- Reform the U.S. Government's Structure and Organization for Cyberspace. While cyberspace has transformed the American economy and society, the government has not kept up. Existing government structures and jurisdictional boundaries fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations. Rapid, comprehensive improvements at all levels of government are necessary to change these dynamics and ensure that the U.S. government can protect the American people, their way of life, and America’s status as a global leader.
- Strengthen Norms and Non-Military Tools. A system of norms, built through international engagement and cooperation, promotes responsible behavior and dissuades adversaries from using cyber operations to undermine American interests. The United States and others have agreed to norms of responsible behavior for cyberspace, but they go largely unenforced. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who defect from them. A coalition of like-minded allies and partners willing to collectively support a rules-based international order in cyberspace will better hold malign actors accountable.
- Promote National Resilience. Resilience, the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior, is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. National resilience efforts rely on the ability of both the United States public and private sectors to accurately identify, assess, and mitigate risk across all elements of critical infrastructure. The nation must be sufficiently prepared to respond to and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart critical functionality after disruption.
- Reshape the Cyber Ecosystem. Raising the baseline level of security across the cyber ecosystem—the people, processes, data, and technology that constitute and depend on cyberspace—will constrain and limit adversaries’ activities. Over time, this will reduce the frequency, scope, and scale of their cyber operations. Because the vast majority of this ecosystem is owned and operated by the private sector, scaling up security means partnering with the private sector and adjusting incentives to produce positive outcomes. In some cases, that requires aligning market forces. In other cases, where those forces either are not present or do not adequately address risk, the U.S. government must explore legislation, regulation, executive action, and public-as well as private-sector investments.
- Operationalize Cybersecurity Collaboration with the Private Sector. Unlike in other physical domains, in cyberspace the government is often not the primary actor. It must support and enable the private sector. The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector. While recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts.
- Preserve and Employ the Military Instrument of National Power. Future crises and conflicts will almost certainly contain a cyber component. In this environment, the United States must defend forward to limit malign adversary behavior below the level of armed attack, deter conflict, and, if necessary, prevail employing the full spectrum of its capabilities. Conventional weapons and nuclear capabilities require cybersecurity and resilience to ensure that the United States preserves credible deterrence and the full range of military response options. Across the spectrum from competition to crisis and conflict, the United States must ensure that it has sufficient cyber forces to accomplish strategic objectives through cyberspace.
- Congress should direct the U.S. government to develop and maintain Continuity of the Economy planning in consultation with the private sector to ensure continuous operation of critical functions of the economy in the event of a significant cyber disruption.
- Congress should codify the concept of “systemically important critical infrastructure,” whereby entities responsible for systems and assets that underpin national critical functions are ensured of the full support of the U.S. government and shoulder additional security requirements befitting their unique status and importance.
The full report is at https://www.solarium.gov.