Congress Fights Back Against Cyberattacks
Cybersecurity has for years been a wonky, abstract concern to most Americans. No longer. The long gasoline lines and price spikes resulting from the Colonial Pipeline attack were a wake-up call, the moment cyber got real for millions. The ransomware attack disrupted one of the largest refined-gasoline pipelines in the U.S. for six days, and is part of a disturbing trend. Our adversaries no doubt are noting the economic and societal cost inflicted; the number of people directly or indirectly affected by a malicious cyberattack is only going to rise.
That is one of the many reasons we have worked for the past two years as co-chairmen of the Cyberspace Solarium Commission, a panel created by Congress and dedicated to writing a 21st-century “cyber doctrine” that better secures America from these threats. Our goal is to be the “9/11 commission” for cybersecurity before a catastrophic attack happens. Unlike many efforts out of Washington, our work has been productive. We are already crafting and passing legislation to ensure the U.S. government has the resources and tools to protect Americans.
This starts with the federal government improving its interactions with private industry—the companies and enterprises that comprise the overwhelming majority of our exposure to cyber threats. One priority is the identification, protection and defense of systemically important critical infrastructure. These are systems and assets like the electric grid, energy pipelines and the financial industry that, if targeted and exploited by adversaries or criminals, could lead to catastrophic consequences to national security, the U.S. economy and public health and safety.
A second commission priority is improving the shared situational awareness of cyber intrusions. The private economy owns and operates most of the country’s critical infrastructure, so collaboration is essential to preparation. To that end, the commission recommended the establishment of a Joint Collaborative Environment, a common, cloud-based environment that would allow for the increased sharing of cyber threat data between federal agencies and state and local governments and private industry. This “nerve center” approach would lead to greater detection and analysis of cyber threats that affect critical networks, whether public or private.
Third, the government needs to increase its capacity to respond to cyberattacks. As Vince Lombardi once said: It’s not whether you get knocked down. It’s whether you get back up. We want to make sure that critical infrastructure is resilient enough to weather a cyberattack and also get back up to 100% capacity swiftly. The commission recommended the codification of a “cyber state of distress,” a federal declaration that would trigger additional resources through a “cyber response fund,” not unlike what the U.S. now does in the case of natural disasters.
Such a declaration is designed primarily to assist the private sector and state and local governments beyond what is traditionally available in federal technical assistance and incident response. Federal leaders could invoke a cyber state of distress either in response to, or in preparation for, a significant incident.
Finally, Washington needs to protect Americans by bringing bad actors to justice and striking back against those who would do the U.S. harm, whether at home or abroad. This is why we recommend strengthening the military’s Cyber Mission Force and improving the government’s tools for conducting international law enforcement, imposing sanctions and engaging other states diplomatically. All these measures will help ensure that America has the appropriate military and nonmilitary capabilities.
When the 2021 National Defense Authorization Act became law last year, it included 25 of the commission’s recommendations. If these provisions were a stand-alone bill, it would have represented the most comprehensive piece of national cybersecurity legislation in the nation’s history. Some of the key provisions passed through the NDAA include the creation of the new national cyber director, codifying sector risk management agencies to assess and help secure critical infrastructure, and developing and maintaining continuity-of-the-economy planning to ensure the continued operation of key economic functions in the event of a serious cyber disruption.
These are only a portion of our more than 80 recommendations. As more of us have come to realize from the Colonial Pipeline attack, the cyber risks to our country are greater than ever. With the steps the commission has started to put into law, Washington can provide Americans with the resources, tools and assistance to withstand these threats, preserve our freedoms and continue the growth and prosperity of our country.