Washington Needs a New Solarium Project To Counter Cyberthreats

Sometimes the most significant legislative measures get the least attention at the time of passage. That may be the case with the Cyberspace Solarium Commission mentioned in the National Defense Authorization Act that was passed on June 18 by the U.S. Senate. Tucked into the bill crafted and sponsored by Sen. Ben Sasse (R-Neb.), the commission may not garner many headlines, but it could galvanize a strategic paradigm shift.

If the idea survives the House-Senate conference process and gets signed into law — and we very much hope it does — it could lead to the creation of the institutions, doctrines, resources, and strategy that the United States needs desperately in the realm of cybersecurity. As New York Times national security correspondent David Sanger argued in a recent essay, the United States is woefully unprepared for the age of cyberconflict.

The perennial challenge for senior officials attempting to craft long-term strategy is not letting urgent matters crowd out important ones. In this particularly tumultuous time, just keeping pace with breaking headlines exhausts policymakers and leaves them little bandwidth for strategic reflection.

Yet paradoxically, strategy becomes all the more important in a time of crisis. Indeed, a well-conceived set of strategic principles can serve as both ballast in turbulent waters and a lighthouse guiding the way. And when many policymakers and cyber-experts believe that the multiple low-to-midlevel cyberattacks the United States has already suffered (such as the Office of Personnel Management hack, regular Chinese and Russian efforts to penetrate U.S. national security infrastructure, and Russia’s past and ongoing interference in the U.S. political system) are a harbinger of more serious ones to come.

One of the underappreciated advantages of the United States’ structure of government lies in the capacity of Congress to generate institutional reforms that the executive branch is either unwilling or unable to undertake. Congress has a history of initiating important strategic reviews and restructurings, such as the National Security Act of 1947, the Goldwater-Nichols defense reform act of 1986, and the creation of the 9/11 Commission and the subsequent Intelligence Reform and Terrorism Prevention Act of 2004. Though each of these had its problems, each also forced the executive to undertake painful yet ultimately necessary strategic reforms that in the end strengthened U.S. national security.

If properly led and implemented, the Sasse proposal for a Cybersecurity Solarium Commission could make a similarly timely and consequential contribution to national security. The NDAA provision self-consciously draws inspiration from President Dwight D. Eisenhower’s iconic Project Solarium exercise in 1953.

Solarium divided its participants into three teams of senior experts, each with a mandate to develop and defend a new and different U.S. strategy in response to the Soviet nuclear threat, then at a parallel stage to today’s cyberthreats. At the time, the United States and the Soviet Union were far enough into the contest for its dimensions to be evident, but not so far that strategic responses were set in stone.

The nuclear threat was so new that it demanded fresh thinking about history. So too with cyberwarfare. Eisenhower was drawn to the Solarium exercise precisely because history offered little explicit guidance other than the bracing clarification that the United States was in uncharted territory. As one of us has written elsewhere:

Upon being sworn into office, Eisenhower’s assessment of the national security challenges facing his Administration emphasized the unprecedented nature of the situation. Drawing on his own extensive military experience, Eisenhower realized that never before in history had the United States been in the role of a global superpower, in a bipolar system, in a nuclear age. … The prospect of global nuclear annihilation was not the only defining feature of this ahistorical age. Never before had the United States faced the challenge of maintaining domestic economic growth simultaneously with a substantial standing military that included permanent deployments overseas.

The Soviet leader, Joseph Stalin, died a few weeks after Eisenhower took office, adding even more uncertainty to the equation. Similarly, today, there is much that is unprecedented about cyber threats. Cyber is both a domain and an instrument. Unlike nuclear weapons — which demand the mobilization of tremendous resources by a nation-state — cybertools are available to otherwise impoverished and ill-resourced nations and nonstate actors. Unlike large-scale attacks with conventional weapons from a visible enemy, cyberattacks can wreak unfathomable carnage with uncertain origins and attribution.

Unlike armaments that belong exclusively to nation-states that maintain a monopoly on the use of force, some of the most advanced cyberweapons belong to private-sector companies. Unlike weapons of mass destruction, where there are strong taboos that have inhibited large-scale use, cyberweapons are used every day by states and nonstate actors and against states and nonstate actors.

The old joke needs to be updated. Back in the day, everyone was thinking about nuclear use, but no one was doing it. Today, it seems like everyone is using cyberweapons, but not enough policymakers are thinking about them.

To be sure, there is a fair degree of strategic analysis and thinking in academia, in think tanks, and in the relevant Cabinet departments and agencies. But this thinking has not accumulated into definable strategies that have buy-in from the White House or that have aligned roles and responsibilities across department and agency lines.

There are limits to the Solarium analogy, however. Eisenhower had some clear ideas on how he wanted nuclear strategy to go, and he structured the Solarium exercise to empower him to go in those directions. Neither the Obama nor the Trump administration has gone so far down the decision path, and so this commission may prove to be an enabling and action-forcing exercise, as Congress reasserts its Article 1 constitutional responsibility to “provide for the common defense.”

The United States cannot afford to wait. It is already clear that U.S. adversaries are willing to stage attacks in the cyber domain and believe they can do so with impunity: Witness Russia’s successful deterrence of the Obama administration from retaliating in 2016.

Advanced cyber capabilities and a willingness to run risks to use them are the common features of every major national security challenge facing the United States today, whether it is Iran, North Korea, Russia, or China. As a result, cyberthreats cast a long shadow over the full range of national security and foreign-policy issues, including trade, regional conflict, terrorism, and new great power rivalries.

Americans struggled to understand the nuclear threat from the Soviet Union. In an effort to overcome bureaucratic stovepipes and to catalyze fresh thinking, Eisenhower convened the Solarium exercise to help him assess and respond to an unprecedented national security challenge. With this new provision in the Senate version of the fiscal 2019 NDAA, Sasse has given the U.S. government the opportunity to make a similar landmark assessment and response.