In early June, we saw the release of interesting white paper that offers commentary on the parallels between pandemics and cyberattacks. The piece also lists out pages worth of lessons that the federal government should be taking away from the COVID-19 pandemic and applying to cybersecurity policy at all levels of government. The aptly titled Cybersecurity Lessons from the Pandemic white paper was released by the Cyberspace Solarium Commission, a bipartisan council established in 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” It combines five new recommendations with thirty of the over eighty recommendations from the Commission’s March 2020 report to the federal government on implementing a strategy of layered cyber deterrence. It’s a long read, but contains suggestions that, if implemented effectively, could drastically improve the cyber posture of our nation.
In the white paper, the Commission brings up the observation that the cascading impacts of the COVID-19 pandemic have highlighted the challenge of maintaining resiliency and continuity of operations in a world as connected as the one we live in. They make the case that our nation’s systems and infrastructure need to be more resilient in the face of hardship, and that the way to take that from a need to a reality is through planning ahead and implementing the appropriate strategies, entities, and processes. While these observations are easy to understand in the context of the COVID-19 pandemic, the Commission suggests that we view them both on a broader scale and in the slightly different context of cybersecurity by drawing some key parallels.
- Both a pandemic and a cyber attack can occur on a global scale, requiring those affected to simultaneously manage the spread internally and across borders.
- Both events require a whole-spectrum response, meaning every element of the affected government or organization must play a part.
- Both can challenge existing response plans and expose glaring weaknesses where they were not previously obvious.
- Vaccines or therapies are needed to address the root cause of a pandemic. Patches, bug fixes, or security policy changes are needed to address the vulnerabilities behind major cyber attacks. In both situations, those solutions can take while to create when they are not immediately available, and often require rapid responses that call for collaboration between the government and private sector.
- The final parallel is one that rings particularly true. Strategies based on prevention and pre-established relationships work far better than those focused on mere detection and response.
The white paper goes on to list out the thirty-five recommendations that Cyberspace Solarium Commission mapped to the prevention and preparedness-based strategy that they would like to see our government implement. These suggestions are broken into two major sections. The first highlights the cybersecurity challenges that we have faced during the COVID-19 pandemic and primarily focuses on a call for the digitization of critical government services, a push for a more secure and reliable cyber ecosystem, and the need to counter opportunistic cyber crime. The second covers how the U.S. should prepare for disruptions of this scale on a cyber front in the contexts of leadership and coordination processes, preparedness, prevention and mitigation, response and recovery, and countering disinformation. We’ve listed all of the recommendations below. To read the full descriptions of each, view the full white paper on the Cyberspace Solarium Commision’s website.
Section I: Cybersecurity Challenges During a Pandemic
- Digitization of Critical Services
- Incentivize the Uptake of Secure Cloud Services for Small and Medium-Sized Businesses and State, Local, Tribal, and Territorial Governments
- The Work-From-Home Economy
- Pass an Internet of Things Security Law
- Establish and Fund a National Cybersecurity Certification and Labeling Authority
- Establish Liability for Final Goods Assemblers
- Develop a Strategy to Secure Foundational Internet Protocols and Email
- The Need to Combat Opportunistic Cybercrime
- Strengthen the FBI’s Cyber Mission and the National Cyber Investigative Joint Task
- Support Nonprofits That Assist Law Enforcement’s Cybercrime and Victim Support Efforts
Section II: What a Pandemic Can Teach the United States About How to Prepare for a Major Cyber Disruption
- Leadership and Coordination Processes
- Executive Branch Leadership and Coordination
- Establish a National Cyber Director
- Strengthen the Cybersecurity and Infrastructure Security Agency
- Planning for Continuity of the Economy
- Develop and Maintain Continuity of the Economy Planning
- Quick, Effective, and Coordinated Government Responses
- Establish a Joint Cyber Planning Cell under the Cybersecurity and Infrastructure Security Agency
- Improve and Expand Planning Capacity and Readiness for Cyber Incident Response and Recovery Efforts
- International Coordination
- Create a Cyber Bureau and Assistant Secretary at the U.S. Department of State
- Strengthen Norms of Responsible State Behavior in Cyberspace
- Improve Cyber Capacity Building and Consolidate the Funding of Cyber Foreign Assistance
- Executive Branch Leadership and Coordination
- Preparedness
- Availability and Security of Critical Resources
- Develop and Implement an Information and Communications Technology Industrial Base Strategy
- Designate Responsibilities for Cybersecurity Services under the Defense Production Act
- A Robust Federal Cybersecurity Workforce
- Diversify and Strengthen the Federal Cybersecurity Workforce
- Voter Safety and Secure, Credible Voting
- Improve the Structure and Enhance Funding of the Election Assistance Commission
- Availability and Security of Critical Resources
- Prevention and Mitigation
- Sustained National Risk Assessment and Management
- Codify Sector-specific Agencies into Law as “Sector Risk Management Agencies” and Strengthen Their Ability to Manage Critical Infrastructure Risk
- Establish a Five-Year National Risk Management Cycle Culminating in a Critical Infrastructure Resilience Strategy
- Establish a National Cybersecurity Assistance Fund to Ensure Consistent and Timely Funding for Initiatives That Underpin National Resilience
- The Critical Need for Data
- Improve Attribution Analysis and the Attribution-Decision Rubric
- Establish a Bureau of Cyber Statistics
- Establish a Public-Private Partnership on Modeling Risk
- Establish and Fund a Joint Collaborative Environment for Sharing and Fusing Threat Information
- Sustained National Risk Assessment and Management
- Response and Recovery
- Government Capacity to Respond to Crises
- Codify a “Cyber State of Distress” Tied to a “Cyber Response and Recovery Fund”
- Clarify the Cyber Capabilities and Strengthen the Interoperability of the National Guard
- Assess the Establishment of a Military Cyber Reserve
- Government Capacity to Respond to Crises
- Countering Disinformation
- Creating Societal Resilience to Disinformation
- Build Societal Resilience to Foreign Malign Cyber-Enabled Information Operations
- Identifying and Countering Disinformation
- Establish the Social Media Data and Threat Analysis Center
- Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns
- Creating Societal Resilience to Disinformation
If you or your company would like to learn more about the parallels between pandemics and cyberattacks, please do not hesitate to reach out to Mission Multiplier. We are here to help, especially as we all adjust to the many changes that our business environment has seen in response to recent events.
