Cybersecurity and Deterrence
A Cyber Solarium Project
In the midst of the holidays, readers may have missed an interesting op-ed published in the Washington Post on Dec. 25 about Russia’s continuing online information operations against the United States. Former CIA deputy director Michael Morell and Rep. Michael Rogers, the former House intelligence committee chairman, argue that U.S. policymakers and the general public should not think that Moscow has dialed back its digital operations since the 2016 elections.
Their closing paragraph summarizes their argument nicely:
The sanctions that the Obama administration and Congress put in place in the aftermath of the 2016 election are steps in the right direction, but they were not significant enough to check Russian President Vladimir Putin. True deterrence requires policies that prevent adversaries from achieving their objectives while imposing significant costs on their regimes. So far, we have done neither.
I couldn't agree more: At the strategic and policy level, the United States is flailing and it is not detering its adversaries online.
The U.S. government is still unable to define, short of attacks with kinetic effect, what constitutes an act of war in cyberspace. In a 2015 congressional hearing, James Clapper, then the director of national intelligence, didn’t distinguish between expected digital espionage and catastrophic cyber theft. The Department of Defense still does not understand if or how deterrence works in cyberspace, and top U.S. diplomats have not decided whether they want international legal norms in the cyber domain because they might primarily constrain our own military and intelligence operations.
Others see this failure too. Susan Landau, a key contributor to this site, makes a compelling case that even our basic understanding of what “cybersecurity” is needs to change. Sounding similar themes as Morell and Rogers, Landau concludes:
If there is anything we've learned from the Russian cyber activity during the Brexit campaign and the 2016 U.S. and 2017 French presidential campaigns, it's that our cybersecurity protections are completely unprepared to cope with a disinformation campaign. They, and our policies, were focused on protecting computer systems and their data, not on protecting people's minds from misinformation planted on networks users relied upon.
Put simply: U.S. cybersecurity efforts are too narrowly defined, and they are hobbled by the scope of the threats this country faces, by fragmented government organization around the issue, and by a general lack of expertise and imagination at senior levels of government.
The bad news is that a wholesale reevaluation of this country’s cyber posture is needed. The good news is that the U.S. has effectively been here before, and there is a workable way forward.
In 1953, President Dwight Eisenhower had a problem: In the wake of World War II, Soviet Russia was aggressively expanding its influence and challenging the U.S. and its allies in Europe. For weeks, Eisenhower met with top diplomats and advisers in the White House’s Solarium room, trying to devise a plan for halting, and eventually lifting, the “Iron Curtain” of Soviet influence that was falling across the continent.
Nothing was working. The policies that Eisenhower had inherited from Harry Truman were insufficient, and Eisenhower’s Cabinet was beset by infighting and a lack of imagination.
The president knew he needed more than a narrow set of policies. He needed a grand strategy—an intellectual and political framework that arranges all elements of national power to pursue American interests and to understand and confront the Soviet Union. Nothing his advisers gave him, however, would accomplish this.
But then, he had an idea.
In what would eventually become known as the Solarium Project, Eisenhower commissioned three teams of experts to craft an anti-Soviet grand strategy—each with the same objectives and information but oriented around different political approaches. The results of this competitive analysis were distilled into National Security Council memorandum 162/2, one of the core documents guiding U.S. strategy during the Cold War.
This project succeeded because it leveraged broad expertise to inform the Eisenhower administration, because it used competition to diversify and to refine findings and policy options, and because it delivered a comprehensive intellectual structure that supported a focused—yet agile—whole-of-government anti-Soviet strategy throughout the Cold War.
Today, nearly 65 years later, Russia’s Soviet-style aggression is returning, and the U.S. political and national security apparatus is again proving insufficient. Moscow is using advancing technologies—and their accompanying disruption—to degrade an international system the Russians see as hostile to their interests and to elevate Russia’s relative influence within a new global order. And arguably, it is working.
Russia’s most recent National Security Strategy explicitly calls for a “polycentric” world, where Russia is an equal partner with the United States, China and the European Union; and, as one scholar has observed, “diminishing the international reach and impact of Western institutions is central to the creation of this polycentric world.”
Understanding this places Russia’s digital aggression in context, including its interference in democratic elections and cyber attacks against Western nations and others. It also helps with understanding Moscow's maturing efforts to build out its cyber resilience, such as its reported desire to build an “independent internet” by August—ostensibly to withstand “Western aggression” online.
But understanding the threat is not the same as addressing it. The United States needs a new approach.
Perhaps it needs a Cyber Solarium Project.
This effort could largely adopt the model of its Cold War predecessor by leveraging competing teams of experts sharing the same resources and information, but each with its own unique point of view.
Each team’s research could challenge the other teams’ perspectives and findings while forcefully advocating for its own. These competing analyses could then be synthesized into a grand strategy that provides an orienting framework for U.S. economic, social and political security in the digital age.
Unlike the original effort, however, the Cyber Solarium Project should be established, funded and overseen by the private sector and civil society groups. Government should support and participate in the exercise, but it should not administer the project.
At the beginning of the Cold War, the U.S. government had a near-monopoly on the expertise, information and means to confront the Communist threat. Today, though, much of the cyber expertise, data and capabilities in the U.S. exist outside the federal government.
Business interests are motivating technology titans such as Facebook, Google and Apple to accumulate ever more sophisticated capabilities, information and insights. Combine that with the intelligence community’s growing inability to attract and retain high-level expertise, and the U.S. government is just one of several stakeholders—not the decisive voice on cyber innovation and security.
It is increasingly clear that the United States must integrate the private sector at the root of strategy, policy and planning. Our interests are interconnected, and the private sector is an expanding center of gravity for the knowledge and tools necessary to be safe. This migration of power and influence also means that private technology companies and their civil-society partners must recognize, and step up to, their growing national security responsibilities.
Obviously, such a project would not guarantee American success in the emerging digital world. But the status quo guarantees U.S. failure.
The original Solarium Project helped guide the United States through the threat of nuclear war. Perhaps a Cyber Solarium Project can help it navigate the spiraling consequences of digital conflict.