Recipe for Success: Guidance Based on the Experience of the Cyberspace Solarium Commission

Introduction

When facing a complicated challenge, individuals may do research and seek expert advice. When the U.S. government faces that kind of challenge, it often stands up a commission — a body tasked with producing a report, recommendations, and an action plan to spur strategic thinking based on in-depth analysis.

Since 1983, the U.S. government has established more than 200 commissions.¹ Some have initiated major reorganizations of government institutions and catalyzed progress on critical initiatives, especially in the national security realm. However, turning recommendations into law or policy is challenging, in part because there is no requirement for Congress or the executive branch to follow through. Commissions rely on persuasion.

The political climate, partisan dynamics of the issue at hand, and an issue’s connection to national crises all play a role in determining the level of policy implementation a commission achieves. Based on his analysis of 51 commissions related to national security, foreign policy scholar Jordan Tama concluded that the most successful commissions were created by the executive branch in response to a crisis. Their narrow scope and the climate of urgency after a crisis provide a unique opportunity to make change.² Such commissions, on average, see about half of their recommendations implemented, while commissions that lack a precipitating crisis generally see around 31 percent of their recommendations fully adopted.³

Despite being congressionally established, lacking a specific precipitating crisis, and having a broad scope, the Cyberspace Solarium Commission (CSC) achieved high levels of implementation. Within two years of the CSC report’s March 2020 publication, Congress and the executive branch implemented or partially implemented 58 percent of CSC’s initial 82 recommendations.⁴ Created by the fiscal year 2019 National Defense Authorization Act (NDAA),⁵ CSC produced a report that “has reshaped U.S. cybersecurity strategy and policymaking,” according to one industry publication.⁶ CSC benefited from the absence of entrenched partisan or ideological positions on cybersecurity, leaving an essentially blank slate for developing a new framework for an increasingly important realm of national security.

Leveraging extant analysis of other commissions and interviews with CSC commissioners and staff, this report examines the factors that CSC staff saw as instrumental to their success and outlines five key stages of the commission lifecycle. CSC was successful in part because of the nonpartisanship mentioned above, as well as strong efforts to ensure open debate, wide-ranging stakeholder engagement across the private sector and executive branch, the drafting of legislative language tied to actionable recommendations, the prioritization of public rollout, and dedicated advocacy before lawmakers for implementation of the report’s recommendations. This report’s  conclusions aim to provide guidance for future commissions.

 Lifecycle of a Commission: Applying Lessons From CSC

Stage 1: Conception

A congressional commission is born from a statute outlining its goals and membership. The statute also identifies research objectives and sets deliverables — most often a final report specifying the commission’s activities, findings, and recommendations. A successful commission needs a clear mandate — and the resources to execute the mandate — as well as bipartisan and bicameral leadership. While exact procedures differ across commissions, in many cases the next step is the appointment of congressional members — generally, at least one from each party and each chamber — and the selection of leadership as defined in the statute. In the case of CSC, leadership included two co-chairs. The co-chairs hire the executive director, who then hires the staff and oversees their efforts in day-to-day operations, research, and writing of the final report.

The John S. McCain National Defense Authorization Act for Fiscal Year 2019 mandated the establishment of the CSC. As is often the case, the statute required the commission to have congressional leadership and tasked lawmakers with appointing outside subject matter experts as commissioners. Uniquely, it also required federal agencies to appoint representatives to serve on the commission.⁷

From its conception, CSC had the benefit of dealing with an inherently nonpartisan issue without strongly established thought camps. This allowed the commission to focus on the issue itself — one team lead acknowledged the fact that “people came in without clearly preconceived notions of what the answer should be.”⁸ This created an “unusual blank page” on which CSC could more easily craft a new approach.

The diversity of CSC commissioners — four congressional members, four executive branch commissioners, and six representatives from the private sector — supported CSC’s success by ensuring engagement across the necessary stakeholders.

Co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI), as well as commissioners Rep. Jim Langevin (D-RI) and Sen. Ben Sasse (R-NE), contributed to the nonpartisan environment and demonstrated a commitment rooted in their concerns about cyber, deterrence, and adversarial aggression. CSC Executive Director RADM (Ret.) Mark Montgomery highlighted that the members “were known as moderates in their parties” and, despite the variety in their focuses, “came with a passion for the product that was going to come out.”⁹

The nongovernmental commissioners came from high-level industry, research, technology, and policy backgrounds. Their breadth of experience and connections to stakeholders were instrumental in building an informed set of realistic recommendations, especially given the applications of cyber across sectors and the importance of gathering input from private companies facing the brunt of criminal and nation-state cyberattacks.

The unique inclusion of executive branch commissioners allowed CSC to incorporate federal agency expertise and perspectives throughout report development, which accelerated implementation later on. One advisor acknowledged that executive branch members “knew if they didn’t engage, then Congress might make laws that they didn’t like,”¹⁰ incentivizing both sides to meaningfully contribute to the conversation and reach informed consensus.

Commissioner Suzanne Spaulding spoke to the “tone set at the top by [our] bipartisan and bicameral leadership,”¹¹ staff emphasized the “lack of pomp and politics,” and Rep. John Katko (R-NY), who worked with the commission’s members to advance legislation, recognized the leadership’s deep “understanding [of] the issues and understanding [of] the threat.”¹²

Stage 2: Setup

 In the setup stage, the commissioners build the team and form a plan for executing the mission. The executive director and chief of staff are critical hires, as they take the lead in staff hiring and direct the day-to-day operations of the commission.

Executive Director Mark Montgomery spoke to the importance of getting the team structure right by organizing the staff into lines of effort and setting a clear path forward by “defining the mission properly so everyone understands.”¹³ He also highlighted the importance of having a chief of staff who comes from the government to jump-start the hiring and address the logistical needs of establishing offices, a network domain, and other resources necessary for smooth operations. Expediting this process gives the commission more time to focus on the work — Montgomery explained that “it sounds mundane, but a shocking number of commissions spend 12-18 months executing what should be the first two months.”

Montgomery, CSC Chief of Staff Deb Grays, and other senior directors highlighted the importance of forming a team with diverse expertise, including people with experience in cyber, policy, tech, industry, and interagency collaboration. Many of the staff members were detailed from federal agencies or were leading cyber-policy experts. CSC also brought on technical experts to build a “combination of detailed and hired contract staff”¹⁴ that encompassed the broad range of stakeholders in cyber policy and defense.

Stage 3: Working Phase

 As the commission’s work begins, the investment of time and energy by commissioners, robust stakeholder engagement, and legislative drafting are key to producing a successful final report. Deliberately creating a space for debate and disagreement while balancing the goals of the commission and emphasizing actionability in recommendations can support a stronger outcome.

Co-chairs should set an expectation that commissioners are heavily engaged in the work. An advisor highlighted that “King and Gallagher were at every meeting … they had to put their energy into it because if it had just been Mark and kind of pro forma co-chairs who didn’t really show up or participate, it wouldn’t have worked.”¹⁵ Other commissioners also prioritized the weekly meetings, even flying from out of state each week, which is not always the culture of commissions. CSC meetings did not just entail progress updates but also allowed for productive debates.

Commissioner Suzanne Spaulding highlighted the benefit of having executive branch commissioners and staff detailed from federal agencies, saying:

Usually what you do is you work in secret and then reveal your report. It is, for the first time, given to the executive branch … they take months to review the recommendations and come back with their thoughts on how it might be implemented, at which point usually the administration is over and that’s the end of it.¹⁶

Future commissions should engage with executive branch officials throughout their work — allowing the commission to gain their perspective and expertise and ensuring appreciation of the relevant authorities while also building a support base to expedite implementation of the commission’s recommendations.

Engaging with non-governmental stakeholders was also pivotal to preparing a comprehensive report. Staff participated in more than 160 meetings and briefings with industry leaders, conducted more than 300 interviews, and attended conferences to hear a range of industry perspectives.¹⁷ Many of these engagements came through connections made by the nongovernmental commissioners representing the private sector and resulted in ideas incorporated into the final report. Montgomery estimated that 30 percent of CSC’s recommendations resulted from these engagements.¹⁸ These efforts not only contributed to the substance of the report but also built relationships for future implementation.

CSC’s culture of open debate enabled it to derive maximum benefit from these research and engagement efforts. Throughout the process of developing the report, commissioners and task force directors emphasized the importance of disagreement while working toward a unanimous report. Co-chair Gallagher highlighted that they “tried not to suppress disagreement … but to surface it and if nothing else, provoke a more thoughtful debate among our colleagues.”¹⁹ One task force lead spoke to how this approach informed the drafting of recommendations, saying, “We were happy to be so specific that people could disagree with us … they needed to be specific enough to where you could potentially disagree with them.”²⁰

Commissioner Dr. Samantha Ravich pointed out that while the commission did not shy away from addressing difficult or controversial issues, it did seek consensus where possible. Most importantly, where there was no consensus, the commissioners thoughtfully assessed whether the inclusion of a divisive issue was worth the potential cost of having a report with minority viewpoints that could be exploited by outside critics.

To build the report recommendations with this informed and involved debate in mind, the commission organized itself into three task forces and a fourth directorate, each composed of staff experienced in military operations, homeland security, or non-military tools of shaping behavior in cyberspace. The fourth directorate functioned as a catch-all for issues that did not fit cleanly into one of the other categories, including work on issues related to election security, quantum, and other adjacent issues.

Each task force brought its work together in an interactive table-top event modeled on the 1953 Solarium exercise initiated by President Dwight Eisenhower. In that 1953 exercise, different groups presented contrasting perspectives on the best path forward for countering the Soviet Union. This process culminated in the production of the presidential directive known as NSC 162/2, which outlined Eisenhower’s approach to nuclear-backed deterrence.²¹ CSC took inspiration from this event as a forum for generating productive debate and creative thinking.

In the CSC event, staff workshopped their proposed strategies by applying them in various hypothetical cyber scenarios, and commissioners and other experts assessed the effectiveness of the different approaches. This structure allowed open discussion and iteration. The process also identified gaps between the different task forces and where greater collaboration and organization were needed. Based on the event, the commission defined its “whole-of-government approach” as layered cyber deterrence.

Leveraging the findings from engagements, research, and lively debate, the commission then focused on refining its recommendations into a report offering specific and actionable steps. CSC leadership worked to create a report that stakeholders across fields could understand and use. Gallagher highlighted the commission’s desire to produce a final report that would “speak in plain language, not only to each other and to the executive branch, but to the American people.”²² CSC consciously wrote a relatively short report with minimal acronyms and a narrative hook to engage readers with varying backgrounds and levels of expertise while communicating the critical nature of the commission’s work.

Finally, with a view toward maximizing the impact of its work, CSC embraced “a bias toward action” throughout the report development process. One director stated, “The key thing that differentiates Solarium from other commissions in my mind is that every single thing that we considered, we considered legislation first … every recommendation was created with political compromise in mind.”²³ Of the 82 recommendations in the March 2020 report, the commission converted 54 into more than 250 pages of drafted legislative proposals that could be handed directly to lawmakers.²⁴ This effort to draft legislative language for each recommendation was one of the key drivers of CSC’s success during Stage 4.

Stage 4: Rollout and Legislation Push

 As work on the initial report wraps up and is presented to Congress, the commission shifts to a rollout stage. During this phase, both public events and engagement with lawmakers are necessary for turning the report’s recommendations into meaningful change.

In his study of national security commissions, Tama points out that “successful commissions do more than just carry out their mandate … they also act as policy entrepreneurs, using all of their persuasive power to press policy makers to adopt their proposals.”²⁵ Outside support and pressure toward implementation cannot be understated as a driver for policy change and can be a defining factor in the long-term success of a commission.

CSC hosted an initial launch event introducing the report and its recommendations to the broader policy community and national media, and then commissioners hosted or participated in more than 80 speaking events to highlight different aspects of the report. These events used salient topics like Super Tuesday, election security, supply-chain competition, international impact, military growth, and public-private collaboration to draw CSC recommendations into the public discourse. These events brought together some of the same stakeholders the commission had worked with during Stage 3 while also garnering broader public attention. CSC staff also committed to a public affairs plan that included authoring dozens of op-eds and policy papers, helping generate interest and engagement across the policy community.

This work was accompanied by extensive efforts on Capitol Hill to turn CSC’s recommendations into law. Senior directors emphasized the importance of having “champions on the Hill”²⁶ and that “having sitting subcommittee chairmen was really the thing that was the big difference.”²⁷ Langevin’s subcommittee chairmanship on the House Armed Services Committee (HASC) and King’s seat on the Senate Armed Services Committee (SASC) were both instrumental in making sure CSC priorities were on the legislative agenda. Montgomery, who had formerly served as the policy director for SASC, noted the benefits of having access to the NDAA — a guaranteed annual and bipartisan bill — as a vehicle for legislation.²⁸ Langevin’s chief of staff, Nick Leiserson, described “a letter to appropriators” that congressional commissioners “signed as part of their member requests”²⁹ as a key part of their efforts to push CSC recommendations.

CSC’s legislative push also benefited from outside factors — namely, disruptions to lobbying efforts due to government shutdowns during the COVID-19 pandemic. Montgomery mentioned the fortuitous timing: “Our recommendations suddenly became some of the most accessible … people who were looking to fill their NDAA trough had our stuff.”³⁰ The pre-drafted legislation produced by CSC staff enabled this work to advance quickly, evidenced by the implementation of 22 CSC provisions in the 2021 NDAA, only nine months after the commission published its report.³¹

Stage 5: Wrap-up

 The wrap-up stage of the commission requires recognition of the unique issues and current events relevant to the commission’s work to ensure continuation of its mission. Addressing these areas through additional written products and establishing a tracking mechanism for the report’s recommendations can foster continuous conversation and policy action on the issue.

While the nature of this stage differs depending on a commission’s domain and the political context, taking steps to ensure the longevity of the report and understanding the ever-changing nature of policy work is critical. The publication of the CSC report in 2020 fell in a year of presidential transition. Historically, the change of administrations can stall the implementation of recommendations due to the introduction of new policy priorities.³² To avoid this, CSC produced a white paper formatted as a transition book for the incoming administration, highlighting the importance of the work, the progress to date, and next steps.³³ This prepared the new administration to hit the ground running.

After the publication of its report, CSC published multiple follow-up white papers³⁴ highlighting topics absent from the primary report, broadening the commission’s impact, and identifying additional recommendations to address timely issues such as lessons from the pandemic, federal workforce growth, supply chain stabilization, and countering foreign malign influence. Each of these white papers provided an additional opportunity to identify concrete actions and pair those ideas with legislative language.

Establishing a tracking mechanism is critical to ensuring that Congress acts on a commission’s recommendations. CSC produced an assessment one year after the report’s release detailing the progress on each recommendation. This first assessment and subsequent annual assessments conducted by CSC 2.0 — an initiative housed at the Foundation for Defense of Democracies to continue the mission of CSC — provide clear-eyed analysis of the commission’s impact, categorizing all recommendations from the CSC report and white papers as implemented; nearing implementation or partially implemented; on track toward implementation; progress limited or delayed; or facing significant barriers to implementation. These assessments create a sense of accountability after the end of a commission’s mandate and provide metrics to measure long-term success. The 9/11 Commission benefited from a similar effort through an effort called the Public Discourse Project, which published “report cards” highlighting progress or lack thereof on the recommendations, ultimately playing a key role in keeping the issues and recommendations in the public conversation.³⁵ Having a nongovernmental institution adopt the mission of a commission is one way to ensure that the work does not end with the report’s publication.

Conclusion

 CSC’s leadership was determined to ensure their report had impact and did not just “sit on a shelf somewhere.”³⁶ Their specific objective was to preempt a U.S. cyberspace security crisis. Recognizing that the commission’s recommendations were not binding, the commissioners focused on clarity and actionability to increase the chance of recommendations being adopted by Congress or federal agencies.

This approach paid off. Less than a year after the publication of the commission’s report in March 2020,³⁷ Congress and the executive branch had implemented 22 percent of its recommendations. Another 13 percent were nearing implementation, and 44 percent were on track to be implemented.³⁸ Five years later, three-quarters of CSC recommendations have been implemented, a testament to the urgency of the issue and persistent efforts to continue the work.

Certain factors beyond CSC’s control enhanced the impact of its work. These included the nonpartisan nature of the issue at hand, agreement on the need for action, lack of established thought camps, and sufficient time on the legislative calendar as a result of the pandemic. Building on this base, the choice of diverse commissioners and staff, chairs from relevant committees, executive branch and stakeholder involvement, and legislation writing and advocacy efforts supported a successful effort. While all commissions face unique challenges and are responsible for unique mission sets, future commissions can increase their impact by adopting similar priorities to CSC.

Appendix: Select List of Subject Matter Experts Interviewed

Appearing on this list does not imply that an expert or any organization with which they are affiliated endorses the findings or recommendations in this paper. The author would like to thank all subject matter experts who generously shared their perspectives and insights.

Val Cofield, CSC Senior Director and Task Force Three Lead
John Costello, CSC Deputy Director
Deborah Grays, CSC Chief of Staff
Harry Krejsa, CSC Director and Deputy Team Lead
Nick Leiserson, Chief of Staff for CSC Commissioner Rep. Jim Langevin (D-RI)
Dr. Erica Lonergan, Senior Director and Task Force One Lead
RADM (Ret.) Mark Montgomery, CSC Executive Director
Charles Morrison, Legislative Director for CSC Co-Chair Rep. Mike Gallagher (R-WI)
Cory Simpson, CSC Senior Director and Fourth Directorate Lead
Steve Smith, Senior Policy Advisor for CSC Co-Chair Sen. Angus King (I-ME)