The worlds of biological and digital germs have converged. That is, the coronavirus pandemic has caused a fresh round of cybersecurity threats. The germ is also a test of national resilience that parallels the potential for disruption from cyberspace. That’s why the congressionally chartered Cyberspace Solarium Commission recently published what it calls an appendix to its March report in light of the pandemic. For highlights, Federal Drive with Tom Temin turned to the Commission co-chairman, Maine Sen. Angus King (I).
Tom Temin: Senator King, good to have you back.
Angus King: Tom, great to be with you. (Jokingly) And you stated the whole program in your question. I think you covered it pretty well there.
Tom Temin: Well, I think you can probably get us some more detail here, though. And this appendix draws some parallels here. And what sparked this and what should people take away from the appendix?
Angus King: Well, the first thing that sparked it was a realization that the pandemic had spawned a new round of cyber attacks, that there was disinformation, there was hacking, that this had illustrated a vulnerability — and as we got deeper into it, we realized that there’s some important lessons to be learned here. Number one, we’ve gone to a world of work from home. And through the last three or four months, we’ve had millions, literally millions of people working from home in all kinds of businesses and industries across the country, which has created, if you stop and think about it, a whole new what we call target space for adversaries. In other words, a whole bunch of new places to attack. Home routers, for example, have become a target of opportunity. So that in itself has sort of alerted us to this broad spectrum of possible attacks. A couple of things that we learned from the pandemic that are parallels to our original report — one is the necessity of some kind of planning and preparation in advance, and particularly planning for continuity of the economy: how do you cope with a nationwide catastrophe of some kind? I mean, we’ve seen what the pandemic has done to our economy. And it could have been a cyber attack that took down the electric grid or the telecommunications or finance. I mean, the threat is still there. And we thought this was an important moment to pause and say, okay, what do we learn from this terrible experience we’re going through?
Tom Temin: And interestingly, one of the things in the appendix says the need to digitize critical services, which is something that I think the administration, successive administrations, have talked about and tried to do. And just as an aside, there’s a proposal for a lot of money for IT modernization of the federal government. Do you think this mitigates in favor of some of that spending?
Angus King: I do, and this is something as you know, there’s been this sort of ongoing drama of new IT for the FBI, for various agencies, OPM. And we just got to do that. I mean, in some areas, the federal government is in the 90s in terms of its IT capacity. Digitization and moving things to the cloud are protective, if done right, and if done in a secure way. I have a son that I talk about these things with quite often. And he said, dad, why do you want to move everything to the cloud? Then all they got to do is hack one place. And that’s a reasonable point. On the other hand, if we have a secure cloud, that’s better than millions of insecure places where every business in America can be hacked. So one of our major recommendations is upgrading the security of the cloud and certification. The other thing we’ve talked about is the security of the Internet of Things. If everything in your house is connected and your car and your microwave and your refrigerator and of course your television — if they’re all connected they again are points of possible attack. And what we’re recommending is the creation of a voluntary labeling program like UL. We buy a lamp and it says UL and you have some assurance it has been tested and it’s not going to burn your house down. We’re talking about a kind of UL label for devices in terms of their cybersecurity.
Tom Temin: Because there is also in the military, the Cybersecurity Maturity Model Certification program going on just for the supply chain of DoD, it seems like there might be lessons learned there so far, that could apply everywhere.
Angus King: Absolutely. And the other thing we’ve learned in the pandemic is from the old song, the knee bone is connected to the thigh bone. Everything is connected. And the supply chain is really critical and we don’t really think about it. My nightmare is somebody in China pushes a button and all the bolts fall out of the transmissions in every military vehicle in the world. I mean, we’ve got to be thinking about supply chain and security of supply chain. And you know, that brings us back to Huawei and those other kinds of issues. But it’s really caused us to stop and think about how everything is connected, that when we shut down one business or industry for the pandemic, it ripples through the entire society.
Tom Temin: And you also have some management recommendations about leadership coordination processes, executive branch leadership, and so on in this latest appendix. What are some of the top line ideas for making sure we are psychically, and I guess intellectually and organizationally prepared, not just technically?
Angus King: Well, organizationally is really crucial. As you know, one of our major recommendations in the original report, which is reiterated here is the need for a National Cyber Director, somebody in charge. Right now we have great people at the Department of Homeland Security, NSA, FBI, CIA, TSA, all over the government. We have pieces of this responsibility, but nobody’s in charge. There’s nobody that oversees and has some input into the budgets of all the departments. There’s nobody that can hold the various agencies accountable. And what we’re suggesting is a National Cyber Director in the Executive Office of the President, appointed by the president, confirmed by the Senate. And my sort of homely approach to this is when I was in business, I always look for one throat to choke. I want somebody who’s accountable, who I can go to and say, you’re in charge here, rather than everybody saying, well that wasn’t my responsibility. And the administration is resisting this proposal, but I contend that this is a favor to the president because it gives he or she not just this president, but any president in the future, a place that they can go to hold somebody accountable and to execute orders rather than having them fall between the silos scattered throughout the federal government.
Tom Temin: (Jokingly) Yeah, you put it tougher than the military; they call it a belly button to push. But then that gets to the idea of the federal cybersecurity workforce. And that’s a recommendation in the appendix and also in the original report.
Angus King: We really have to step up this part of the job. We’ve got, I think there’s something like 35,000 empty IT jobs in the federal government right now. And we have a number of suggestions. One is a kind of ROTC for IT, for cybersecurity, where there’ll be college scholarships in exchange for a commitment to serve the country. And it doesn’t have to be in the military. It could be anywhere across the federal government. And I think that’s really important. And people often ask me, you know, why would somebody go to work for the federal government in IT when they could make so much more money in the private sector? And the answer is from talking to people at NSA and CISA and the other agencies — there is something attractive about national service. There’s something important about serving your country. And it may be for a period of years, short period of years, and then you come back. So we’re trying to press all those buttons to be sure that we have the kind of workforce that we need because you can’t solve problems with empty seats.
Tom Temin: And let me ask you about a parallel effort at FEMA. They have put out all kinds of guidance in recent weeks to local authorities in trying to get them better prepared to deal with a possible weather emergency, because we are in hurricane season and it’s predicted to be maybe a little worse than normal, in the age of pandemic. So you have emergency response and pandemic — here we’re talking about cybersecurity and pandemic. Is there a grand architecture to all of this, all of these threats, in some manner that could be built into the way the government thinks about and plans for disaster?
Angus King: The key word is plan. And having the structure in place before the crisis hits. I mean, let me tell you a quick story. When I was first elected governor of Maine I toured various state offices. And one of the offices I walked into, there were a bunch of people sitting around with maps and charts and directories and computer screens with storm tracks on them. And I said, what’s this? Who’s this? This is MEMA, governor, the Maine Emergency Management Agency; they’re preparing for a crisis. And I was in a cutting of government mode at that point. And I said to myself, well, here’s the 35 or 40 or 50 jobs we can cut. And they talked me out of it and I was damn glad they did because lo and behold, a couple of years later, we had a huge ice storm in Maine. 600,000 people lost power and MEMA was critical, and the fact that they had done the planning and knew where the cots were and knew how to get food service to shelters and had a network of people in every county really made a huge difference and I’m sure saved lives. So I really learned a lesson from that, that planning in a situation like this is simply buying insurance. And that’s what we really need to be thinking about. We need to have the structure built, as I mentioned, but we also need to plan on continuity of the economy. If there’s a cyberattack that takes down the electric grid in the northeast, what do we do? How do we think through getting power, for example, to the financial sector in New York? And we need some people with vivid imagination saying, well, if I were an adversary, here’s what I would do. And then we have to figure out how to counter it. So planning and preparation and structure is really important. One of my favorite sayings is structure is policy. If you have a messy, uncoordinated, disorganized structure, you’re going to have messy, uncoordinated, disorganized policy. It’s just as simple as that.
So all of the pieces, having the structure, having the planning, having the thinking of the unthinkable and then thinking about solutions and how are we gonna solve this, can make a huge difference, rather than just ad hocing it, trying to deal with a serious problem on the fly without those elements in place.
Tom Temin: (Jokingly) Yeah, I guess when the first stay at home orders started coming out, my response was first the liquor store for a bottle of gin, then to the bank to get some cash to hide in the house. I’ll have to do better the next time based on what you said.
Angus King: Don’t forget toilet paper. You swung by for toilet paper and paper towels.
Tom Temin: Alright, you got me on that one. Maine Sen. Angus King is co-chairman, along with Wisconsin Representative Mike Gallagher, of the Cyberspace Solarium Commission. Thanks so much for joining me.
Angus King: Great to be with you. Good to discuss these things. And I think we’re on the right track. We’ve made some serious and important recommendations. And I have to tell you, this commission was totally non-partisan. I mean, we had four members of Congress, of course, we knew who their parties were, or in my case, no party, but the other members of the Commission, the other 12 members, I haven’t the faintest idea what their political affiliation was. And that was the way it should be. We had great discussions, talked about the issues, there was no sense of political ramifications. We’re just trying to do something for the country. I think we’re on a track to provide some positive help. So thanks for the time and let’s keep in touch.