Summer is supposed to be a quiet time in Washington, DC. But this year the Cyber Solarium Commission, a bipartisan national commission established to create a comprehensive U.S. cyber policy, is hard at work trying to “provide strategic guidance and policy recommendations on how to defend ourselves against cyber threats.”
The Solarium is the latest effort in a long list of similar commissions intended to come up with a new approach to solving our cyber insecurity. I know and respect many of the commissioners and staff members working hard on the effort, but in our new book, The Fifth Domain (released today), Richard Clarke and I argue that the question of strategy in cyberspace was settled long ago.
Since my co-author penned PDD-63 in 1998, the cornerstone of our national strategy has been a public-private partnership in which private owners and operators of internet-connected systems are responsible for their own protection. Government, meanwhile, is in a supporting role, doing only the things that government can do, like offensive operations, intelligence collection, making arrests, and setting regulations.
The problem with this strategy has been in the marketing. Not only does a “public-private partnership” sound soft and wishy-washy, it is a means and not an end. “Deterrence” is a goal. “Containment” is a goal. “Working together” is not.
We argue that the right strategy, the one we have been pursuing now for twenty years, needs to be reframed as a national goal to achieve “cyber resilience.” Resilience is a concept often tossed around at the top of government strategies (I wrote my fair share of executive orders that vaguely listed “resilience” as the goal) but that has yet to be embraced as the centerpiece of a national effort.
Resilience thinking is better developed in other fields where it is accepted that prevention of bad outcomes will not always be possible. Judith Rodin, a psychologist who as head of the Rockefeller Foundation spearheaded resilience efforts in American cities, defines “resilience” as the capacity to “prepare for disruptions, to recover from shocks and stresses, and to adapt and grow from a disruptive experience.” That definition works equally well for cyber resilience.
In the Wall Street Journal, we lay out the case that some companies are already resilient to cyber attacks. Dmitri Alperovitch, the CTO at Crowdstrike, and the originator of the often-quoted line that there are “two kinds of companies: those that have been hacked and know it and those that have been hacked and don’t,” no longer stands by that assessment. He would add a third kind of company: those that are actively managing the risk posed by even the most persistent nation-state actors. Those companies are cyber resilient.
The handful of companies that have developed resilience are spending millions of dollars and hiring thousands of cybersecurity professionals. For the nation as a whole to be resilient to cyber attacks, we will need innovations that reduce costs and automate security processes. We will also need to put in place incentives so companies truly value their own data and sufficiently invest in their own resilience.
What we need is the resolve and the budget to make our nation resilient to the threat of cyber attacks. Here, the Solarium can play an important role, not by divining a new strategy, but by studying what we need to do to implement resilience as a strategy, and convincing Congress to make the investments sorely needed to upgrade federal cybersecurity, build the connective tissue for managing threats with the private sector, and bring existing, successful programs to scale to meet the national challenge.
In the last chapter of The Fifth Domain, we quote Matt Devost, Neal Pollard, Jeff Moss, and Robert Stratton, who, when looking at the 2011 Obama-era cyber strategy, concluded that it said all the right things and that all we needed to do was “the coding”—actually designing the programs that would motivate private companies to improve their own cybersecurity. Then, as now, grand strategy turns out to be the easy part. Twenty years on, it is time we stop searching for an alternative and get down to the coding.