover three major points here.

  1. US Has Proven Unwilling To Live By Desired Cyber Norms

The report puts every action under a Layered Cyber Deterrence umbrella, even creating international cyber norms. The concept of cyber norms has merit, but to date the US has been unwilling to restrict its own options in the cyber realm. As I recently discussed with Sandworm author Andy Greenberg, ex-high ranking government officials Tom Bossert and Michael Daniel said to Andy in interviews that the US Government shouldn’t take any cyber operations off the table. It’s all situational, and they don’t want to lose an option. Without judging the merit of this position, the US can’t expect others to follow a cyber norm, such as not taking out a civilian critical infrastructure, if they are not willing to follow this norm. The activities required to “defend forward” will also make cyber norms extremely difficult.

The report also has boxed off examples of “Major Cyber Operations Publicly Attributed to xx” for China, Russia, Iran, North Korea and Non-State Actors. It conveniently leaves off Major Cyber Operations Publicly Attributed to the US. I’m not claiming equivalence, but the US hands are not clean. The report indicates the US should get their hands dirtier.

2. Government Is Not The Solution For Most Of The Problems

It is not a surprise that a report commissioned by the US Congress relies primarily on US Government bureaucracy and Government efforts. Others are better equipped than I to judge whether a National Cyber Director, a new Assistant Secretary of State for Cyberspace Security, and Permanent House and Senate Select Committees on Cybersecurity will make a difference. 

There is scant evidence that the US Government could effectively create a useful National Cybersecurity Certification and Labeling Authority, develop certifications for cybersecurity insurance products, ensure trusted supply chains, and develop a cloud security certification. We are 10+ years into ICS-CERT’s existence, and it still provides little value in a core mission such as vulnerability disclosure despite feedback of what is needed from the community. 

Most of the proposed government efforts in the report that are important and areas where government can, in my opinion, take the lead have been in DHS and the sector specific agencies’ mission for years. The report provides new names and perhaps more emphasis, and it really comes down to the government doing what it says it is does better. For example, increased efforts to increase public awareness and information sharing make sense if there are sensible metrics, not mere activity counting stats, to measure progress. Defining what is critical infrastructure is important, public / private partnerships, … these are all things that DHS has been telling us they have been doing for years. 

3. Specific Recommendations Are Better Than The Strategy

While the deterrence focus, layers and pillars strategy as described in the Executive Summary would take the US in the wrong direction and fail, in my judgment, some of the 75 specific recommendations in the report have merit. A quick, back of the envelope tally showed one-third of the recommendations made sense and would make a difference, again in my judgment. Practically it is unlikely that someone coming from a .gov perspective would agree with my selection.


My Short Two-Part Recommendations For The US Government

It is only fair that I provide a prescription for effective US government action rather than just point out what is wrong. 

Foster or Force Enlightened Self Interest in Private Industry

Companies will spend money to address risks they are aware of, understand and believe to be real. All sorts of risks including cyber related risk and regulatory risk. Since most of the critical infrastructure is run by public companies, the SEC should increase their cyber disclosure requirements. This will require the Board and Officers to go on the record as knowing and accepting ICS cyber risk, or doing something about it. If the right disclosure requirements are selected, this could raise shareholder pressure on the company and potentially affect the stock price. 

Some suggested disclosure requirements:

  1. Disclose all ICS that are insecure by design and whose loss could cause a material event for the company. (Insecure by design would need to be defined, such as a system using protocols lacking authentication for control or administration or a system that has hard coded credentials that would allow for control or administration). 
  2. Disclose all ICS where an attacker with access to the ICS could cause a material event for the company. (This would push companies to reduce the consequences of a successful attack.)
  3. Disclose the time and cost to recover operations from a worst case cyber attack on ICS if that worst case would be a material event. 

The other way the government could foster enlightened self interest has been around for at least 15 years … use the bully pulpit. For better or worse, DHS has always been considered, in the US, the authoritative source for ICS security information. Forcefully highlighting a small number (1 to 3) clearly stated key security controls or other actions that are the highest priority would put tremendous pressure on companies to do those tasks. Instead we consistently get a long list of soft recommendations, often with explanations why it may not be possible and softening words.

For example if DHS said, “Every Director and every Corporate Officer with an ICS should be asking the CISO and VP of Operations if … and the answer you should hear is …” Then DHS builds articles, videos, posters, interviews all around these 1 to 3 high priority tasks. It would be a topic in executive management. Of course the key is to choose those 1 to 3 key things carefully (and please don’t say patching all cyber assets).

Regulation On True Critical Infrastructure Recovery & Resilience

There is one regulation the government should enact: making sure the critical infrastructure can recover. The identification of the ‘systematically important critical infrastructure’ is part of the Solarium report. Once they are identified, there should be a regulatory requirement that the organizations that run these systems provide a recovery time for the capabilities (providing water, power, fuel) assuming worst case compromise of the ICS. Worst case would include any equipment damage that could be caused if a skilled engineering and automation team had full access to the ICS.

The recovery plan should be subject to governmenaudit and verification if it is not deemed to be credible. Then the government can determine if from a nation state perspective these recovery times are acceptable.