Widespread disruption to critical infrastructure. Fundamental shifts in the way we live our lives. Growing uncertainty about the stability of the U.S. economy. At the start of the year, if you asked national security professionals what they thought the most likely cause of a crisis fitting that description would be, many would have answered “cyber.” As the coronavirus pandemic has unfolded over the intervening months, the United States has experienced a significant trauma, prompting a national conversation about disaster prevention, as well as crisis preparedness and response. While the new coronavirus is the root cause of today’s crisis, a catastrophic cyber incident could be the cause of the next.
That was the kind of calamity envisioned by Senator Ben Sasse (R-NE) and other members of Congress when they authorized the bipartisan Cyberspace Solarium Commission in August 2018. Fashioned after Dwight Eisenhower’s “Project Solarium” to develop a strategic approach to counter the Soviet Union, the Cyberspace Solarium Commission was authorized by the Fiscal Year 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States… against cyber attacks of significant consequences.”
The commission, where we serve as executive director and director of research and analysis, respectively, spent a year crafting a strategy to ensure the United States is optimally positioned to both prevent a catastrophic cyber incident and withstand, respond, and recover from one, should it happen. The U.S. Senate Committee on Homeland Security and Governmental Affairs is scheduled to hold the first of a series of hearings tomorrow on the resulting report, with testimony from co-chairs Senator Angus S. King Jr. (I-ME) and Representative Michael “Mike” J. Gallagher (R-WI) and other commission members.
While different in some ways, the parallels between the current pandemic-induced crisis and a major cyber event mean that the coronavirus pandemic provides a useful test case for many of our recommendations concerning resilience and the need for improved public-private collaboration in the defense of our critical infrastructure. In addition, the novel circumstances posed to Americans by the imperative of social distancing have highlighted new cybersecurity challenges in some cases and increased the urgency of implementing solutions in others.
Comparing COVID-19 and a Catastrophic Cyber Incident
It almost goes without saying, but we cannot, as a nation, deter a pandemic in the traditional, Cold War deterrence sense. Where a cyber crisis is most likely to result from the intentional actions of a strategic actor, which theoretically could be deterred, a pandemic is an act of nature. It possesses neither emotion nor infrastructure. In other words, the coronavirus can neither be signaled to, nor can we impose costs on the virus in the hope that it relents.
Still, the current crisis does share many clear similarities with a significant cyber event. Like the pandemic, cyber incidents are often global in nature, requiring nations to both manage consequences at home while engaging internationally with partners and even adversaries. Like the pandemic, a catastrophic cyber incident would require a whole-of-nation response to manage economic consequences that cross sectors and state lines. And finally, like the pandemic, prevention of a catastrophic cyber incident is likely to prove far more cost effective than responding to one.
The commission’s March 2020 report introduces a cyber deterrence strategy that consists of three layers: shaping behavior, denying benefits, and imposing cost. The virus, unlike cyber, lacks behavior to shape, and cost imposition is equally unrealistic as a strategy to manage an outbreak. However, the logic of denying benefits — essentially bolstering our defenses, building more resilience, and diminishing our vulnerabilities — is relevant in both the cyber and pandemic contexts.
Like an adversary in cyberspace, the disease seeks to infect and affect as much of our population as possible, resulting in maximum disruption of our daily lives, our economy, and our system of governance. The U.S. response to the coronavirus pandemic can therefore yield important insights and lessons to inform our readiness as a nation to respond to a similar cyber crisis.
Lessons from the COVID-19 Crisis for Cybersecurity
The pandemic has put U.S. crisis leadership, preparedness, and response to the test. The mammoth federal and state government efforts have highlighted several key themes for major crisis responses that are equally valuable and worth extrapolating to the context of a cyber crisis. If we don’t heed these lessons now, we will be caught flat-footed when a cybersecurity crisis hits. If we invest in meaningful changes to the way we approach cybersecurity now, before a disaster hits, the United States will be in a much better position to withstand and come back from a catastrophe stronger than ever.
Here we outline six key lessons that cybersecurity policymakers and practitioners can glean from the ongoing COVID-19 crisis and recommendations for actions to ensure that the United States will be better prepared to deal with a cybersecurity crisis when it arises.
Lesson #1 – National leadership and coordination are crucial. The important roles played by Dr. Anthony Fauci and the Centers for Disease Control and Prevention underscore the importance of expert national leadership and coordination. While not always on display so publicly, the United States must maintain crisis-management teams and subject-matter experts empowered to coordinate, plan, and prepare for a multitude of crises. Given the integrated nature and bureaucratic overlap of cybersecurity as an issue, this leadership and coordination role must be done at the highest levels — preferably within the White House. The CSC recommended this take the form of a National Cyber Director, an individual who would act as the president’s principal advisor on cybersecurity issues on an ongoing basis; lead interagency and public-private coordination, planning and exercising; and serve as the nation’s chief representative and spokesperson for cybersecurity issues and crisis management. Someone needs to lead this effort long before the United States even knows it is in a crisis.
While central leadership and coordination is crucial, it does not replace the need for strong lead agencies. In the context of a pandemic, the Department of Health and Human Services (of which Dr. Fauci’s Institute of Allergy and Infectious Diseases is a part) and the CDC serve this function. In cybersecurity, the burden falls on the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). CISA has the mission of ensuring the security and resilience of critical infrastructure and is intended to serve as the lynchpin for national cybersecurity efforts.
While CISA has worked hard to fulfill this mission in recent years through the National Risk Management Center and the National Critical Functions work, it lacks adequate resources and authorities to carry out the mission to its fullest. This must change. The CISA Director position should be elevated and strengthened, commensurate with the importance of the job. CISA’s program and support resources, as well as its overall budget, should be expanded to allow the agency to build greater analytic capability and support more and better collaboration between the public and private sectors. Finally, and perhaps most importantly, the agency should be formally recognized as the primary federal agency tasked with assessing and managing risk and resourced commensurately.
Lesson #2 – We need better data and risk assessment. The potential importance of CISA’s risk-management work leads naturally to the second major lesson. The pandemic response has exposed the systematic U.S. underinvestment in resources that were needed to prevent a crisis or mitigate the consequences. What we are experiencing today are the repercussions of decades-long underinvestment in disease control. The same underinvestment is also readily apparent in cybersecurity.
But simply throwing money at the problem does not make it go away.
In both cases, effectively mitigating risk requires a base understanding of who might be affected, the most likely vector through which they will be affected, and the most effective prevention and mitigation measures. In a pandemic, this means understanding how the disease spreads and whether interventions like masks, medicine, or social distancing are the best mitigation measures.
In the context of cyber risk, this means understanding what critical entities are most likely to be targeted for disruption, the vulnerabilities they have, and the consequences — both immediate and downstream — should they be disrupted. Understanding these factors helps inform policymakers’ decisions about where to direct financial and human resources and what guidance to issue to the public. These risk-mitigation investments and risk assessments must be persistent and integrated with one another. And good risk assessment relies on good data.
In cyber, risk assessment and mitigation are made more complicated when you consider that the government does not own the critical infrastructure we aspire to protect. The U.S. government must therefore build stronger institutions to identify and collect relevant data and conduct robust assessments of threats to critical functions, the vulnerabilities of our critical infrastructure, and the consequences of their disruption.
This will go well beyond strengthening CISA, as the U.S. government must also codify and strengthen support to specific critical infrastructure sectors of the economy. Today, this kind of support exists in the form of sector-specific agencies (SSAs), such as the Department of Energy and the Department of the Treasury. However, significant disparities exist among these agencies; whereas some, like the Energy and Treasury departments, have strong relationships with their sector and provide real services and an interface for key stakeholders, others do not.
To ensure a more consistent effort across sectors and more reliable support from the federal government during a crisis — whether a pandemic or a cyber crisis — Congress should codify SSAs in law as sector risk management agencies (SRMAs). Such a measure should outline baseline expectations for these agencies and provide the required resources. Among the expectations of SRMAs should be participation in a national risk management cycle and the creation of a National Critical Infrastructure Resilience Strategy. Through this five-year cycle, CISA and the SRMAs would identify and assess national risk, highlighting key priorities for investments in risk mitigation and resilience. To facilitate this iterative and continual investment, Congress should consider establishing a National Cybersecurity Assistance Fund, which would be directed by CISA and directed toward projects and programs where there is a clearly defined critical risk that market forces do not provide sufficient incentive for the private sector to mitigate on its own.
In addition to improving the federal government’s own understanding of risk, more must be done to furnish the private sector, researchers, and the general public with data to multiply assessment and mitigation efforts. In other more mature policy areas, the United States has established statistical bureaus to help gather and disseminate data for use by both public policymakers and private-sector decision makers.
The United States needs something commensurate for cyber in the form of a Bureau of Cyber Statistics. In addition to efforts run out of national labs and sector risk management agencies, this bureau could be furnished with data collected by SRMAs and surveys, and become a hub in efforts to share data with nongovernmental researchers.
Lesson #3 – We need to build resilience into our economy. The shocks to the economy –particularly to national production, distribution, and logistics — caused by the coronavirus outbreak call attention to the complexity and interconnectedness of our economy and supply chains. Both are potential points of fragility. While the commission approached this issue from the perspective of a cyber disruption, the economic disruption from the coronavirus underscores the importance of ensuring the United States has plans in place to ensure timely and effective coordination of responses to major disruptions and incidents. To do so, the federal government must develop a “Continuity of the Economy” plan, taking into account the state, local, and private-sector equities.
A Continuity of the Economy plan must ensure that the U.S. government can maintain coordinated action with key parts of the economy in times of crisis. As the pandemic has demonstrated, disruptions of key companies and functions have downstream effects that can limit the ability of the United States to manage consequences of the crisis itself. In the context of the pandemic, this has meant scrambling to redirect production towards medical supplies. In the context of a massive cyber disruption, it may mean ensuring the availability of the right high-tech equipment to reconstitute key networks and processes.
Currently, a good deal of our high-tech supply chain relies on potentially unreliable vendors and producers in adversary countries like China. To ensure that we have access to the critical resources we need in a time of crisis, the United States must identify these critical supply chain dependencies and consider strategic, direct investment to incubate more trusted suppliers.
Lesson #4 – Special authorities are crucial for enabling an early government response. The authorities activated in response to the coronavirus outbreak demonstrate the expansive federal powers available to the government in an emergency and the importance of preplanning to ensure efficient execution. However, in cyber, not every major incident or set of incidents will reach the threshold of death and destruction to trigger a national emergency. This reality stresses the importance of ensuring that the U.S. government has the needed capacity and authorities to respond to cyber crises in their early stages, often before they rise to the level of a national emergency.
To ensure that the U.S. government is well-placed to intervene in the early stages of a cyber crisis, Congress should codify a “Cyber State of Distress” declaration tied to a standing response and recovery fund. A declaration of a “Cyber State of Distress” could be made by the president in response to, or anticipation of, a significant cyber incident. A “Cyber State of Distress” could be declared by the federal government only when a cyber incident exceeds or is expected to exceed the capacity of the federal government to aid the private sector and state, local, tribal, and territorial governments under existing authorities. The declaration would establish the Secretary of Homeland Security as the principal federal official responsible for coordinating incident response and recovery efforts. In order to enable DHS to call on capacities and capabilities across the federal government and in the states, the state of distress should unlock access to a designated fund that DHS may use to reimburse Department of Defense personnel activated under Defense Support to Civil Authorities.
Lesson #5 – Foreign influence operations are a broader challenge than just elections and campaigns. The COVID-19 crisis has underscored a point that experts have been making for several years: the challenge of foreign influence operations is not confined or restricted to the context of political campaigns and elections. China is pushing false narratives about the origin of the novel coronavirus – that the U.S. Army started the coronavirus epidemic, for example — to cloud the public’s understanding. Meanwhile, Russian and Iranian sources continually fabricate and exaggerate conspiracy theories about the pandemic, including claims that the virus was a biological weapon or a hoax. The prevalence of disinformation in the context of a crisis that is costing thousands of lives underscores the importance of building a populace that is resilient to attempts to cloud truth and fact and that has the tools to easily identify and understand disinformation.
While that means the U.S. government should invest more in educational initiatives on civics and digital literacy, which is likely the most effective long-term solution, the United States as a nation also needs more and better capability to help identify foreign influence operations and communicate them to the public. However, the U.S. government, like all democratic governments, must avoid becoming an arbiter of truth. Instead, the government can ensure strong non-governmental capacity to identify, expose, and explain foreign influence operations through funding and support to civil society efforts that identify and communicate foreign influence campaigns to the public, like the Alliance for Securing Democracy’s Hamilton 2.0 and the Atlantic Council’s Digital Forensic Research Laboratory.
Lesson #6 – The pandemic exposes unanticipated and underappreciated cybersecurity challenges. While perhaps the most prescient lessons from the COVID-19 crisis for cybersecurity policymakers pertain to our nation’s preparedness for a crisis, the circumstances forced on Americans by the pandemic has also revealed important cybersecurity challenges. More and more of our workforce has been thrust into remote working environments. We’ve seen a 40 percent increase in the volume of U.S. internet traffic. This stresses the security and reliability of the ecosystem as a whole. Critical government and private-sector services are wrestling with the imperative of sustaining their important offerings, while limiting person-to-person contact. With the general election set for this November, for example, election officials must balance voter health and safety with the need to ensure a secure, credible voting system.
Many of these new realities do not require novel approaches, but renewed focus and energy. The push to rapidly digitize underscores the continued importance of cloud services, but the market must also ensure that providers equip users with adequate information about the security of the services they provide. The increased reliance of our economy and day-to-day lives on our national cyber ecosystem necessitates renewed attention to the security of the software we use and the reliability of our networks. The newfound importance of in-home and consumer devices highlights the need to furnish consumers with satisfactory security information about their devices and the possible requirement to enforce higher standards for some internet-of-things devices such as routers through law.
The COVID-19 crisis is a watershed moment for the United States in many ways. It provides a live-fire exercise for our national-scale crisis response and recovery capabilities and exposes previously underappreciated challenges we face as a nation. Public policymakers in cybersecurity and other fields should use these trying times to learn as much as they can and develop solutions to problems before they become crises.