About 30 minutes into a virtual Senate hearing on revamping U.S. cyber policy, the Department of Homeland Security and the FBI sent an alert warning of Chinese hackers targeting health care institutions.
The joint alert from the FBI and DHS’ Cybersecurity and Infrastructure Security Agency said the bureau is investigating hacks by Chinese-backed actors stealing intellectual property and public health data related to vaccines and treatments for COVID-19. The statement also warned that “the potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”
Meanwhile, lawmakers on the Senate Homeland Security and Governmental Affairs Committee pressed members of the Cyberspace Solarium Commission on their 75 cyber policy recommendations. The commission’s aim was to improve U.S. cyber policy and the cybersecurity of America’s critical infrastructure, such as that related to health care or the electric grid.
“One of the things this pandemic has showed us is how vulnerable we are,” Sen. Angus King, I-Maine, said as a witness at the hearing. King serves as a co-chair on the Cyberspace Solarium Commission.
The commission report, released March 11, recommended a new, three-pronged U.S. cyber strategy dubbed “layered deterrence”: strengthening cyber defenses, establishing international norms and imposing costs.
The “imposing costs” piece has vexed policymakers from Capitol Hill to the executive branch, and the commission report doesn’t make specific recommendations for what that approach might look like. But one thing was clear to the commissioners: Costs must be imposed.
“If you come at us during a time of crisis, like the national pandemic, the response will be stronger," King said. “The penalties will be stronger.”
Establishing international norms, or acceptable behavior in cyberspace, is another important piece of the solarium strategy, King said.
Gathering the support of the international community is critical to establishing these acceptable behaviors. For example, in February, the U.S. State Department and more than a dozen other nations joined to attribute a cyberattack on the country of Georgia to the Russian military .
“A system of norms, based on international engagement and enforced through these instruments of power, helps secure American interests in cyberspace,” King wrote in a joint opening statement with his fellow commissioners.
New roles in the executive branch
Both the commission report and the hearing signaled growing support for increasing the authorities of the Cybersecurity and Infrastructure Security Agency, or CISA.
The alert about Chinese-backed hackers boosted the sense of urgency. Just before the hearing, Sen. Gary Peters, D-Mich., sent a letter to President Donald Trump urging him to direct CISA and U.S. Cyber Command to prioritize assisting hospitals and medical research organizations with their cybersecurity.
CISA is supposed to be the lead agency on a range of cybersecurity issues, including protecting federal networks, election security and critical infrastructure. However, outside of federal agencies, CISA lacks the authority to direct organizations on what actions to take.
The Cyberspace Solarium Commission’s report seeks to boost CISA’s authorities — a step supported by several members of Congress. Sens. Ron Johnson, R-Wis., and Maggie Hassan, D-N.H., have introduced legislation that would give CISA the authority to issue administrative subpoenas to compel internet service providers to turn over contact information of critical infrastructure operators that CISA identifies as running vulnerable systems.
Right now, DHS has the ability to scan the internet for known vulnerabilities, but the challenging part for CISA is what comes next.
“What we cannot do without a tremendous amount of effort, and sometimes not at all, is to identify who owns that system so that we can reach out to them and warn them,” said Suzanne Spaulding, a commissioner and former director of the National Protection and Programs Directorate, which was later renamed CISA.
Johnson, the chairman of the committee, said he wants the administrative subpoena bill inserted into the annual defense policy bill. For its part, the commission wants to place about 30 percent of its recommendations into the defense policy bill, including pushing for the inclusion of several cyber workforce recommendations it outlined in a May 4 letter to leaders of the congressional Armed Services committees.
Senators also asked the commissioners how they propose the federal government can help state and local governments across the country, particularly as they deal with constant outbreaks of ransomware attacks. In the commission report, it recommends creating a cyber state of distress — a declaration that would give states access to federal resources.
“The key there is it would trigger the ability of CISA particularly to use funds to tap into a response and recovery fund to scale up to go out and help these researchers, these facilities that are being attacked, hospitals, our health care providers,” Spaulding said, adding that states would also be able to get help from the intelligence community or the Defense Department.
Cyber issues across the government, the commissioners argued, also require coordination under a new position in the executive branch, which the commission called the national cyber director.
There is interest in Congress about identifying the role of a national cyber director. King said he received a letter from Sen. Mike Rounds, R-S.D., asking for more details about structure and authorities of the position.
“We need somebody at a very high level who can oversee, coordinate and work on the planning with all these different disparate parts of the federal government that are working on this,” King said. “I think that’s an absolutely critical need.”