https://crsreports.congress.gov
March 20, 2020
The Cyberspace Solarium Commission: Illuminating Options
for Layered Deterrence
In August 2018, Congress authorized the Cyberspace
Solarium Commission (Commission), a blue-ribbon panel
tasked with examining and developing a strategic approach
to defending the United States in cyberspace and protecting
its advantages there. The Commission released its report on
March 11, 2020. This In Focus provides an overview of the
Commission and its report’s findings and
recommendations.
The Cyberspace Solarium Commission
Over the course of nearly a year and a half, the Commission
investigated approaches to defend the nation from
significant cyber attacks and ways to implement those
approaches. Its authorizing legislation highlighted three
policy options: deterrence, norms-based regimes, and
persistent engagement with adversaries in cyberspace. The
Commission was not bound to those options, and indeed
expanded its research. For its work, the Commission
defined priorities, conducted cost-benefit analyses,
evaluated the effectiveness of the current national policy for
cyberspace, and considered restructuring the federal
government to manage cyber risks.
The Commission was composed of 14 commissioners—
four current Members of Congress (one each from the
majority and minority party in each chamber); four
executive branch officers; and six non-legislative, non-
executive branch members as picked by congressional
leadership.
The Director of National Intelligence and the Secretary of
Defense were required to provide administrative services,
staff, and other support to the Commission without
reimbursement. Such support included detailees from the
agencies to staff the work of the Commission. Staff also
included professionals from think tanks and academia. The
Commission had an authorization to expend $4 million. In
addition to the 14 commissioners, there were full-time staff
members and part-time staff experts contributing to the
work. The Commission held over 300 meetings, which
included sessions with industry experts, academics,
government officials, and international organizations.
The Commission borrowed its name from the Solarium
Task Force—an initiative from the Eisenhower
Administration which investigated strategies to combat
threats from the Soviet Union. Similar to the Solarium Task
Force, the Commission tasked teams to investigate different
strategies and report their findings. Those strategies were
then tested against opposing thoughts to advance their
analysis and inform the final report.
Commission Findings and Report
The Commission found that the nation faces threats in
cyberspace from nation-state actors (e.g., Russia, China,
North Korea, and Iran), extremist groups, and criminals.
Using cyberspace as a medium, these groups are able to
exploit inherent vulnerabilities in devices, networks, and
supply chains to conduct espionage, sabotage, and influence
operations, according to the commission report. They also
commit cybercrime (e.g., ransomware attacks) for illicit
financial gain, steal intellectual property, and compromise
critical infrastructure. These attacks contribute to a loss in
U.S. political, military, and technological leadership, and
economic advantages; and the safety of systems upon which
the nation relies, the report noted.
The Commission also observed that cyberspace is a unique
domain because it is relatively new, mostly owned and
operated by private industry, and operates primarily by
market forces—as opposed to the physical domains (i.e.,
land, sea, air, and space) which are more directly controlled
by government.
The Commission proposed a new national strategic
approach to cybersecurity: layered cyber deterrence.
Through this approach the Commission seeks to reduce the
frequency and severity of significant cyber events and limit
the ability of adversaries. Layered cyber deterrence consists
of four parts:
Foundation—Reform the U.S. government’s organization
and responsibilities.
Shape Behavior—Build a collation of partners who share
our values and use our powers to influence others.
Deny Benefits—Improve national security, particularly for
elections and critical infrastructure, so that adversaries are
not able to use cyberspace to their advantage. Also, develop
ways to ensure economic resiliency in light of cyber events.
Impose Costs—Improve cyber offensive and defensive
capabilities and capacity.
The Commission’s report provides recommendations for
action by the Congress and the executive branch.
Selected Actions for Congress
The Commission’s report groups recommendations under
strategic objectives, that are organized under six policy
pillars. The report contains more than 80 recommendations,
of which nearly 50 would potentially need legislation.
(Appendix A of the report provides an overview of all the
