Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system. Capturing the complexity of this challenge is hard. Even the man credited with inventing the term “cyberspace,” the science fiction author William Gibson, would later criticize it as an “evocative and essentially meaningless” buzzword.1
In studying this issue, it is easy to descend into a morass of classification, acronyms, jargon, and obscure government organization charts. To avoid that, we tried something different: an unclassified report that we hope will be found readable by the very people who are affected by cyber insecurity—everyone. This report is also aimed squarely at action; it has numerous recommendations addressing organizational, policy, and technical issues, and we included an appendix with draft bills that Congress can rapidly act upon to put these ideas into practice and make America more secure.
The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.
To prevent this from happening, our report outlines a new cyber strategy and provides more than 75 recommendations for action across the public and private sectors. Here are some big ideas to get the conversation started.
First, deterrence is possible in cyberspace. Today most cyber actors feel undeterred, if not emboldened, to target our personal data and public infrastructure. In other words, through our inability or unwillingness to identify and punish our cyber adversaries, we are signaling that interfering in American elections or stealing billions in U.S. intellectual property is acceptable. The federal government and the private sector must defend themselves and strike back with speed and agility. This is difficult because the government is not optimized to be quick or agile, but we simply must be faster than our adversaries in order to prevent them from destroying our networks and, by extension, our way of life. Our strategy of layered cyber deterrence is designed with this goal in mind. It combines enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies. It is a simple framework laying out how we evolve into a hard target, a good ally, and a bad enemy.
Second, deterrence relies on a resilient economy. During the Cold War, our best minds were tasked with developing Continuity of Government plans to ensure that the government could survive and the nation recover after a nuclear strike. We need similar planning today to ensure that we can reconstitute in the aftermath of a national-level cyberattack. We also need to ensure that our economy continues to run. We recommend that the government institute a Continuity of the Economy plan to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack. Such a plan is a fundamental pillar of deterrence—a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.
Third, deterrence requires government reform. We need to elevate and empower existing cyber agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA), and create new focal points for coordinating cybersecurity in the executive branch and Congress. To that end, we recommend the creation of a National Cyber Director with oversight from new congressional Cybersecurity Committees, but our goal is not to create more bureaucracy with new and duplicative roles and organizations. Rather, we propose giving existing organizations the tools they need to act with speed and agility to defend our networks and impose costs on our adversaries. The key is CISA, which we have tried to empower as the lead agency for federal cybersecurity and the private sector’s preferred partner. We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins).
Fourth, deterrence will require private-sector entities to step up and strengthen their security posture. Most of our critical infrastructure is owned by the private sector. That is why we make certain recommendations, such as establishing a cloud security certification or modernizing corporate accountability reporting requirements. We do not want to saddle the private sector with onerous and counterproductive regulations, nor do we want to force companies to hand over their data to the federal government. We are not the Chinese Communist Party, and indeed our best path to beating our adversaries is to stay free and innovative. But we need C-suite executives to take cyber seriously since they are on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattackers from breaking out in their networks and the larger array of networks on which the nation relies.
Fifth, election security must become a priority. The American people still do not have the assurance that our election systems are secure from foreign manipulation. If we don’t get election security right, deterrence will fail and future generations will look back with longing and regret on the once powerful American Republic and wonder how we screwed the whole thing up. We believe we need to continue appropriations to fund election infrastructure modernization at the state and local levels. At the same time, states and localities need to pay their fair share to secure elections, and they can draw on useful resources—such as nonprofits that can act with greater speed and agility across all 50 states—to secure elections from the bottom up rather than waiting for top-down direction and funding. We also need to ensure that regardless of the method of casting a vote, paper or electronic, a paper audit trail exists (and yes, we recognize the irony of a cyber commission recommending a paper trail).
We didn’t solve everything in this report. We didn’t even agree on everything. There are areas, such as balancing maximum encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done. The status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility. We all want that to stop. So please do us, and your fellow Americans, a favor. Read this report and then demand that your government and the private sector act with speed and agility to secure our cyber future.