Cybersecurity Ethics — Week 4 · Module 09
The Cyberspace Solarium Commission
A US national-strategy report that asks the security profession to do things its codes never anticipated. Where the moral obligation meets state power.
13 slides · ~13 min · CSC March 2020 Report
Slide 2 of 13 · Origin
What the Commission Was
The Commission's purpose: Congress chartered it to develop a "consensus on a strategic approach to defending the United States in cyberspace." Modeled on the original 1953 Project Solarium that shaped Cold War strategy.
Slide 3 of 13 · The 6 pillars
The Six Pillars
Slide 4 of 13 · The strategy
Layered Cyber Deterrence
The strategic logic: deterrence in cyber requires multiple simultaneous mechanisms because no single one is sufficient. Each layer addresses a different adversary calculus.
Slide 5 of 13 · The most contested concept
"Defend Forward" — What It Means
The Solarium framing
Engage adversaries continuously in cyberspace short of armed conflict. Operate against malicious actors before they reach US networks. "Persistent engagement" is the doctrinal counterpart at US Cyber Command.
The ethical questions
When does proactive engagement become preemptive attack? Whose infrastructure is the engagement on? Is the standard for "malicious actor" reliable enough to support offensive action? What is the role of the private sector in this engagement?
The Commission did not invent defend forward — the doctrine emerged from US Cyber Command earlier. The Commission endorsed it and recommended structures to scale it. The endorsement is what makes it a Solarium concept.
Slide 6 of 13 · The collaboration model
Public-Private Collaboration
The structural change: the Solarium pushed cooperation from "share threat intel after the breach" to "operate together before the breach." JCDC is the visible institutional outcome.
Slide 7 of 13 · New office
National Cyber Director (NCD)
Origin
Solarium Pillar 1 recommendation. Created by the FY2021 NDAA. Senate-confirmed, Cabinet-level cybersecurity leader in the White House, heading the Office of the National Cyber Director (ONCD).
Function
Coordinate federal cybersecurity policy across agencies. Advise the President. Lead implementation of the National Cybersecurity Strategy. Liaison with private sector and international partners.
Why this matters: before the NCD, cybersecurity policy was scattered across NSC, OMB, Commerce, DHS, etc. The NCD is the centralization the Solarium argued was needed. Whether centralization improves outcomes is an empirical question still being answered.
Slide 8 of 13 · CISA's elevated role
CISA After Solarium
Operational center
Cybersecurity and Infrastructure Security Agency. The federal civilian operational lead. JCDC, sector risk management agencies, threat sharing.
Critical infrastructure
Sector Risk Management Agency designations clarified. CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act, 2022) gave CISA mandatory reporting authority for major infrastructure incidents.
Direct engagement
Direct collaboration with platform companies, ISPs, cloud providers. Visible publication of threat intelligence. Public attribution support.
Slide 9 of 13 · The ethical questions
What Solarium Asks of the Profession
Spinello's question for the profession: the codes were written assuming security professionals defended their employer's systems. Solarium-era operations involve security professionals participating in nation-state engagement. The codes have not fully caught up.
Slide 10 of 13 · Reference event
SolarWinds (2020)
What happened
In late 2020 (publicly disclosed in December), a sophisticated supply-chain compromise of SolarWinds' Orion software allowed attackers (later attributed to Russia's SVR by the US government) to access multiple federal agencies and private companies via routine software updates. Discovery came through FireEye, a private security firm.
Why it tested the model
SolarWinds happened just as the Solarium recommendations were being implemented. Discovery was private-sector. Attribution was government. Response coordination tested CISA's then-new role. The incident became a real-world stress test of the layered-deterrence approach.
The lesson the profession took: the supply chain is the soft underbelly of cybersecurity, and no national strategy is complete without addressing it. Subsequent executive actions (EO 14028, May 2021) were direct responses.
Slide 11 of 13 · CSF anchor
Solarium and the CSF
Pillar 4 — Reshape the Cyber Ecosystem
Recommends a National Cybersecurity Certification and Labeling Authority. The labels would be CSF-aligned. Procurement decisions become CSF-aligned by extension.
Pillar 3 — Promote National Resilience
Recommends a National Data Security and Privacy Protection Law. Would extend CSF-style requirements to private-sector data handling at federal level.
CSF as common vocabulary
The Solarium report leans on CSF throughout because it provides a shared language for federal-private coordination on risk — what Pillar 5 of the strategy requires.
Slide 12 of 13 · Implementation tracker
What's Implemented vs. Still Pending
Implemented (substantially)
National Cyber Director established (FY2021 NDAA). JCDC stood up at CISA (2021). CIRCIA passed (2022). National Cybersecurity Strategy issued (March 2023). EO 14028 on supply-chain security (2021).
Partial / pending
Comprehensive federal data-protection law (proposed repeatedly, not enacted). National Cybersecurity Certification & Labeling Authority (CISA Cyber Trust Mark for IoT advancing). Sector-specific risk frameworks evolving. CSC 2.0 publishes annual implementation scorecards.
The current state: Solarium is an active reference document. Many recommendations became law; some remain proposals. CSC 2.0 (a successor entity) tracks implementation publicly.
Slide 13 of 13
Module 09 Takeaways
1. The Cyberspace Solarium Commission (chartered 2018, final report March 2020) produced the most influential US cybersecurity strategy document of the post-2016 era.
2. Six pillars covering government structure, norms, resilience, ecosystem reform, public-private collaboration, and the military instrument.
3. Layered cyber deterrence: shape behavior + deny benefits + impose costs. Multiple simultaneous mechanisms because none alone is sufficient.
4. "Defend forward" — persistent engagement with adversaries in cyberspace. Raises ethical questions the codes do not yet fully address.
5. Implementation outcomes: NCD (created 2021), JCDC at CISA (2021), CIRCIA (2022), National Cybersecurity Strategy (2023), EO 14028 (2021).
6. SolarWinds (2020) tested the model in real time. Supply-chain security became a top federal priority in direct response.
Next up: CSE-10 — Capstone Synthesis. Four weeks of cyberethics in one frame.