The Cyberspace Solarium Commission on What the Pandemic Teaches Cybersecurity

In unfortunate timing, the Cyberspace Solarium Commission released its report on March 11, just as the COVID-19 pandemic began to transform the context for every policy area. In the report, the commission argued that “layered cyber deterrence” should define U.S. cybersecurity strategy. In building the argument, the report identified cyber vulnerabilities that public health systems and health-care services share with other critical infrastructure sectors and private sector activities. On June 2, the commission issued a white paper analyzing the cybersecurity challenges that the pandemic has generated and what the pandemic teaches about preventing, preparing for, and responding to a serious, disruptive cybersecurity event.

According to the commission, the pandemic exposed cybersecurity problems arising from the:

• Inadequate modernization and digitization of governmental and private-sector information technologies that left too much reliant on stressed, insecure legacy systems;
• Increased vulnerabilities from “an easier and larger target and attack surface” caused by remote government and business operations necessitated by social distancing; and
• Intensified cybercrime against “vulnerable businesses, governments, and individuals.”

As the white paper noted, these pandemic-related problems reinforce recommendations in the commission’s report, such as expanding the use of secure cloud services, increasing the security of cyber technologies and services, and strengthening the FBI’s cybercrime capabilities. However, the pandemic’s impact prompted the commission to recommend that Congress (1) adopt a law to ensure that manufacturers of internet-of-things devices “build basic security measures into the products they sell;” and (2) provide funds to help cyber-focused, non-profit organizations collaborate with law enforcement agencies in combatting cybercrime and providing services to victims.

In terms of what the pandemic teaches the United States about preventing, preparing for, and responding to a major cybersecurity incident, the white paper identified issues addressed in the commission’s report, including the need for federal crisis leadership and coordination, preparedness for crises, prevention and mitigation capabilities, funding and authorities for government response and recovery operations, and countermeasures against disinformation. The white paper included two new recommendations about the disinformation challenge: (1) establish the Social Media Data and Threat Analysis Center authorized in the FY2020 National Defense Authorization Act; and (2) increase “nongovernmental capacity to identify and counter foreign disinformation and influence campaigns.”

The white paper did not address the widespread interest in using digital technologies, such as smartphones, to implement public health measures against the pandemic, such as surveillance, case tracking, and contact tracing. This development has raised national and international concerns about the security and the privacy implications of government use of collected data. In its report, the commission identified the importance of privacy and data security—and the interdependence between these two objectives. Given the commission’s emphasis on privacy and data security in building a new cybersecurity strategy, why the white paper did not connect the pandemic’s agitation of worries about these issues with the report’s analysis and recommendations is unclear.

Like the report, the white paper emphasized the need to strengthen norms of responsible state behavior in cyberspace. The commission identified the problem experienced during the pandemic of “state-sponsored hacking operations against U.S. health-care infrastructure, including against institutions that are conducting research into COVID-19 vaccines and treatments.” However, the white paper contained no recommendations on strengthening cyber norms specifically against malicious state-sponsored cyber activities that target health capabilities. Thus, the commission did not add its voice to efforts to advance cyber norms in the context of health, such as the pandemic-stimulated work of the UN Open-Ended Working Group and the Oxford Statement on the International Law Protections against Cyber Operations Targeting the Health-Care Sector.

In the white paper, the commission described the pandemic as a “call to action,” “wake-up call,” and “warning shot” for U.S. cybersecurity to develop needed “disaster prevention, crisis preparedness, and incident response” capabilities. However, prior efforts to ring alarm bells have largely fallen on deaf ears. The white paper acknowledged the previous times “experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis.” The commission’s report itself constituted another “urgent call to action” because, for over two decades, state and non-state actors “have used cyberspace to subvert American power, American security, and the American way of life.” In this sense, cybersecurity mirrors how the pandemic exposed twenty years of failure to learn the lessons from past outbreaks, indicating that, as Herb Lin argued, “the history of cybersecurity suggests its own lessons for dealing with pandemics.”

The adage about never missing the chance to turn a crisis into opportunity has merit, and the pandemic has been a fertile emergency for renewed attention on all manner of policy needs. However, the pandemic has also been a disaster for developing the political consensus needed to sustain transformative policy efforts on dangers that the country faces. How to turn the pandemic into a tipping point for cybersecurity is unclear when the prevailing political logic in the United States never misses the opportunity to turn a crisis into ever more crises.