The Cyberspace Solarium Commission: A Timely Proposal

On Monday, night the Senate passed its version of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. It now heads to conference for reconciliation with the House version. The Senate version is packed with interesting provisions relating to military operations in the cyber domain, and I’ll be writing separately about most of those items shortly.

For now, I want to draw attention to one particular provision: Sen. Ben Sasse’s timely call for a bipartisan national commission to assess the best path forward for U.S. cyber strategy, which appears as Section 1634 in the Senate bill.

Sasse’s proposal is modeled on President Eisenhower’s Project Solarium, which sought to resolve persistent differences regarding the optimal path forward for U.S. strategy in relation to the Soviet Union. With an emphasis on establishing a careful deliberative process focused on exploring and contrasting competing strategies, Project Solarium aimed to generate a thoughtful consensus that could then drive policy going forward. (For more, see Klon Kitchen’s Lawfare post.)

In the same spirit, Section 1634 of the Senate bill calls for creation of the “Cyberspace Solarium Commission” charged with “develop[ing] a consensus on a strategic approach to protecting the crucial advantages of the United States in cyberspace against the attempts of adversaries to erode such advantages.” Note that this is not limited to cybersecurity, though it certainly encompasses that topic. It is framed, instead, as a study of the full spectrum of factors that generate and sustain American capabilities in the cyber domain and of the corresponding spectrum of threats and challenges thereto. Something of a SWOT analysis, in short, but with a special emphasis on identifying and kicking the tires on a variety of competing strategic paradigms.

The case for conducting a high-profile strategic assessment of this kind rests, in my view, on two propositions. First, we are at an inflection point of sorts. The United States has tremendous public- and private-sector cyber capabilities, but we also have tremendous vulnerabilities (as Jack Goldsmith and Stuart Russell explain so well in their recent Hoover paper). As a result, the U.S.’s net comparative advantage over adversaries is much less than it is accustomed to having in more traditional domains. Moreover, the capabilities and resolve of the U.S.’s adversaries are growing by leaps and bounds, while the ability of the United States to draw on the traditional wellspring of our technological capabilities—our incomparably innovative private sector—has been disrupted to some extent by (i) growing private-sector distrust of the U.S. government (think Snowden, Going Dark, Project Maven, etc.) and (ii) the increasingly global orientation of some U.S.-based companies.

Second, we do seem to lack strategic focus regarding the best path forward for the United States in relation to these challenges (though the government as a whole has long recognized the importance of this general topic, and though there have been many individual government officials who appreciated the problem in depth). There is little reason to believe, moreover, that the current policymaking process in the executive branch will remedy this situation.

So what precisely would the Cybersecurity Solarium Project involve?

Section 1634 provides for a 13-member commission consisting of the principal deputy director of national intelligence, the deputy homeland security secretary, the deputy secretary of defense, three members selected by the Senate majority (only one of whom can actually be a senator), two members selected by the Senate minority (again, only one senator), three members selected by the House majority (only one can be a representative), and two members by the House minority (one can be a representative). The commission would have a co-chair from each party. Section 1634 also provides for a staff director and supporting staff as needed, with options both to hire people for this purpose and to accept detailees (including a directive to the Pentagon to provide staff and support as needed, and options to call on the Office of the Director of National Intelligence for the same purposes as well). The commission would have full subpoena power, and the legislative proposal pointedly requires full cooperation by all government agencies while also forbidding effort to without information on classification grounds. The model is more or less like the 9/11 Commission, in short, but arguably with greater clarity on access to government-held information.

In the course of its work, Section 1634 would require the commission to account for a number of subtopics associated with its general charge. Specifically, it would have to address:

1. The pros and cons of strategic frameworks including (but not limited to) “deterrence, norms-based regimes, and cyber persistence,” including how these frameworks compare in relation to the need to protect various aspects of our system including the “national security industrial sector,” the “innovation base,” and our “political system.”
2. The “strategies and intentions” of our adversaries in comparison to the United States’s current programs to protect our advantages (including as well a study of our current capability to understand whether and to what extent we are succeeding in deterring or disrupting those adversary efforts).
3. Whether we should change the current allocation of resources devoted to understanding and responding to these challenges.
4. Whether we need new or revised government structures or authorities.

The commission and its staff would have until Sept. 1, 2019, to deliver its report. Interestingly, the legislation calls for the report to be delivered not to the president directly, but instead to the director of national intelligence, the defense secretary, and the homeland security secretary, as well as the congressional armed services and intelligence committees.

I’ll close by noting that no one thinks task forces like this are cure-alls. But that doesn’t mean they can’t be useful. This one can be. And in the current environment, it falls to Congress to insist on it.