with Tonya Riley

The lawmakers behind an ominous report about America’s lack of preparedness for a major cyberattack are hoping the coronavirus pandemic will boost their calls to overhaul the nation’s digital defenses. 

The Cyberspace Solarium Commission on March 11 released its 182-page report calling for a far more muscular stance against U.S. digital adversaries such as Russia and China and new cybersecurity executives with broad powers to cut through red tape at the White House and State Department. 

But the commission’s bold recommendations were largely lost in the shuffle two days later when President Trump declared the coronavirus a national emergency and official Washington rushed to deal with the pandemic. A planned media tour by the commission’s congressional co-chairs, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), was also put on ice. 

But now that lawmakers are returning to Washington, King and Gallagher hope the pandemic is hammering home the report’s main message: The U.S. needs to prepare for a major cyberattack before it hits, not scramble after the fact. 

“I think covid has taken public attention away [from cybersecurity], but for policymakers it’s underlined the importance of having a comprehensive strategy in place and really strengthened the case for the actions we recommended,” King told me. “We’re in the middle of a crisis that has shaken people to say we can’t go back to business as usual.”

Other commission members include Sen. Ben Sasse (R-Neb.), Rep. Jim Langevin (D-R.I.), FBI Director Christopher A. Wray, former Department of Homeland Security cybersecurity chief Suzanne Spaulding and Tom Fanning, CEO of the Southern Company gas and electric utility. 

Commissioners’ pitch before the pandemic was that they wanted to make changes on the scale of the 9/11 Commission — but before a 9/11-level cybersecurity tragedy struck. 

That argument has taken on added gravity now that Washington is hotly debating what the government was and wasn’t prepared for before the pandemic and what it should do differently next time. 

One Solarium Commission recommendation that was deemed controversial before the pandemic, for example, was to create a Senate-confirmed national cyber director in the White House controlling a large budget and dozens of staff members. Now, Republican and Democratic leaders on the Senate Homeland Security and Armed Services Committees are expressing interest in that role and may help shepherd it into law, King said. 

“You look back on the 9/11 Commission and you realize how much good work was being done [before the attack] but it was all siloed at different agencies,” Gallagher told me. “We want someone who’s in charge and coordinating efforts across the government, forcing discussions across agencies about different scenarios and how we can prepare for an attack.”

That’s one of several proposals King and Gallagher are pushing to include in an annual defense policy bill now being crafted on the Hill. 

The recommendation was one of several that won praise from Senate Homeland Security Committee members during a videoconference hearing about the report Wednesday. 

They also praised a recommendation that the U.S. government should state more clearly the consequences adversaries will face if they hack vital U.S. infrastructure, such as airports and the electrical grid, and that those consequences should ratchet up in times of crisis. 

That would be particularly useful during the pandemic when the FBI and DHS are warning about Chinese government-linked hackers targeting U.S. research labs working on coronavirus vaccines. 

Portions of the report also focus on making the United States less dependent on China for technology and other vital resources. 

“I think if nothing else when the dust settles on coronavirus, it will harden the hawkish consensus on China and add energy to this effort to wean ourselves off our dependency on certain things produced in China,” Gallagher said. 

More from King:

The commissioners are also preparing an addition to the report they hope to release by Memorial Day focused on lessons from the pandemic related to the report’s recommendations. 

That new material will point out ways in which the pandemic has made the United States more vulnerable to a cyberattack. Most notably, with huge numbers of Americans teleworking now, a cyberattack that compromised electricity or Internet connectivity would be especially devastating. 

“If the electric grid or our internet infrastructure was compromised, it would substantially increase the negative impact of what we’re going through,” King said. “The confluence of the virus and a potential cyberattack is truly frightening.”

The keys

The Trump administration is ratcheting up its efforts to punish Huawei by cutting it off from global computer chips. 

The move, announced today by the Commerce Department, expands an existing ban on some U.S. supplies going to the Chinese telecom, Reuters’s David Shepardson reports. Under the expanded rule, foreign companies that use U.S. chipmaking equipment must obtain a U.S. license before sending chips to Huawei or its affiliates. 

The new restrictions are sure to ratchet up tension with China, which Trump has sparred with during the pandemic. U.S. officials have long argued Huawei is too closely tied to the Chinese Communist Party and could be enlisted to spy for the government. They’ve lobbied allies to block the company from their next-generation 5G telecom networks. 

Sen. Richard Burr (R-N.C.) stepped down as chairman of the chamber’s Intelligence Committee, creating a major shakeup on a key cybersecurity panel.

The move by Burr, who is being investigated for questionable financial transactions, creates a leadership gap while the committee is still releasing portions of its investigation into Russia’s 2016 election interference. The Senate investigation, led by Burr, was widely seen as far less partisan than its House counterpart and backed up the intelligence community's conclusion that Russia’s interference was aimed at helping Donald Trump beat Hillary Clinton. Burr subpoenaed Donald Trump Jr. as a part of the investigation, a move that sparked ire from Trump loyalists.

The committee is also in the process of considering Rep. John Ratcliffe (R-Tex.) to be the next director of national intelligence to replace acting director Ric Grenell, an outspoken Trump defender who has clashed with committee Democrats. 

Burr is being investigated for selling stocks before the coronavirus crashed markets. He stepped down from the chairmanship after FBI agents seized his phone as part of the investigation, Devlin Barrett, Seung Min Kim, Spencer S. Hsu and Katie Shepherd report.

“The work the Intelligence Committee and its members do is too important to risk hindering in any way,” Burr said in a statement. “I believe this step is necessary to allow the Committee to continue its essential work free of external distractions.”

Senate Majority Leader Mitch McConnell (R-Ky.) has not named Burr's successor yet but said he agreed that [Burr’s] decision would be in the best interests of the committee.

Democrats introduced legislation aimed at reining in how much data coronavirus contact tracing apps can collect. 

The legislation is similar to a bill Republicans introduced last month but it puts greater emphasis on the role of states in privacy legislation. 

The lawmakers say the protections will encourage people to use the contact-tracing apps, which more than half of Americans say they won't do now, according to a Washington Post-University of Maryland poll. An Oxford University study suggests 60 percent of a country's population would have to use such apps for them to be effective at stopping the virus's spread. 

The Public Health Emergency Privacy Act would also:

  • State that government agencies that don't have a public health mandate can't use the data
  • Ensure consumers opt in before their data is collected and require companies to delete the data after the pandemic is over
  • Mandate the data not be used for commercial purposes or to infringe on Americans' civil and voting rights

The bill is sponsored by Sens. Richard Blumenthal (D-Conn.) and Mark R. Warner (D-Va.) and Reps. Anna G. Eshoo (D-Calif.), Jan Schakowsky (D-Ill.), and Suzan DelBene (D-Wash.) in the House. 

The Senate renewed vast government spying powers, but privacy advocates are pushing for major changes in the House.

Advocates want the House to include an amendment that would exclude warrantless spying on internet and browser history from the renewed Foreign Intelligence Surveillance Act, which lapsed about two months ago and has been inactive during the pandemic. An amendment doing that failed the Senate by one vote before the bill passed 80 to 16.

Sen. Ron Wyden (D-Ore.), who helped write the failed Senate amendment:

The American Civil Liberties Union Senior Legislative Counsel Neema Singh Guliani also called on the House to add the provision, saying the closeness of the Senate vote “demonstrated there is overwhelming support for protecting our internet search and browsing histories from warrantless searches.”

Securing the ballot

Expanding voting by mail and recruiting younger poll workers should be top tasks for election officials during the pandemic, a new report says.

States should also launch aggressive campaigns to combat voter disinformation, update election contingency plans and steer clear of online voting options, the University of Pittsburgh Institute for Cyber Law, Policy, and Security recommends. The institute is also calling for increased federal funding for elections.

“Delaying the general election is untenable. Federal, state, and local leaders must begin planning today for a free, fair and safe election,” said Pitt Cyber Executive Director Beth Schwanke.

A roundup of election and coronavirus news from the states:

  • Florida will accept $20 million in federal election funds to secure voting during the pandemic – the final state to formally accept the money.
  • A group of senior voters is suing the Minnesota secretary of state to end a rule that would require them to have a witness for signatures on their ballots.
  • A federal judge dismissed a suit that would have delayed Georgia's July 8 primary.
  • Missouri House lawmakers adopted a proposal that would allow voters to request an absentee ballot without needing a reason. The proposal still needs Senate approval.

Industry report

Taiwan's largest chip maker will announce plans to build a factory in Arizona, helping the United States better secure technology production.

The plant, which could open as soon as 2023, could accelerate efforts by the U.S. government to reduce the reliance of American companies on Asian suppliers, Bob Davis, Kate O'Keeffe and Asa Fitch at the Wall Street Journal report. The State and Commerce departments are both involved in plans for the new plant. 

Trump has prioritized reducing U.S. reliance on Chinese goods. “We shouldn’t have supply chains. We should have them all in the U.S.,” the president said on Fox Business yesterday.

But the new plant could also cause conflict with U.S. chip maker Intel, which also manufactures in Arizona and has lobbied the Pentagon for a partnership, the Journal reports.

More cybersecurity industry news:

People-counting cameras, which have become a niche tool in recent years to help companies better use their office space, are now being repurposed to help employers comply with government guidelines on social distancing.
Wall Street Journal
Microsoft has decided to make its coronavirus-related hacking threat intelligence public, even for non-customers, to boost collective security.
CyberScoop
Britain’s main supercomputing service for academic research has been unavailable since Monday following a security incident that forced administrators to reset user passwords.
CyberScoop

Global cyberspace

A cyberattack hit Britain's energy system. 

Key systems that govern the electricity market don't appear to have been affected and the system administrator Elexon reported no power outages, Jillian Ambrose at the Guardian reports.

Elexon said it had "identified the root cause" of the attack and was still investigating. It didn't name a potential culprit, but the attack comes just days after the United Kingdom's top cybersecurity agency warned about increased hacking attempts.

More global cybersecurity news:

Patience with President Vladimir Putin is running thin in Berlin. But Germany needs Russia’s help on several geopolitical fronts from Syria to Ukraine.
New York Times

Chat room

Here's some math to put the $400 million Congress granted to state and local election officials in the recent coronavirus stimulus bill in perspective: The OSET Institute's Eddie Perez:

Daybook

  • The Center for Strategic and International Studies will host an online event “Who Makes Cyberspace Safe for Democracy?” on Tuesday at 12:30 pm.
  • The Senate Commerce Committee will mark up the CYBER LEAP Act on Wednesday at 10 a.m.

Secure log off

One last scandal before the weekend: