The Cyberspace Solarium Commission: Illuminating Options for Layered Deterrence
March 20, 2020
The Cyberspace Solarium Commission: Illuminating Options
for Layered Deterrence
In August 2018, Congress authorized the Cyberspace
Commission Findings and Report
Solarium Commission (Commission), a blue-ribbon panel
The Commission found that the nation faces threats in
tasked with examining and developing a strategic approach
cyberspace from nation-state actors (e.g., Russia, China,
to defending the United States in cyberspace and protecting
North Korea, and Iran), extremist groups, and criminals.
its advantages there. The Commission released its report on
Using cyberspace as a medium, these groups are able to
March 11, 2020. This In Focus provides an overview of the
exploit inherent vulnerabilities in devices, networks, and
Commission and its report’s findings and
supply chains to conduct espionage, sabotage, and influence
recommendations.
operations, according to the commission report. They also
commit cybercrime (e.g., ransomware attacks) for illicit
The Cyberspace Solarium Commission
financial gain, steal intellectual property, and compromise
Over the course of nearly a year and a half, the Commission
critical infrastructure. These attacks contribute to a loss in
investigated approaches to defend the nation from
U.S. political, military, and technological leadership, and
significant cyber attacks and ways to implement those
economic advantages; and the safety of systems upon which
approaches. Its authorizing legislation highlighted three
the nation relies, the report noted.
policy options: deterrence, norms-based regimes, and
persistent engagement with adversaries in cyberspace. The
The Commission also observed that cyberspace is a unique
Commission was not bound to those options, and indeed
domain because it is relatively new, mostly owned and
expanded its research. For its work, the Commission
operated by private industry, and operates primarily by
defined priorities, conducted cost-benefit analyses,
market forces—as opposed to the physical domains (i.e.,
evaluated the effectiveness of the current national policy for
land, sea, air, and space) which are more directly controlled
cyberspace, and considered restructuring the federal
by government.
government to manage cyber risks.
The Commission proposed a new national strategic
The Commission was composed of 14 commissioners—
approach to cybersecurity: layered cyber deterrence.
four current Members of Congress (one each from the
Through this approach the Commission seeks to reduce the
majority and minority party in each chamber); four
frequency and severity of significant cyber events and limit
executive branch officers; and six non-legislative, non-
the ability of adversaries. Layered cyber deterrence consists
executive branch members as picked by congressional
of four parts:
leadership.
Foundation—Reform the U.S. government’s organization
The Director of National Intelligence and the Secretary of
and responsibilities.
Defense were required to provide administrative services,
staff, and other support to the Commission without
Shape Behavior—Build a collation of partners who share
reimbursement. Such support included detailees from the
our values and use our powers to influence others.
agencies to staff the work of the Commission. Staff also
included professionals from think tanks and academia. The
Deny Benefits—Improve national security, particularly for
Commission had an authorization to expend $4 million. In
elections and critical infrastructure, so that adversaries are
addition to the 14 commissioners, there were full-time staff
not able to use cyberspace to their advantage. Also, develop
members and part-time staff experts contributing to the
ways to ensure economic resiliency in light of cyber events.
work. The Commission held over 300 meetings, which
included sessions with industry experts, academics,
Impose Costs—Improve cyber offensive and defensive
government officials, and international organizations.
capabilities and capacity.
The Commission borrowed its name from the Solarium
The Commission’s report provides recommendations for
Task Force—an initiative from the Eisenhower
action by the Congress and the executive branch.
Administration which investigated strategies to combat
threats from the Soviet Union. Similar to the Solarium Task
Selected Actions for Congress
Force, the Commission tasked teams to investigate different
The Commission’s report groups recommendations under
strategies and report their findings. Those strategies were
strategic objectives, that are organized under six policy
then tested against opposing thoughts to advance their
pillars. The report contains more than 80 recommendations,
analysis and inform the final report.
of which nearly 50 would potentially need legislation.
(Appendix A of the report provides an overview of all the
https://crsreports.congress.gov
The Cyberspace Solarium Commission: Illuminating Options for Layered Deterrence
recommendations, and Appendix B contains a list of
expanding the role of the Cybersecurity and
recommendations needing legislation).
Infrastructure Security Agency (CISA), improving the
Federal Bureau of Investigation’s (FBI) tools for dealing
The six pillars provide an organizing framework for the
with international partners, and requiring the
report. But as Congress considers legislation, it may be
Department of Defense (DOD) to proactively address
helpful to think about the recommendations with respect to
risks to defense industrial base (DIB) networks.
changes to existing laws. Some recommendations create
something new, others expand existing frameworks, and
References
other seek to clarify previous laws and guidance. Those
Included below are references on the Commission and
recommendations include:
resources policymakers may choose to examine as they
consider some of the recommendations in the report.
Create Cybersecurity Committees. This proposal
borrows the concept from the select intelligence
The Cyberspace Solarium Commission
committees in the House and the Senate. Dedicated
committees would have staff with requisite knowledge
The Cyberspace Solarium Commission website
of cyber issues and would likely require reorganization
https://www.solarium.gov
of the current committee structure.
The John S. McCain National Defense Authorization
Create a National Cyber Director. This proposal would
Act for Fiscal Year 2019—Cyberspace Solarium
create a Senate-confirmed position in the Executive
Commission (P.L. 115-232, Section 1652; H.Rept. 115-
Office of the President to oversee activities across the
874, p. 1059)
government for cybersecurity. The Trade Representative
is a model for this proposal.
Creating Committees
Create national data security and privacy protection
Johnson, Sullivan, Wickham, House Practice, Chapter
laws. This proposal seeks to reduce risk in the cyber
11: Committees (Washington, D.C., 2017),
ecosystem by providing certainty to companies that
https://www.govinfo.gov/content/pkg/GPO-
collect and use personal data, and any obligations they
HPRACTICE-115/pdf/GPO-HPRACTICE-115-12.pdf.
face for doing so.
CRS Reports Pertaining to Selected Recommendations
Expand current risk management models to
cybersecurity. Many proposals fall under this category.
CRS Report R44364, The Federal Cybersecurity
These include improving planning for cyber-related
Workforce: Background and Congressional Oversight
risks, conducting national exercises, and establishing
Issues for the Departments of Defense and Homeland
thresholds for significant events and ways the
Security
government can assist during those events, among
others.
CRS In Focus IF10654, Challenges in Cybersecurity
Education and Workforce Development
Expand current legal frameworks. A few proposals are
included in this category. For example, creating limits
CRS Report R43908, The National Institute of
on online political advertising to address foreign
Standards and Technology: An Appropriations
influence, and expanding financial reporting
Overview
requirements to include cybersecurity.
CRS In Focus IF10677, The Designation of Election
Expand knowledge of cyber risks. Many proposals are
Systems as Critical Infrastructure
included in this category. For example, improving
education on digital media consumption, creating
CRS In Focus IF10043, Introduction to Financial
certification programs for information technology
Services: Insurance
products, collecting and making available information
on cyber attacks, and promoting cybersecurity
CRS Report R45631, Data Protection Law: An
insurance.
Overview
Codify and clarify federal agencies’ roles and
Chris Jaikaran, Analyst in Cybersecurity Policy
responsibilities. Many proposals are included in this
category. For example, the Commission recommends
IF11469
https://crsreports.congress.gov
The Cyberspace Solarium Commission: Illuminating Options for Layered Deterrence
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11469 · VERSION 1 · NEW