The COVID-19 pandemic spurs the Cyberspace Solarium Commission policy initiative to issue a set of four security recommendations for the federal government in the wake of the crisis.

The Cyberspace Solarium Commission is a unique policy initiative created in 2019 to cut through the complexity of the vast and dense cybersecurity challenges facing the country. It is composed of lawmakers and government officials from across several agencies who, working with outside experts, are devising “a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.” The high-profile focal point group came out this spring with an ambitious report that offered 75 recommendations to keep the country safe from digital threats.

Last week, the commission took its prerogative one step further. It came out with its first white paper, Lessons from the Pandemic, a timely document articulating the changes the COVID-19 crisis creates for cybersecurity. The pandemic “illustrates the challenges of ensuring resilience and continuity in a connected world,” co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) wrote in their executive summary of the white paper.

The white paper contains observations about the parallel connections between cybersecurity and the pandemic.
It stresses 32 of the commission’s original recommendations, which King and Gallagher said have attained “renewed importance” in light of the coronavirus crisis.

The white paper also contains four new recommendations, including the need to:

- Pass an internet of things (IoT) security law
- Provide significant support for non-profits that assist law enforcement’s cybercrime and victim support efforts
- Establish a social media data and threat analysis center
- Increase non-governmental capacity to identify and counter foreign disinformation and influence campaigns

Remote work drives need for IoT security

In terms of how the pandemic has altered cybersecurity, “there has been a massive shift to move to remote work, forcing companies to rely on in-home consumer electronics as their employees log in from home,” the report noted. It is this radical shift to working from home that drives the new Solarium Commission recommendation to pass an IoT security law. The law should focus on known challenges, such as insecurity in Wi-Fi routers, and mandate that the devices have reasonable security measures as determined by NIST guidelines.

Increased online fraud makes people feel less secure

Another nexus between the COVID crisis and cybersecurity, and the one that spurs the second new recommendation, is the rise in online fraud and scams during the pandemic. “Cyber threat actors’ flagrant conduct during this pandemic reveals that while their tactics and targets have not dramatically changed, they are able to take greater advantage of increasingly vulnerable businesses, governments, and individuals to steal information, defraud their targets, and make Americans feel insecure online,” the report states. As a consequence, non-profits that help law enforcement deal with cybercrime and victim support should receive more support, the Solarium Commission says.
Because these often-helpful organizations frequently face financial challenges, “the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.”

Disinformation a growing threat

The third and fourth new recommendations spelled out in the pandemic white paper flow from “the imperative that the United States possess the capacity to identify highly dangerous disinformation activities and make them known both to the platforms that enable the activities and to the general public.”

To that end, the commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC) to counter foreign influence operations against the United States. The report also recommends that the Department of Justice, in consultation with DHS and the National Science Foundation, provide grants to non-profit centers “seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them.”

Speed and agility needed to counter threats

The speed with which the Solarium Commission developed a new view of cybersecurity challenges based on the changes sparked by the virus underscores its value, according to Casey Ellis, CEO and founder of bug bounty company BugCrowd, who advises a number of the commission’s members. “It really is an advisory committee…that allows agility and allows speed,” he tells CSO.

“In terms of responsiveness to the pandemic, it became very obvious to people who work in cyber risk that COVID was going to change a lot of things from a risk management and risk assessment standpoint,” Ellis says. “Patterns of human behavior have changed; patterns of communications have changed. Speed is the traditional enemy of security.
The fact that we had to do all this so suddenly implies there are going to have to be decisions made in a hurry that might have negative security impacts to them. All that adds up to a whole lot of momentum in the Solarium group to basically speak to those changes.”

Speed and agility are likely critical to addressing cybersecurity challenges emerging from America’s latest major crisis, the national reckoning over racism following the death of George Floyd. “The thing that COVID did was change the attack surface. I think the thing that the unrest has done over the past two weeks is kind of retrigger a rethink on who the attackers might be,” Ellis says. “There are people in the Solarium working on the problem space. I would suspect you would see another follow up along these same lines very promptly.”

Jonathan Reiber, senior director, cybersecurity strategy and policy at enterprise security company AttackIQ, is a big proponent of the Solarium Commission’s recommendations. But Reiber, who has also served as the Department of Defense’s CSO for Cyber Policy and has advised the Commission, warns that the economic crisis precipitated by the pandemic won’t leave enough government resources to tackle the commission’s many recommendations. “We’re now going to head into a period of severe budgetary drawdowns for a significant period. The government won’t feel it for about eight months or so,” he tells CSO. “So, rather than try to achieve everything in the recommendations, they need to focus on a few.”

One top priority should be to increase public-private partnerships, Reiber recommended. “Public-private partnerships can enhance visibility to counter and blunt incoming attacks and do it at no cost to the government.”

Another critical priority in Reiber’s view is to promote key leaders within the government to manage high-impact projects. “In the white paper, they talk about expanding the Cybersecurity Infrastructure and Security Agency [CISA] under DHS.
That agency is really important, but I think that promoting and enabling an expert within the White House to serve as a national cybersecurity coordinator, I would definitely propose that right now.”

For now, Congress is beginning to mark up the fiscal 2021 National Defense Authorization Act (NDAA), which will likely contain some of the many recommendations put forth by the Solarium Commission. However, it’s unclear which proposals will make the cut. The full Senate Armed Services Committee markup is slated for Wednesday, and the House is expected to take up the 2021 NDAA later this month.