COVID-19 NEWS: Coronavirus Could Stymie U.S. Cybersecurity Enhancements
The COVID-19 pandemic may throw a monkey wrench into plans to boost cybersecurity in the United States, two members of a blue ribbon panel said April 14.
Congress chartered the U.S. Cyberspace Solarium Commission in the 2019 National Defense Authorization Act to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”
In mid-March, the commission — which consists of 14 members, including four lawmakers and four senior executive agency leaders such as Deputy Secretary of Defense David Norquist — released its final report which featured 80 recommendations to Congress.
The wide-ranging document broke its recommendations into six pillars, including: reform the U.S. government’s structure and organization for cyberspace; strengthen norms and non-military tools; promote national resilience; reshape the cyber ecosystem; operationalize cybersecurity collaboration with the private sector; and preserve and employ the military instrument of national power.
However, the ongoing COVID-19 pandemic may stymie Congress’ ability to turn the report’s recommendations into law, said commissioner Suzanne Spaulding, a former undersecretary at the Department of Homeland Security.
When the panel released the study, “the intent was to be poised as well as we could be to move things through Congress, particularly on the [National] Defense Authorization Act," she said during a virtual town hall hosted by the Mayer Brown law firm. "But obviously, a lot of that is thrown up in the air as we look at our current situation."
The commission has bipartisan support on Capitol Hill, she said. Commissioners include Sen. Angus King, I-Maine; Sen. Ben Sasse, R-Neb.; Rep. James Langevin, D-R.I.; and Rep. Michael Gallagher, R-Wis.
Additionally, even before the final report was released in March, commission staffers were working with lawyers, such as those at Mayer Brown, to draft specific pieces of legislation for each of its 80 recommendations, Spaulding said. However, the novel coronavirus has “preoccupied, appropriately so, the time and attention Congress has to try and address the implications of COVID-19 but also, obviously, makes it very difficult for Congress to be in Washington and be conducting business as usual, let alone voting,” she said.
Chris Inglis, another commissioner and the former deputy director of the National Security Agency, said the panel took steps to facilitate the recommendations' timely movement through the legislation process.
“We essentially pre-discussed these with the executive and the legislative branches" so that they understood the importance of the recommendations, he said. Now that “Congress itself has been stymied to conduct its normal and routine business, it remains to be seen how fast we can proceed.”
The commission’s report called for the nation to adopt a layered cybersecurity posture.
“The United States must be prepared to impose costs to deter and, if necessary, fight and win in conflict, as well as counter and reduce malicious adversary behavior below the level of armed conflict,” the study said.
So far, the nation has deterred cyber attacks that would rise to the level of an act of war. However, below that threshold “there is a significant set of adversary behavior that the United States has not prevented,” the document said.
The United States needs to implement a “defend forward” posture which recognizes that “organizing U.S. cyber forces around simply reacting to adversary activity has been ineffective in preventing adversary cyber campaigns; and initiatives that rely solely on non-military instruments of power have been insufficient to alter adversaries’ cost-benefit and risk calculus,” according to the panel.
U.S. forces must be forward-deployed geographically and virtually to counter adversaries, the report said.
The commission outlined two strategic objectives. One is expanding the capacity of the cyber mission force to meet the scope of the threat and growing mission requirements.
“The United States should achieve appropriate resourcing, force size and mix of its cyber forces as well as streamlined decision-making processes to ensure rapid maneuver and flexibility,” the study said.
The commission recommended Congress direct the Defense Department to conduct a force structure assessment of the cyber mission force as well as create a major force program funding category for U.S. Cyber Command.
A second strategic objective highlighted by the commission was ensuring the security and resilience of critical conventional and nuclear weapon systems and functions as potential foes enhance their capabilities.
“While continued automation and connectivity are essential to DoD’s military capabilities, they also present numerous access points for adversaries’ cyber intrusions and attacks," the report warned. "The scope and the challenge of securing critical military networks and systems are immense.”
The commission recommended Congress direct the Pentagon to conduct a cybersecurity vulnerability assessment of all segments of the nuclear command, control and communications enterprise and National Leadership Command Capabilities systems, and continually assess weapon systems' cyber vulnerabilities. It also called for the defense industrial base to participate in a threat intelligence-sharing program and conduct “threat hunting” on its networks.