Biblio

Crafting a national cyber strategy is an enormous undertaking. In this article we review the process by which the Cyberspace Solarium Commission generated the Solarium Commission Report, developed the strategy of layered cyber deterrence, and strategized for legislative success in implementing its recommendations. This is an article about the development of a whole-of-nation strategy. Once the production of the strategy of layered cyber deterrence is explained, the article goes on to elaborate on implementation strategies, the challenge of escalation management, and future efforts to ensure that the work of the Solarium Commission becomes entrenched in U.S. national cyber strategy and behavior. We review the work left undone by the Solarium Commission, highlighting the enormous effort that went into the process of building out a strategy to defend a nation.11It takes a village; we thank the entire Solarium Commission team, as their efforts generated the final Commission Report and the legislative successes that followed. In some ways, this article seeks to chronicle the process of building a strategy that was developed through the efforts of hundreds of people. This work reflects the process that we went through to construct the Solarium Commission report, which is particular to our experience; others may have had different recollections of the events under consideration. Brandon Valeriano is also a Senior Fellow at the Cato Institute and a Senior Advisor to the Cyberspace Solarium Commission. Benjamin Jensen is also a Scholar in Residence at American University and the Research Director for the Cyberspace Solarium Commission.

The process for determining how to respond to a cyberattack involves evaluating many factors, including some with competing risks. Consequentially, decision makers in the private sector and policymakers in the U.S. government (USG) need a framework in order to make effective response decisions. The authors' research identified two competing risks: 1) the risk of not responding forcefully enough to deter a suspected attacker, and 2) responding in a manner that escalates a situation with an attacker. The authors also identified three primary factors that influence these risks: attribution confidence/time, the scale of the attack, and the relationship with the suspected attacker. This paper provides a framework to help decision makers understand how these factors interact to influence the risks associated with potential response options to cyberattacks. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.