Cyberspace Solarium Takeaways


The United States Cyberspace Solarium Commission released its report on March 11, 2020. The report recommends a wide variety of strategies and proposed cyberspace legislation. I agreed with most of the report, such as more resources for CISA and Cyber Command, or tasking NIST with efforts to make cyber insurance easier. This blog is about what I found really interesting and what I liked in the report - namely vulnerability liability, a US population that is smarter about cyberspace, and increased support for elections on a near-equal footing with critical infrastructure.
If You Have Not Read the Report Yet

You should read it end to end. It will be the basis for much of the legislation passed by Congress about cyberspace for the next few years. The report has a concise executive summary, and proposed legislation in many different sections.

The best graphic is on page 25 and details the multiple strategies recommended by the commission. Multiple strategies are required because the commission tries to address everything from peacetime and cybercrime to actual armed conflict.

You should also read some articles and blogs that are a bit critical of the report to get some perspective. A good example is Joshua Rovner's "Did the CyberSpace Solarium Live Up To Its Name". This is a very thoughtful article that claims the commission covers too much, and it makes a variety of good points.

Liability for Vulnerabilities 

Section 4.2 recommends proposing legislation to "Establish Liability for Final Goods Assemblers". A "final goods assembler" is the business or entity that puts the product together for you. A vendor might sell you something like a new home router, but they really paid someone else to manufacture the motherboard, someone else to make the plastic housing, and someone else to write the operating system. In this case, the "final goods assembler" would be liable for vulnerabilities introduced by these subcontractors.

It does not come right out and say it, but this covers all vendors, including embedded manufacturers such as those that produce power, medical and election systems. This is extremely important, as those industries have a history of not being transparent, and often being adversarial, about vulnerability disclosure and making patches available.

Having said that, there is still a lot of work to be done here, and I would expect any bill that tried to nail this down to be heavily debated. Section 4.2 suggests that only the entity offering an end user license agreement would be liable, which is good, but this sets up lots of potential questions, such as:

  • Does this include social media companies? 
  • What about open source? 
  • What if my bank makes an error in the code they have on their web site? Are they a “final goods assembler” then? 
  • If the vulnerability came from a cyber weapon leak, does that count too? 

I could see a bill such as this being deemed too broad; more specific legislation for individual verticals and critical infrastructure could be easier to get broad support for. This is also something that could be narrowed in scope and passed at the state level.

A Smarter US Population in Cyberspace 

Section 3.5 recommends: "The U.S. government should promote digital literacy, civics education, and public awareness to build societal resilience to foreign malign cyber-enabled information operations". When you realize we are all easily duped by disinformation, and that phishing and spear phishing depend on tricking a human, this recommendation makes a lot of sense.

The commission report recommends funding the Department of Education to support digital literacy in K-12 and beyond. It also recommends enabling the Department to fund non-governmental organizations to help. I'm particularly interested in this, as Gula Tech Adventures has been involved with the National Cyber Education Program to specifically support K-12 cyber education through a partnership with Discovery Education.

The report also recommends enhancing general public awareness of cyberspace issues. I feel the US public has come a long way over the past five years in its understanding of how social media collects private data on them and, in turn, how AI, robots and automation like self-driving cars will impact them. What I would have liked the commission to outline were some goals and a way to measure them. Do we need each citizen of the US to be able to articulate the pros and cons of government-controlled cryptography? Do we need to cut the phishing rate to nearly zero?

The commission also recommends that political advertising be modified to make it harder for non-US entities to buy political ads. I would have loved to see some other specific recommendations for what the US government could do to promote digital literacy. Two "simple" ones could be to:

  • Require social media platforms to offer an option to validate their users, and then give users the ability to see only validated user content. I should be able to remove the trolls, bots and people pretending to be my Mom's friend from church if those same trolls, bots and fake friends could not produce a valid US ID or US Post Office correspondence. This would allow social media users to see how much noise is really targeting their social media networks. 
  • Have more consumer-friendly labels that say where the data is hosted, not just what vulnerabilities are involved. In the report, section 4.1 suggests many different types of certifications for products, but none of them are very consumer-friendly. It would be nice to see the equivalent of "MADE IN CHINA" as "YOUR DATA HOSTED IN CHINA". 

More Election Security Support

In many ways, the commission's report placed "election security" as high as any other critical infrastructure. This is excellent and, if the recommendations are followed, will make permanent both the support for the Election Assistance Commission (EAC) and a finding by the Federal Election Commission (FEC).

The EAC offers support to state elections with funding and some cyber guidance, without impinging on states' rights or dictating how a state secures its infrastructure. Making changes to how voting works is a very political subject and much more complex than the average US citizen realizes. Funding the EAC at a greater level will allow it to support state elections with basic hygiene and cyber staff.

Believe it or not, before this 2020 election cycle, if you were to give cyber advice, some extra Yubico keys, or a free web scan to a candidate, you would be providing an in-kind donation, which requires disclosure and is limited to a small dollar amount. Fortunately, the FEC made exceptions to this rule for cyber products and services. One of those exceptions was made for Defending Digital Campaigns (DDC). I've been very happy to help out as a board member there and to help recruit some great solution providers. I would very much like to see the status enabling DDC made permanent, because elections come and go. Permanency would allow us to continue to expand DDC with more donations and to engage campaigns and political parties on a long-term basis.

What Can You Do?

As I said before, if you have not read this and you are in cyber - shame on you! Spend the time to read it so that when we start debating about putting these things into law, you'll be up to speed.

If reading it is too much to ask, watch this video from RSA 2020. It has several of the commission members talking about the report and the process, as well as questions from the RSA audience.

Lastly, think about what you do in cyberspace. Are you making a big enough impact to keep the US safe in cyberspace in both peacetime and war? What could you do in your cyber job to help your company or organization meet the recommendations in the report?