March 11, 2020

Cyberspace Solarium Commission Report

Executive Summary

AN URGENT CALL TO ACTION

For over 20 years, nation-states and non-state actors have used cyberspace to subvert American power, American security, and the American way of life. Despite numerous criminal indictments, economic sanctions, and the development of robust cyber and non-cyber military capabilities, the attacks against the United States have continued. The perpetrators saw that their onslaught damaged the United States without triggering a significant retaliation. Chinese cyber operators stole hundreds of billions of dollars in intellectual property to accelerate China’s military and economic rise and undermine U.S. military dominance.3 Russian operators and their proxies damaged public trust in the integrity of American elections and democratic institutions.4 China, Russia, Iran, and North Korea all probed U.S. critical infrastructure with impunity. Criminals leveraged globally connected networks to steal assets from individuals, companies, and governments. Extremist groups used these networks to raise funds and recruit followers, increasing transnational threats and insecurity. American restraint was met with unchecked predation.5

The digital connectivity that has brought economic growth, technological dominance, and an improved quality of life to nearly every American has also created a strategic dilemma. The more digital connections people make and data they exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure, and damage our economic and democratic institutions. The United States now operates in a cyber landscape that requires a level of data security, resilience, and trustworthiness that neither the U.S. government nor the private sector alone is currently equipped to provide. Moreover, shortfalls in agility, technical expertise, and unity of effort, both within the U.S. government and between the public and private sectors, are growing.

The 2019 National Defense Authorization Act chartered the U.S. Cyberspace Solarium Commission to address this challenge. The President and Congress tasked the Commission to answer two fundamental questions: What strategic approach will defend the United States against cyberattacks of significant consequences? And what policies and legislation are required to implement that strategy?

THE STRATEGY

After conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence. The desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence. The strategy outlines three ways to achieve this end state:

  1. Shape behavior: The United States must work with allies and partners to promote responsible behavior in cyberspace.
  2. Deny benefits: The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.
  3. Impose costs: The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.

Each of the three ways described above involves a deterrent layer that increases American public- and private-sector security by altering how adversaries perceive the costs and benefits of using cyberspace to attack American interests. These three deterrent layers are supported by six policy pillars that organize more than 75 recommendations. These pillars represent the means to implement layered cyber deterrence.

While deterrence is an enduring American strategy, there are two factors that make layered cyber deterrence bold and distinct. First, the approach prioritizes deterrence by denial, specifically by increasing the defense and security of cyberspace through resilience and public- and private-sector collaboration. Reducing the vulnerabilities adversaries can target denies them opportunities to attack American interests through cyberspace. Second, the strategy incorporates the concept of “defend forward” to reduce the frequency and severity of attacks in cyberspace that do not rise to a level that would warrant the full spectrum of retaliatory responses, including military responses. Though the concept originated in the Department of Defense, the Commission integrates defend forward into a national strategy for securing cyberspace using all the instruments of power. Defend forward posits that to disrupt and defeat ongoing adversary campaigns, the United States must pro-actively observe, pursue, and counter adversaries’ operations and impose costs short of armed conflict. This posture signals to adversaries that the U.S. government will respond to cyberattacks, even those below the level of armed conflict that do not cause physical destruction or death, with all the tools at its disposal and consistent with international law.

THE IMPLEMENTATION

Foundation: Government Reform

The three layers of cyber deterrence rest on a common foundation: the need to reform how the U.S. government is organized to secure cyberspace and respond to attacks. The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace. We must get faster and smarter, improving the government’s ability to organize concurrent, continuous, and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries. Reformed government oversight and organization that is properly resourced and staffed, in alignment with a strategy of layered cyber deterrence, will enable the United States to reduce the probability, magnitude, and effects of significant attacks on its networks.

Pillar: Reform the U.S. Government’s Structure and Organization for Cyberspace

While cyberspace has transformed the American economy and society, the government has not kept up. Existing government structures and jurisdictional boundaries fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations. Rapid, comprehensive improvements at all levels of government are necessary to change these dynamics and ensure that the U.S. government can protect the American people, their way of life, and America’s status as a global leader. Major recommendations in this pillar are:

  • The executive branch should issue an updated National Cyber Strategy (1.1) that reflects the strategic approach of layered cyber deterrence and emphasizes resilience, public-private collaboration, and defend forward as key elements.
  • Congress should establish House Permanent Select and Senate Select Committees on Cybersecurity (1.2) to provide integrated oversight of the cybersecurity efforts dispersed across the federal government.
  • Congress should establish a Senate-confirmed National Cyber Director (NCD) (1.3), supported by an Office of the NCD, within the Executive Office of the President. The NCD will be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.
  • Congress should strengthen the Cybersecurity and Infrastructure Security Agency (CISA) (1.4) in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts. Congress must invest significant resources in CISA and provide it with clear authorities to realize its full potential.
  • Congress and the executive branch should pass legislation and implement policies designed to better recruit, develop, and retain cyber talent (1.5) while acting to deepen the pool of candidates for cyber work in the federal government.

Layer 1: Shape Behavior

In the first layer, the strategy calls for shaping responsible behavior and encouraging restraint in cyberspace by strengthening norms and non-military instruments. Effective norms will not emerge without American leadership. For this reason, the United States needs to build a coalition of partners and allies to secure its shared interests and values in cyberspace.

Pillar: Strengthen Norms and Non-military Tools

A system of norms, built through international engagement and cooperation, promotes responsible behavior and, over time, dissuades adversaries from using cyber operations to undermine any nation’s interests. The United States and others have agreed to norms of responsible behavior for cyberspace, but they go largely unenforced today. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who violate them. Such punishment requires developing the ability to quickly and accurately attribute cyberattacks. Building a coalition of like-minded allies and partners willing to collectively use these instruments to support a rules-based international order in cyberspace will better hold malign actors accountable. The major recommendations in this pillar are:

  • Congress should create an Assistant Secretary of State (2.1) in the Department of State, with a new Bureau of Cyberspace Security and Emerging Technologies, who will lead the U.S. government effort to develop and reinforce international norms in cyberspace. This will help promote international norms that support and reflect U.S. interests and values while creating benefits for responsible state behavior through engagement with allies and partners.
  • The executive branch should engage actively and effectively in forums setting international information and communications technology standards (2.1.2). Specifically, the National Institute of Standards and Technology should facilitate robust and integrated participation by the federal government, academia, professional societies, and industry.
  • Congress should take steps to improve international tools for law enforcement activities in cyberspace (2.1.4), including streamlining the Mutual Legal Assistance Treaty and Mutual Legal Assistance Agreement process and increasing the number of FBI Cyber Assistant Legal Attachés.

Layer 2: Deny Benefits

In the second layer, the strategy calls for denying benefits to adversaries by promoting national resilience, reshaping the cyber ecosystem, and advancing the government’s relationship with the private sector to establish an enhanced level of common situational awareness and joint collaboration. The United States needs a whole-of-nation approach to secure its interests and institutions in cyberspace.

Pillar: Promote National Resilience

Resilience—the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior—is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. National resilience efforts rely on the ability of the United States, in both the public and private sectors, to accurately identify, assess, and mitigate risk across all elements of critical infrastructure. The nation must be sufficiently prepared to respond to and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart critical functionality after disruption. Major recommendations in this pillar are:

  • Congress should codify responsibilities and ensure sufficient resources (3.1) for the Cybersecurity and Infrastructure Security Agency and sector-specific agencies in the identification, assessment, and management of national and sector-specific risk.
  • Congress should direct the U.S. government to develop and maintain Continuity of the Economy planning (3.2) in consultation with the private sector to ensure continuous operation of critical functions of the economy in the event of a significant cyber disruption.
  • Congress should codify a Cyber State of Distress tied to a Cyber Response and Recovery Fund (3.3) to ensure sufficient resources and capacity to respond rapidly to significant cyber incidents.
  • Congress should improve the structure and sustain the funding of the Election Assistance Commission (3.4), enabling it to increase its operational capacity to support states and localities in defense of the digital election infrastructure that underpins federal elections and to ensure the widest use of voter-verifiable, auditable, and paper-based voting systems.
  • The U.S. government should promote digital literacy, civics education, and public awareness (3.5) to build societal resilience to foreign, malign cyber-enabled information operations.

Pillar: Reshape the Cyber Ecosystem toward Greater Security

Raising the baseline level of security across the cyber ecosystem—the people, processes, data, and technology that constitute and depend on cyberspace—will constrain and limit adversaries’ activities. Over time, this will reduce the frequency, scope, and scale of their cyber operations. Because the vast majority of this ecosystem is owned and operated by the private sector, scaling up security means partnering with the private sector and adjusting incentives to produce positive outcomes. In some cases, that requires aligning market forces. In other cases, where those forces either are not present or do not adequately address risk, the U.S. government must explore legislation, regulation, executive action, and public- as well as private-sector investments. Major recommendations in this pillar are:

  • Congress should establish and fund a National Cybersecurity Certification and Labeling Authority (4.1) empowered to establish and manage a program on security certifications and labeling of information and communications technology products.
  • Congress should pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities (4.2) for as long as they support a product or service.
  • Congress should establish a Bureau of Cyber Statistics (4.3) charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policymaking and government programs.
  • Congress should resource and direct the Department of Homeland Security to fund a federally funded research and development center (4.4) to work with state-level regulators to develop certifications for cybersecurity insurance products.
  • The National Cybersecurity Certification and Labeling Authority should develop a cloud security certification (4.5), in consultation with the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security.
  • Congress should direct the U.S. government to develop and implement an industrial base strategy for information and communications technology to ensure trusted supply chains (4.6) and the availability of critical information and communications technologies.
  • Congress should pass a national data security and privacy protection law (4.7) establishing and standardizing requirements for the collection, retention, and sharing of user data.

Pillar: Operationalize Cybersecurity Collaboration with the Private Sector

Unlike in other physical domains, in cyberspace the government is often not the primary actor. Instead, it must support and enable the private sector. The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector. Further, while recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts. Major recommendations in this pillar are:

  • Congress should codify the concept of “systemically important critical infrastructure” (5.1), whereby entities responsible for systems and assets that underpin national critical functions are ensured the full support of the U.S. government and shoulder additional security requirements befitting their unique status and importance.
  • Congress should establish and fund a Joint Collaborative Environment (5.2), a common and interoperable environment for sharing and fusing threat information, insights, and other relevant data across the federal government and between the public and private sectors.
  • Congress should direct the executive branch to strengthen a public-private, integrated cyber center in CISA (5.3) to support its critical infrastructure security and resilience mission and to conduct a one-year, comprehensive systems analysis review of federal cyber and cybersecurity centers.
  • The executive branch should establish a Joint Cyber Planning Cell (5.4) under CISA to coordinate cybersecurity planning and readiness across the federal government and between the public and private sectors.

Layer 3: Impose Costs

In the final layer, the strategy outlines how to impose costs to deter future malicious behavior and reduce ongoing adversary activities short of armed conflict through the employment of all instruments of power in the defense of cyberspace, including systemically important critical infrastructure. A key, but not the only, element of cost imposition is the military instrument of power. Therefore, the United States must maintain the capacity, resilience, and readiness to employ cyber and non-cyber capabilities across the spectrum of engagement from competition to crisis and conflict. The United States needs ready and resilient capabilities to thwart and respond to adversary action.

Pillar: Preserve and Employ the Military Instrument of Power—and All Other Options to Deter Cyberattacks at Any Level

Cyberspace is already an arena of strategic competition, where states project power, protect their interests, and punish their adversaries. Future contingencies and conflicts will almost certainly contain a cyber component. In this environment, the United States must defend forward to limit malicious adversary behavior below the level of armed attack, deter conflict, and, if necessary, prevail by employing the full spectrum of its capabilities, using all the instruments of national power. Examples of adversary actions below armed attack include cyber-enabled attacks on the U.S. election systems or cyber-enabled intellectual property theft. To achieve these ends, the U.S. government must demonstrate its ability to impose costs, while establishing a clear declaratory policy that signals to rival states the costs and risks associated with attacking the United States in cyberspace. Furthermore, conventional weapons and nuclear capabilities require cybersecurity and resilience to ensure that the United States preserves credible deterrence and the full range of military response options. The United States must be confident that its military capabilities will work as intended. Finally, across the spectrum of engagement from competition to crisis and conflict, the United States must ensure that it has sufficient cyber forces to accomplish strategic objectives in and through cyberspace. This demands sufficient capacity, capabilities, and streamlined decision-making processes to enable rapid and effective cyber response options to impose costs against adversaries. Major recommendations in this pillar include:

  • Congress should direct the Department of Defense to conduct a force structure assessment of the Cyber Mission Force (6.1) to ensure that the United States has the appropriate force structure and capabilities in light of growing mission requirements and increasing expectations, in both scope and scale. This should include an assessment of the resource implications for the National Security Agency in its combat support agency role.
  • Congress should direct the Department of Defense to conduct a cybersecurity vulnerability assessment of all segments of the nuclear control systems and continually assess weapon systems’ cyber vulnerabilities (6.2).
  • Congress should require Defense Industrial Base (DIB) participation in threat intelligence sharing programs (6.2.1) and threat hunting on DIB networks (6.2.2).

THE WAY FORWARD

The status quo in cyberspace is unacceptable. The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal. Adversaries are increasing their cyber capabilities while U.S. vulnerabilities continue to grow. There is much that the U.S. government can do to improve its defenses and reduce the risk of a significant attack, but it is clear that government action alone is not enough. Most of the critical infrastructure that drives the American economy, spurs technological innovation, and supports the U.S. military resides in the private sector. If the U.S. government cannot find a way to seamlessly collaborate with the private sector to build a resilient cyber ecosystem, the nation will never be secure. And, eventually, a massive cyberattack could lead to large-scale physical destruction, sparking a response of haphazard government overreach that stifles innovation in the digital economy and further erodes American strength.

To avoid these outcomes, the U.S. government must move to adopt the new strategy detailed in this report—layered cyber deterrence—and the more than 75 recommendations designed to make this approach a reality. The executive branch and Congress should give these recommendations and the associated legislative proposals close consideration. Congress should also consider ways to monitor, assess, and report on the implementation of this report’s recommendations over the next two years.

If you are trying to access the full report from a government server, please use this link: https://www.solarium.gov/report.