The Cyberspace Solarium Report released today is another, in an endless string of reports, that disgorge from Washington committees dealing with the eternal mantra of “defending American interests and values in cyberspace.” The challenges (and many reports) here trace back 170 years when transnational telecommunication internets emerged. The dialogue and reports scaled in the 1920s with the emergence of radio internets and cyber threats, then again in the early 1980s with the deployment of data internets, and yet again in the mid-1990s with the Clinton-Gore Administration forcing the TCP/IP platform into public network infrastructure without even minimum security regulation, and abandoning related international agreements. As the effects of that disastrous decision have manifested themselves, the cyber reports have become more frequent. Now it is Solarium revisited. (Solarium is the name given to a 1953 Cold War strategic defence initiative that met in the solarium on top of the White House.)

The gist of the Solarium Report and its 80+ recommendations are not significantly different than those seen countless times before—even as it professes the threats are greater. However, the recommendations are not much different than those produced 25 years ago when NSA’s legendary Press Winter pulled together the nuclear cold warriors who had funded TCP/IP—for them to atone for their sins as they would say—by creating the CRISP initiative at Stanford and engaged the National Labs. DARPA’s Emeritus Director Steve Lukasik who ran much of the work spent the next 20 years cranking out one Andy Marshall or DTRA report after another predicting almost every impending TCP/IP internet disaster and recommending mitigation strategies.

So here we are in 2020. Most of the same observations and mitigations are now bundled under “six key pillars.” Even if well-meaning, the pillars and most subtending recommendations have been seen many times before. They are standard Beltway mantras. The only especially critical new concerns relate to U.S. elections and cloud data centres.

What was especially telling about the report is found as part of its rollout explanatory panel on The International Impact a few days ago. The most interesting part of the panel was the probing questions of The Washington Post’s Ellen Nakasima who kept asking the question how this report is different from the countless others. The only mind-boggling answer to the question at the end seemed to be more people and an ambassador slot at the State Department for “dealing with 5G.” What they probably didn’t know was that it was ironically exactly what Diana Dougan did almost 40 years ago when she came to Washington with the Reagan Administration and landed in the State Department.

The report utterly fails to deal with the major foundational problems under the pillars—as it probably inherently could not.

1. The US shift from its highly-integrated public-private model with strong private-sector R&D in the 1990s to promote the TCP/IP internet political-economic strategy of the time has proven a disaster. The esteemed groundbreaking research laboratories combined with dedicated experts collaborating with their peers in global standards bodies just disappeared. NSA’s groundbreaking cybersecurity programs and public leadership disappeared. Other countries—particularly in Asia—took a more cautious approach and instead emulated what was a U.S. success story. The result has gutted the ability of the U.S.—especially the ability to participate effectively internationally.
2. The TCP/IP internet itself—together with its institutions which are still propped up—has proven an even greater disaster. It was regarded at the time as a vulnerability nightmare—which has become ever worse over the years, as predicted. Now—as networks and services worldwide shift to 5G entirely and move to better protocols—the U.S. is facing challenges in shedding the old baggage and adapting.
3. Just when effective global multilateral instruments and forums are most needed to deal with global cyber problems of its own making, the U.S. has basically zero credibility from abandoning them in 1990, and effectively killing what was left by the current Administration. The White House, “Elephant in the Room,” is impossible to ignore. The most the report offers on international is working with a dozen friendly nations with those new hires at State. Good luck with that one.

Although the report likes to blame the rest of the world for cybersecurity challenges, it ignores the rather embarrassing reality that the U.S. TCP/IP infrastructure itself has long been the source of most of the world’s cyber attacks and malware as well as the most targeted—even if the perpetrators are abroad. This reality produces a significant skepticism abroad when yet another report emerges that fails to deal with the problems extant in the nation’s own back yard. Even as the FBI warns against zero trust digital certificates being churned out by Silicon Valley and exacerbating cybersecurity incidents, Washington does nothing. What Washington should be doing as one of its pillars is studying how other countries are protecting themselves from the cyber threats emanating from the U.S.

The Solarium Report’s comment on page 18 about “losing the international standards race” is so utterly bereft of reality that it underscores the challenge being faced in Washington—its inability (or unwillingness) to understand what is occurring. On page 74 of the report, it asks, “can the 5G deployment be made fundamentally secure? Although nothing can be made fundamentally secure, the risks can be significantly reduced, and the very activity to accomplish this in multiple international bodies has long been underway and the report’s authors seem utterly unaware of it. Even the idea of a security certification is moving towards implementation, but will the U.S. participate?

Fortunately, the real participants in the 5G security arena met virtually all of last week and advanced an array of essential capabilities, including supply chain assurance—reviewing and reaching agreement on more than 450 input contributions from 35 different companies and organizations treating 30 5G security work items and proposing 14 new critical security studies and specifications. These were some of the real experts who collaborated and reached consensus decisions via 604 emails. No inputs from any USG sources, but five registered from the national security community to watch, and one lone NIST person expressed a view on an esoteric development. Although a small step, it is a giant leap for an insular Washington. Fourteen U.S. companies and organizations actively participated. These activities are fairly transparent, and the rest of the world outside of Washington can see what is actually occurring here rather than the xenophobic nonsense in the report.

Notwithstanding the foibles of the report, it deserves praise for assembling a broad array of needed actions and beginning to focus on the security of cloud data centres in section 4.5, which—as noted in the report—Europe is already pursuing. The U.S. based Center for Internet Security has already worked with cloud platform providers to instantiate Critical Security Controls capabilities in cloud operating system images, and contributed its specifications for that action via the ETSI global standards profiles that are being used for certification. Section 4.6 also raises the possibility of national data security legislation—which many other nations already have accomplished. The report also expresses long-due concern over the serious negative consequences of end-to-end encryption—for which ETSI has already developed standardized platforms for meeting the diverse needs.

Washington’s biggest cybersecurity challenge is itself. It exists in a bubble of non-stop, self-similar chat-boxes that have minimal knowledge or apparent interest in the history, the actual underlying technologies and ongoing activities, or its own culpabilities in the global cybersecurity ecosystem. The internet myths are truly ludicrous. As someone who spends almost all his time in international venues or analyzing them, it is plain that almost no US government agencies and only a handful of companies even engage in the relevant activities anymore. As a result, anything in the report concerning international developments lacks credibility.

What the U.S. should consider is analyzing at how other nations are developing successful strategies, analyzing what is actually occurring, and beginning to engage again in the international venues and activities it has largely abandoned—to the extent that is still possible. Although this is recommended in section 2.1.2 of the report, what is there reveals a lack of understanding of the topic and has no substance. A few people at State is not going to cut it. The only real expertise around Washington is at NSA (as it has been for the past hundred years) and with their peer organizations in every other country. Without NSA significantly, publicly engaged in domestic and international venues, there is no U.S. cyber credibility.

The sad truth is the U.S. has the resources to be a global leader in this space with others, but seems as a nation to be incapable of shedding its internet political illusions and myths, understand the fundamental technological changes in play, and organize and facilitate the available resources effectively. Today, we have yet another cyber commission producing still more pillars. The hope is that it will be something more than just a blueprint for program funding, agency turf, regulation avoidance, Washington institutional aggrandizement, and lobbying prominence—that have nothing to do with any meaningful 5G security or global leadership.