For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power, American security, and the American way of life. Despite numerous criminal indictments, economic sanctions, and the development of robust cyber and non-cyber military capabilities, the attacks against the United States have continued. The perpetrators saw that their onslaught damaged the United States without triggering a significant retaliation. Chinese cyber operators stole hundreds of billions of dollars in intellectual property to accelerate China’s military and economic rise and undermine U.S. military dominance.[3] Russian operators and their proxies damaged public trust in the integrity of American elections and democratic institutions.[4] China, Russia, Iran, and North Korea all probed U.S. critical infrastructure with impunity. Criminals leveraged globally connected networks to steal assets from individuals, companies, and governments. Extremist groups used these networks to raise funds and recruit followers, increasing transnational threats and insecurity. American restraint was met with unchecked predation.[5]
The digital connectivity that has brought economic growth, technological dominance, and an improved quality of life to nearly every American has also created a strategic dilemma. The more digital connections people make and data they exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure, and damage our economic and democratic institutions. The United States now operates in a cyber landscape that requires a level of data security, resilience, and trustworthiness that neither the U.S. government nor the private sector alone is currently equipped to provide. Moreover, shortfalls in agility, technical expertise, and unity of effort, both within the U.S. government and between the public and private sectors, are growing.
The 2019 National Defense Authorization Act chartered the U.S. Cyberspace Solarium Commission to address this challenge. The President and Congress tasked the Commission to answer two fundamental questions: What strategic approach will defend the United States against cyberattacks of significant consequences? And what policies and legislation are required to implement that strategy?
After conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence. The desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence. The strategy outlines three ways to achieve this end state:
Each of the three ways described above involves a deterrent layer that increases American public- and private-sector security by altering how adversaries perceive the costs and benefits of using cyberspace to attack American interests. These three deterrent layers are supported by six policy pillars that organize more than 75 recommendations. These pillars represent the means to implement layered cyber deterrence.
While deterrence is an enduring American strategy, there are two factors that make layered cyber deterrence bold and distinct. First, the approach prioritizes deterrence by denial, specifically by increasing the defense and security of cyberspace through resilience and public- and private-sector collaboration. Reducing the vulnerabilities adversaries can target denies them opportunities to attack American interests through cyberspace. Second, the strategy incorporates the concept of “defend forward” to reduce the frequency and severity of attacks in cyberspace that do not rise to a level that would warrant the full spectrum of retaliatory responses, including military responses. Though the concept originated in the Department of Defense, the Commission integrates defend forward into a national strategy for securing cyberspace using all the instruments of power. Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must proactively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict. This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law.
The three layers of cyber deterrence rest on a common foundation: the need to reform how the U.S. government is organized to secure cyberspace and respond to attacks. The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace. We must get faster and smarter, improving the government’s ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries. Reformed government oversight and organization that is properly resourced and staffed, in alignment with a strategy of layered cyber deterrence, will enable the United States to reduce the probability, magnitude, and effects of significant attacks on its networks.
Pillar: Reform the U.S. Government’s Structure and Organization for Cyberspace
While cyberspace has transformed the American economy and society, the government has not kept up. Existing government structures and jurisdictional boundaries fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations. Rapid, comprehensive improvements at all levels of government are necessary to change these dynamics and ensure that the U.S. government can protect the American people, their way of life, and America’s status as a global leader. Major recommendations in this pillar are:
In the first layer, the strategy calls for shaping responsible behavior and encouraging restraint in cyberspace by strengthening norms and non-military instruments. Effective norms will not emerge without American leadership. For this reason, the United States needs to build a coalition of partners and allies to secure its shared interests and values in cyberspace.
Pillar: Strengthen Norms and Non-military Tools
A system of norms, built through international engagement and cooperation, promotes responsible behavior and, over time, dissuades adversaries from using cyber operations to undermine any nation’s interests. The United States and others have agreed to norms of responsible behavior for cyberspace, but they go largely unenforced today. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who violate them. Such punishment requires developing the ability to quickly and accurately attribute cyberattacks. Building a coalition of like-minded allies and partners willing to collectively use these instruments to support a rules-based international order in cyberspace will better hold malign actors accountable. The major recommendations in this pillar are:
In the second layer, the strategy calls for denying benefits to adversaries by promoting national resilience, reshaping the cyber ecosystem, and advancing the government’s relationship with the private sector to establish an enhanced level of common situational awareness and joint collaboration. The United States needs a whole-of-nation approach to secure its interests and institutions in cyberspace.
Pillar: Promote National Resilience
Resilience—the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior—is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. National resilience efforts rely on the ability of the United States, in both the public and private sectors, to accurately identify, assess, and mitigate risk across all elements of critical infrastructure. The nation must be sufficiently prepared to respond to and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart critical functionality after disruption. Major recommendations in this pillar are:
Pillar: Reshape the Cyber Ecosystem toward Greater Security
Raising the baseline level of security across the cyber ecosystem—the people, processes, data, and technology that constitute and depend on cyberspace—will constrain and limit adversaries’ activities. Over time, this will reduce the frequency, scope, and scale of their cyber operations. Because the vast majority of this ecosystem is owned and operated by the private sector, scaling up security means partnering with the private sector and adjusting incentives to produce positive outcomes. In some cases, that requires aligning market forces. In other cases, where those forces either are not present or do not adequately address risk, the U.S. government must explore legislation, regulation, executive action, and public- as well as private-sector investments. Major recommendations in this pillar are:
Pillar: Operationalize Cybersecurity Collaboration with the Private Sector
Unlike in other physical domains, in cyberspace the government is often not the primary actor. Instead, it must support and enable the private sector. The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector. Further, while recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts. Major recommendations in this pillar are:
In the final layer, the strategy outlines how to impose costs to deter future malicious behavior and reduce ongoing adversary activities short of armed conflict through the employment of all instruments of power in the defense of cyberspace, including systemically important critical infrastructure. A key, but not the only, element of cost imposition is the military instrument of power. Therefore, the United States must maintain the capacity, resilience, and readiness to employ cyber and non-cyber capabilities across the spectrum of engagement from competition to crisis and conflict. The United States needs ready and resilient capabilities to thwart and respond to adversary action.
Pillar: Preserve and Employ the Military Instrument of Power—and All Other Options to Deter Cyberattacks at Any Level
Cyberspace is already an arena of strategic competition, where states project power, protect their interests, and punish their adversaries. Future contingencies and conflicts will almost certainly contain a cyber component. In this environment, the United States must defend forward to limit malicious adversary behavior below the level of armed attack, deter conflict, and, if necessary, prevail by employing the full spectrum of its capabilities, using all the instruments of national power. Examples of adversary actions below armed attack include cyber-enabled attacks on the U.S. election systems or cyber-enabled intellectual property theft. To achieve these ends, the U.S. government must demonstrate its ability to impose costs, while establishing a clear declaratory policy that signals to rival states the costs and risks associated with attacking the United States in cyberspace. Furthermore, conventional weapons and nuclear capabilities require cybersecurity and resilience to ensure that the United States preserves credible deterrence and the full range of military response options. The United States must be confident that its military capabilities will work as intended. Finally, across the spectrum of engagement from competition to crisis and conflict, the United States must ensure that it has sufficient cyber forces to accomplish strategic objectives in and through cyberspace. This demands sufficient capacity, capabilities, and streamlined decision-making processes to enable rapid and effective cyber response options to impose costs against adversaries. Major recommendations in this pillar include:
The status quo in cyberspace is unacceptable. The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal. Adversaries are increasing their cyber capabilities while U.S. vulnerabilities continue to grow. There is much that the U.S. government can do to improve its defenses and reduce the risk of a significant attack, but it is clear that government action alone is not enough. Most of the critical infrastructure that drives the American economy, spurs technological innovation, and supports the U.S. military resides in the private sector. If the U.S. government cannot find a way to seamlessly collaborate with the private sector to build a resilient cyber ecosystem, the nation will never be secure. And, eventually, a massive cyberattack could lead to large-scale physical destruction, sparking a response of haphazard government overreach that stifles innovation in the digital economy and further erodes American strength.
To avoid these outcomes, the U.S. government must move to adopt the new strategy detailed in this report—layered cyber deterrence—and the more than 75 recommendations designed to make this approach a reality. The executive branch and Congress should give these recommendations and the associated legislative proposals close consideration. Congress should also consider ways to monitor, assess, and report on the implementation of this report’s recommendations over the next two years.