The challenges the nation has weathered during the COVID-19 pandemic can help inform, and should lend urgency to, plans to prevent and respond to a potentially crippling cyber attack, members of the Cyberspace Solarium Commission told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation at a Friday hearing.
Rep. Jim Langevin (D-R.I.), who was leading the hearing in the absence of Chairman Cedric Richmond (D-La.), noted that this year has underscored why lawmakers need to continually put a sharp focus on cyber strategy as well as the 82 recommendations in the Cyberspace Solarium Commission report.
“The COVID-19 pandemic has upended and altered the way we live, the way we work, and the way we govern. Overnight nearly half of employed adults became teleworkers, putting added stresses on our infrastructure and creating new opportunities for hackers to wreak havoc,” he said.
“Now Congress is holding remote hearings, and state and local governments have become e-governments with little time to transition. Many state and local governments are also finding that, due to antiquated IT systems and the fact that their data aren’t in the cloud, they are unable to scale and secure vital programs like unemployment insurance, highlighting the need for modernization as part of the security push. Our adversaries have noticed the broader attack surface.”
The commission was established in the 2019 defense bill and consisted of four sitting members of Congress, four members from the executive branch, and six members from the private sector. The panel conducted more than 30 meetings and was described by independent Sen. Angus King (Maine), a co-chairman, as a fully nonpartisan exercise.
Fifty-four of the report’s 82 recommendations have been converted into legislative recommendations and presented to pertinent House and Senate committees.
“We are a cheap date. Our adversaries don’t compute the cost of attacking us. That has to change. That’s the strategic picture,” King said. “The organizational picture is that cyber is scattered throughout the federal government. It’s in the Defense Department, it’s in the intelligence community, it’s in DHS, it’s in the FBI, and we really need to try to straighten out the organizational structure.”
King also pointed to the “difficult” relationship between government and the private sector on cybersecurity when 85 percent of the cyber target space is in the private sector.
“The private sector computers, whether they are in the financial sector or energy or transportation or telecommunications, they are the frontline troops in this battle, and yet it is the federal government that often has the resources and the expertise and the ability to pull together this information in order to protect our country,” the senator said.
The other co-chairman, Rep. Mike Gallagher (R-Wis.), noted that the release of the report in March came as COVID-19 was dominating the national conversation.
“I think it is important to note that the overall approach we are taking here is not to create a bunch of new organizations within the federal government but rather an attempt to elevate and empower existing organizations like CISA who have made important progress in recent years but need more support from Congress,” Gallagher said.
The report encourages defining agencies’ roles with a focus on national risk management and a continuous planning process “so that we think through the unthinkable now, so we are not having to make things up on the fly in the wake of a cyber 9/11.”
“We are recommending, for example, that Congress establish and fund a national cybersecurity certification and labeling process to establish and manage a program on security certification and labeling of ICT products as well as establish a Bureau of Cyber Statistics charged with collecting and providing data on cybersecurity,” Gallagher added.
Commission member Suzanne Spaulding, former leader of the National Protection and Programs Directorate — CISA’s predecessor — at the Department of Homeland Security, told lawmakers that three areas “must be acted on very quickly, given the vulnerabilities, particularly as we have noted with the pandemic”: strengthening CISA with more resources and authorities including administrative subpoena authority, improving the efficiency of the market to drive better cybersecurity, and reducing the benefit side in the adversary’s cost-benefit analysis with a focus on resilience.
“We have a number of urgent election-related recommendations, including reforming regulation of online political advertisements, providing grant funding for states to improve election systems, replace outdated equipment, ensure voter-verifiable paper-based systems and conduct post-election audits. These are perhaps the most urgent of our recommendations,” she said.
Commission member Samantha Ravich, former deputy national security advisor to Vice President Dick Cheney, said the panel “would not have lived up to the great responsibility given to us if we had not thought about what our country would do in the aftermath of a significant cyber attack.”
The recommendation to develop and maintain a Continuity of the Economy plan was introduced as a bill in the Senate Banking, Housing, and Urban Affairs Committee last month.
“What it would mean for the U.S. military and the security forces of our allies if there was a major attack on bulk power transmission not only knocking out the lights in major metropolitan areas but taking transportation systems offline or if the major stock exchanges were compromised, if wholesale payments, medicine, telecommunications, and trader logistics were brought down?” Ravich said. “And now think about the difficulties that would create for mobilizing and deploying forces if this all occurred during a time of international crisis, not knowing which plane, train or bus to hop on to get to the rally point, leaving loved ones at home scared in the dark and not knowing if their medicine or baby formula will still be stocked at the local Walmart. Much of the economic base of the United States potentially losing complete access to their data for good.”
“Creating and externalizing, exercising a continuity of the economy plan will serve as a visible deterrent to adversaries by demonstrating that the United States has the wherewithal to respond to a significant cyber attack. It will show that we will not be cowed and that if the economy upon which our livelihoods depends is brought down by an adversarial cyber attack they, the adversary, will feel our wrath.”
Continuity of the economy planning “might also further review the feasibility of disconnecting critical services or specific industrial control networks if national security concerns overwhelm the need for internet connectivity,” she added. “Continuity of the economy planning should also further explore options to store backup, protected data across borders with allies or partners, particularly in areas where economic disruption in either country could have cascading effects on the global economy.”
Planning for a catastrophic cyber event also needs to take into consideration “the lack of readiness by the general public.”
“Many industries will not be included in this planning, and most citizens will not be able to rely on government assistance in the period following an attack, but as is also true of natural disaster preparedness, the American people do not need to be helpless,” Ravich said. “…As we sit here in our virtual COVID world trying to think the unthinkable and plan for the implantable, we must ask ourselves the hardest question of all, what would a cyber day after look like if we didn’t undertake continuity of the economy planning?”