WASHINGTON — A yearlong congressional study of American cyberspace strategy concludes that the United States remains ill-prepared to deter attacks, including from Russia, North Korea and Iran. It calls for an overhaul of how the United States manages its offensive and defensive cyberoperations.
The report, mandated by Congress and led by a bipartisan group of lawmakers, says the military needs far more personnel trained for cyberoperations. It also says Congress needs to dedicate committees to cyberoperations, and the public and private sectors need vastly improved defenses created in layers, along with more aggressive offensive actions inside the networks of other nations.
Those steps would be intended to drastically raise the cost of attacking the United States or its companies.
“The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” the final report of the Cyberspace Solarium Commission concludes. “We must get faster and smarter, improving the government’s ability to organize concurrent, continuous and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries.”
Senator Angus King, the Maine independent who is the co-chairman of the commission, said in an interview, “There is rarely a silver bullet; there is silver buckshot.”
Many of the actions in the 122-page report can be taken by Congress, including transforming the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, into a rapid-response group akin to the how the Federal Emergency Management Agency is supposed to react to natural disasters.
But others would require active support from the White House. President Trump’s staff is famously reluctant to bring cybersecurity issues to his desk for fear that he would again conflate recommendations for improved defenses with discussion of Russia’s efforts to interfere in American elections, which Mr. Trump considers tantamount to questioning the legitimacy of his presidency.
The White House has also been secretive about current policy: The administration refused to share with Congress, or the commission, the presidential order signed in August 2018 that gave new powers to the military’s Cyber Command.
The commission stops short of addressing one of the central conundrums of current cyberoperations. The United States has condemned foreign operations aimed at intruding in American networks to influence elections or penetrate energy grids. But at the same time, the report calls for an acceleration of the American strategy of persistent engagement, in which Cyber Command and the National Security Agency go deep inside Russian, Chinese, Iranian and North Korean networks, among others, to see attacks massing or to take pre-emptive action to deter an adversary’s operations.
In order to reach international agreements on what kinds of actions are permissible, the United States must be willing to say what kinds of offensive techniques it is willing to give up — including turning off power systems, communications networks or influence elections in peacetime, the report states. American intelligence agencies and the military have resisted such discussions. While commission members have said any such international agreement would require a verification system to ensure compliance, the commission report does not directly address that challenge.
“I don’t think we should take any options off the table if we are attacked,” said Representative Jim Langevin, a Rhode Island Democrat on the commission and the chairman of a House subcommittee on intelligence and emerging threats. “We will not in peacetime take down infrastructure.”
The report endorses the current concept of “forward defense” or “persistent engagement” so the United States stays inside foreign networks. But it argues for penalties against those who steal intellectual policy, interfere in elections or manipulate data in the United States.
“Those that would violate those norms should be held accountable, with public shaming and sanctions or indictments, using all tools of national power,” Mr. Langevin said.
Many of the solutions proposed by the commission have a bureaucratic feel, even if they might help lead to a better coordinated strategy. While the White House has had a cybersecurity coordinator, the job was downgraded by John R. Bolton, who was dismissed last year as national security adviser. The position created by the commission would be confirmed by the Senate and report to the president.
The commission was created in part to assess why America’s response to nuclear weapons deployment was so focused and its response to cyberstrategy so disorganized. While nuclear weapons have not been used in war in nearly 75 years, cyberweapons — far less drastic in effect — are used all the time against government and industrial targets and private individuals. In the absence of a single major, catastrophic event, the fear was that Congress was not focused on daily, corrosive cyberbattles.
“This is almost like a 9/11 commission in the absence of a 9/11,” said Representative Mike Gallagher, Republican of Wisconsin, who is the co-chairman of the commission. “We are attempting to galvanize the American public and spur a change in the status quo prior to that huge cyberattack.”
To better deter adversaries, the commission calls for both quicker attribution of who is responsible for cyberattacks — easier to advocate than execute — and a clearer, more public discussion of America’s military cyberoperations aimed at countering such adventurism.
Under the Trump administration, the government has taken some steps to shore up its cybercapabilities and use them more aggressively.
Mr. Trump, from time to time, has favored cyberattacks over traditional, physical strikes. When Iran shot down an American drone over the Persian Gulf last year, Mr. Trump called off airstrikes but allowed a cyberattack that hurt Tehran’s ability to covertly strike oil tankers in the Persian Gulf. There were attacks on Russia’s Internet Research Agency before the 2018 congressional elections.
The Pentagon is already beginning work on one key proposal of the commission: an expansion of the nation’s cyberranks. Cyber Command was formed with 6,200 personnel but has since expanded its missions to encompass far more operations aimed at potential adversaries, Mr. Gallagher said.
“Three years from now, we could be looking at that as a recommendation that results in an expansion of the cybermission force,” he said.
General Paul M. Nakasone, the head of Cyber Command, testified last week that the Pentagon had already ordered a study to potentially increase the number of personnel.
The cyberspace commission was modeled on work done in the Eisenhower administration, the original Project Solarium, which ultimately shored up the containment policy of the Cold War and focused the military on building a broad deterrence policy around nuclear weapons.
Cyberoperations are of growing importance, but they are not yet as central to American national security strategy as nuclear weapons were in the 1950s. Still, just as early Cold War strategists needed to build up the nuance of deterrence around nuclear weapons, national security experts today are wrestling with how to deter adversaries in cyberspace.
To build up deterrence, a key recommendation of the commission is that the United States speak more clearly about its cyberoperations, which are shrouded in mystery and rarely publicly discussed.
“Saying we will respond at a time and place of our choosing is not sufficient,” Mr. King said. “That is too mushy. There has to be a communication that there will be a response in a timely manner.”