UPDATED 22:01 EDT / APRIL 01 2020

SECURITY

Coronavirus pandemic delays urgently needed action on US cybersecurity

One of the byproducts of the coronavirus pandemic is that a number of important events, understandably, get overlooked. The release in mid-March of the Cyberspace Solarium Commission report on making sweeping changes to guide U.S. cybersecurity policy is one of those events.

The congressionally authorized commission was chartered to make recommendations for how the federal government should improve its ability to respond in the event of a cyberattack. The resulting final report included more than 75 recommendations from three task forces, composed of members of Congress, the military, the executive branch, the private sector and the former deputy director of the National Security Agency, Chris Inglis.

“The report advances the point that we need to strengthen all of the instruments that we have,” Inglis said during a virtual panel discussion on Tuesday, organized by the endpoint detection and protection technology company Cybereason Inc. “COVID-19 has drowned out just about everything in America.”

Escalating threats

While the country remains focused on a very serious human virus, the threats posed by computer viruses remain ever-present. Cybercriminals now have the largest online community to attack in recorded history, thanks to the closure of the physical plants of most large businesses, which has forced millions of employees to work from home.

That has triggered a spike in phishing emails disguised as health advice from government or nonprofit organizations. Another online resource, sports betting and online gaming platforms, was affected last week when major provider SBTech Ltd. was taken down by a still-unidentified cyberattack.

Congressional hearings on the commission’s report were scheduled to take place last week, but the government’s preoccupation with the impact of coronavirus forced a delay until May, according to Inglis. More than half of the commission’s recommendations require legislative action and Inglis indicated that bills have already been drafted in preparation for when Congress can resume focusing on other non-virus-related matters.

Commission Co-Chair Senator Angus King emphasized the parallels between the current pandemic and the threat of a global cyberattack in a statement last week. “If you cross out ‘coronavirus’ and write in ‘destruction of the electric grid,’ we’re in a very similar position,” King said.

Cyber deterrence and industry liability

The final report runs 182 pages and offers a detailed plan for what is described as “layered cyber deterrence,” shaping behavior with allies and partners, denying benefits to nation states that place the U.S. at a disadvantage and imposing costs on those who target the country.

The country’s cybersecurity coordinator position was eliminated by the Trump administration in 2018, and the commission called for a Senate-confirmed national cyber director who would report to the president.

One of the report’s recommendations, contained in Section Four, would probably be the current subject of extensive tech industry debate were it not for the pandemic. The Commission proposed that “Congress should pass a law establishing that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.”

Holding companies responsible for writing secure code would mark a major shift in the government’s approach to cybersecurity policy.

“Section Four is where things start to get interesting,” Ari Schwartz, former White House special assistant on cybersecurity to President Barack Obama, said during the virtual Cybereason event. “It’s where tangible benefits really start to happen. Everybody seems to be for liability, but they don’t want it on themselves.”

Consensus versus debate

Notwithstanding attempts by the government to enforce liability on the tech industry, the report has encountered some criticism for both its approach and what was not included in the recommendations.

The commission name originated from “Project Solarium,” a secret study conducted in the 1950s by diplomats and military strategists to provide options in response to Cold War threats by the Soviet Union. As Joshua Rovner, associate professor and former scholar-in-residence at the U.S. Cyber Command and the NSA, has pointed out, the Eisenhower-era commission used three competing task forces to foster an informed debate and present competing views.

That’s not what was delivered last month. Instead, the Commission focused on commonly agreed positions for international standards, threats against adversaries and persistent cybersecurity engagement.

“A structured debate among these three perspectives may have been illuminating,” Rovner wrote last month. “Unlike that of the original Project Solarium, the commission’s report is a consensus product that includes all of them.”

Perhaps more significant is what is missing from the report. There are no specific recommendations for dealing with documented influence actions by nation states and malicious actors that sow seeds of discontent and disinformation in cyberspace.

“There are a whole bunch of influence operations taking place,” said commission member Inglis. “You still have to fight the battle of the competition of ideas and we’re not doing that really well.”

It’s expected that once the U.S. can get past the worst of the coronavirus pandemic, the government will begin to address many of the recommendations brought forth in the Solarium Commission report. It’s also a safe bet that not all of them will be implemented, but even if half become reality, it will represent a much more significant effort by the U.S. government to deal with cyberthreats than has been seen to date.

“When it’s all said and done, there must be accountability based on a clear rendering of who’s doing what,” Inglis said. “This strategy attempts to make it such that if you’re an adversary in cyberspace you’re going to have to beat all of us.”
