The coronavirus pandemic is leaving the country to grapple with more questions than answers about healthcare, the economy and even cybersecurity.
In response to the U.S.'s "absence of the requisite preparedness" during the outbreak, the Cyberspace Solarium Commission issued an update to its inaugural cyber report, just about three months after its release.
The original report set out to address how the U.S. could absorb the impact of a catastrophic cyberattack and rebound quickly. The commission identified critical infrastructure and cross-sector functions that need prioritization in the event of a destructive cyberattack, including healthcare providers, telecommunications and utilities. But the pandemic cast a light on particular weaknesses.
The commission released an annex to the original report, serving four new recommendations to reflect the ongoing lessons from the coronavirus pandemic. While the pandemic isn't a "significant cyberattack," the commission found "many illuminating parallels" worth addressing.
The four new recommendations are divided between two sections:
Pandemic cybersecurity challenges:
- Pass an IoT law: The law would subject IoT devices to "reasonable security measures" and require compliance with basic security standards, such as those published by NIST, according to the report. The law emphasizes "enduring standards" for authentication and patching.
- Support nonprofits collaborating with law enforcement on cybercrime: Trusted nonprofits are capable of and flexible enough to "disrupt cybercrime," according to the report. The commission recommends Congress call on the Justice Department to fund nonprofit efforts.
Pandemic's lessons in cyber preparedness:
- Establish the Social Media Data and Threat Analysis Center (DTAC): To combat the influx of false information, which further complicates domestic issues, the commission is in favor of a provision in the National Defense Authorization Act that enables the Office of the Director of National Intelligence to organize and financially support a DTAC.
- Increase nongovernmental ability to find and defend against foreign misinformation campaigns: When misinformation campaigns on social media became a prominent threat in the U.S. several years ago, Sen. Angus King, I-Maine, co-chair of the commission, sought advice from peers in Eastern Europe. His counterparts were familiar with misinformation campaigns perpetrated by Russia, King said while speaking during a press briefing Monday.
They told him the best defense is public awareness. The commission's recommendation is "not very dramatic," but the best defense is unrelenting fact checking, said King.
The commission is seeking funds from the DOJ, with guidance from DHS and the National Science Foundation, for nonprofits that "identify, expose, and explain malign foreign influence" on social channels, according to the report.
A closer look at the recommendations
As the U.S. shifted to remote work, the commission highlighted an even greater need for a "reliable cyber ecosystem," according to the updated report.
"We're going to see a non-[COVID-19]-related expansion of working from home," said King. IoT security, as remote employees lean on their home computers and routers, needs more scrutiny.
Given the current climate, the commission acknowledges business obligations might be focused elsewhere. The IoT security standard is voluntary, though commonplace in basic enterprise security strategies. "It's a matter of informing consumers," said King.
One exception to the voluntary nature of the recommendations is how funds allocated to state and local governments are used, said Mark Montgomery, executive director of the commission, during the call. One of the recommendations addresses the push toward digital services and the stimulus grants associated with the upgrades for state, local, tribal and territorial (SLTT) governments.
The original report suggested establishing a National Cybersecurity Assistance Fund where grants provided to local entities should require 10% matching funds in the first year of enactment. The funds then increase 10% yearly, until meeting 50% matching "every year thereafter to minimize moral hazard."
The original report also proposed incentivizing qualifying SLTT governments with tax breaks to adopt cloud-based services "as determined by the certified secure assessment," according to the report. Migration to digitized services depends on an assessment of market availability and affordability, to which Congress, the Department of Commerce, the Small Business Administration and the Department of Homeland Security would contribute.
"We really did push for market forces," said Montgomery. The commission wants recipients of grant money to ensure a percentage of the funds will be dedicated to security.
The commission views the market as the most effective way to transform the U.S.'s cyber landscape. The commission continues to set out to answer two questions:
- Why isn't the market doing all that it could to drive greater cybersecurity?
- What can the government do to make that market more effective?
The commission was designed to give Congress structure, to "make it easy for our colleagues," King said in March. King acknowledged that the U.S. can't solve cyber problems until it identifies them.
With the additional recommendations, the U.S. could reposition itself to better anticipate and therefore mitigate substantial cyberthreats, according to the commission. The new recommendations are intended to strengthen the U.S. capacity to identify misinformation campaigns, said Montgomery, which could otherwise complicate current crises further.
The upgraded recommendations bolster existing ones that "weren't as strong, frankly," as the original ones, he said.