The global commons are under assault in cyberspace. Ransomware attacks, including North Korea’s WannaCry and Russia’s NotPetya, have disrupted vital medical services and global transportation systems, costing billions of dollars. Iran and China have engaged in similar actions.
These cyberattacks are carried out by states and nonstate actors that seek to undermine global connectivity for their own interests. But like a pandemic, these attacks affect all of society. The world needs a new approach to combating how nations use cyberspace to advance their interests at the expense of people around the world.
The U.S. Cyberspace Solarium Commission was formed by Congress in 2018 to develop a strategic approach to defending the United States in cyberspace. It provided a road map for establishing cooperation and accountability in cyberspace. The commission consisted of four federal legislators, the deputies of the Department of Homeland Security, Department of Defense, office of the Director of National Intelligence and Department of Justice, and six private-sector experts. One of us, Benjamin Jensen, served as the commission’s senior research director.
The commissioners and staff conducted more than 400 interviews with cybersecurity professionals, researchers and officials in the private sector, academia and foreign governments. The commission’s final report, released in March, lays out a comprehensive plan of action based on a new strategy: layered cyber deterrence.
Layered cyber deterrence
The proposed strategy breaks new ground in two ways. First, it asserts that contrary to conventional wisdom, it is possible to deter cyberattacks. Second, the strategy calls for coordinating activities in three layers to secure cyberspace. This won’t eliminate all bad behavior in cyberspace any more than traditional law enforcement has completely banished crime in the physical world. But it will improve how the U.S. government and the private sector respond to cyberthreats.
The first layer calls for the U.S. government to shape behavior in cyberspace through diplomacy and establishing new norms. Too many states quietly condone hacking to steal, spy and threaten their rivals. These attacks rely on illicit marketplaces for malware. The key is promoting responsible behavior in cyberspace and assigning specific expectations for the roles and responsibilities of governments and the private sector.
The second layer calls for the U.S. government to make cyberattacks less effective by promoting national resilience. This approach requires securing critical networks in collaboration with the private sector. It also requires being able to conclusively identify the perpetrators of malicious actions in cyberspace. And it requires increasing the security of the cyber ecosystem. Actions in this layer include working to create more transparency in cyber insurance markets and ensuring economic continuity in the event of a catastrophic cyber incident.
The third layer calls for the U.S. government to impose proportional costs to malicious actions in cyberspace. This requires the U.S., in collaboration with allies, to maintain the capability and credibility needed to retaliate against nations and organizations that target the U.S. in and through cyberspace. The means to retaliate include legal, financial, diplomatic and cyber powers that, applied in combination, assure compelling and unavoidable consequences for transgressors.
Early action with diverse responses
The U.S. Department of Defense “defend forward” policy, laid out in its 2018 strategy, calls for detecting and responding to threats as early as possible. Early action increases effectiveness and minimizes disruption. The commission report calls for this emphasis on early detection and action to be extended to the use of all government powers. It also calls for collaborating with an international coalition that lends strength and legitimacy when responding to cyber attacks.
The three components of this proposed strategy are defined as layers because they need to be applied in combination rather than as separate remedies. In this manner the strategy brings together a diverse array of private and public capabilities, resources and authorities.
The commission’s report includes 80 recommendations for implementing the strategy. For the recommendations that require changes in law, the commission drafted legislative language to assist Congress. The recommendations set the stage for a series of public hearings and outreach to the public. Implementing the strategy will involve changes in procedure, authority, law and ultimately in the behavior of cyberspace stakeholders.
While the commission has transitioned its role to one of advocacy for the report’s recommendations, the work of transforming perceived costs and benefits in cyberspace lies ahead. It will require the work of governments, the private sector and citizens. If the strategy is implemented successfully, nations that contemplate aggression in cyberspace will get the message: if you want to beat one of us, you’ll have to deal with all of us.
Benjamin Jensen, Professor of Strategic Studies, Marine Corps University; Scholar-in-Residence, American University, American University School of International Service and Chris Inglis, Distinguished Visiting Professor in Cyber Security Studies, United States Naval Academy