Countering Cyberattacks And Ransomware Will Require “Whole Of Nation” Response
Cyberattacks are growing in frequency and sophistication. Protecting individuals’ personal information and national security interests will require broad collaboration—across nations and across industries. These challenges were a key focus of Telecom Policy Research Conference webinar, US Cybersecurity Policy for Data Breach, Ransomware and Supply Chain: What’s Working, What Isn’t and How to Fix It. The event was keynoted by Carole House, Director of Cybersecurity and Secure Digital Innovation at the National Security Council, and Brendan Carr, Commissioner at the Federal Communications Commission. “The stakes for securing [the United States’ critical technology] networks could not be higher, and the Biden Administration recognizes that,” said Ms. House.
Roundtable participants included Josephine Wolff, Assistant Professor of Cybersecurity at Tuft University’s Fletcher School; Thomas Vartanian, Executive Director of the Program on Financial Regulation and Technology at George Mason University’s Antonin Scalia Law School; and Karl Grindal, Ph.D. candidate at Georgia Tech University’s School of Public Policy.
Secure Supply Chains
Reliable supply chains are necessary to mitigate threats, the participants roundly agreed. Commissioner Carr noted a recently proposed rulemaking that was unanimously approved by the FCC. The measure would prohibit commercial use of products made vulnerable supplies on the FCC’s Covered List—whereas current restrictions only prevent government use. U.S. policymakers should also review companies whose supply chains originate in China, Commissioner Carr added. While that is not required in the FCC’s proposed rulemaking, regulators “need to be sure the Entity List covers the range of Chinese companies under the government’s thumb,” like Lenovo and Lexmark.
The Commission has already adopted efforts to restrict China Mobile and other entities “vulnerable to exploitation, influence, and control by the Chinese government.” The proposed rulemaking could expand the FCC’s Covered List of just five Chinese government and military aligned companies to reflect the reality that hundreds, if not, thousands of Chinese firms have such vulnerabilities. The Covered List is maintained by the FCC’s Public Safety and Homeland Security Bureau and its criteria include any communications equipment or services produced by entities which present an unacceptable security risk and are capable of routing or redirecting user data traffic or permitting visibility into any user data or packets or disrupting services remotely.
Concurrently, the Commission proposes to use the opportunity to create incentives in its equipment authorization processes for improved trust through the adoption of cybersecurity best practices in consumer devices. Commission will review and revise these processes to spur trustworthy innovation that can advance America’s global competitiveness and promote responsible global development and deployment. The inquiry and proposed rulemaking is open for submissions for 30 days from its publication in the Federal Register.
Mr. Grindal’s highlighted his doctoral research which demonstrates a 20 percent increase in data breaches as measured at the state level. “Not a lot is working in the way we need it to… A lot can be done to improve international collaboration and shifting focus to cyber-crime issues,” said Mr. Grindal, also noting that emerging technologies may help identify and prevent attacks.
Policies have often focused on “intermediary defenders—not who’s doing the malicious activity,” added Dr. Wolff. Cyber insurance, for example, has not reduced risk because it hasn’t informed companies how to prevent attacks. “There is an opportunity to make new rules that [delineate] which stakeholders have responsibility” and to “broaden liabilities.”
The panel discussed President Biden’s assertion that he told Russian President Vladimir Putin that certain critical infrastructures are “off limits” to attack, referring to the 16 critical infrastructures described by the Department of Homeland Security and recent ransomware attacks against Colonial Pipeline and JBS. Apparently the leaders have agreed to task experts from both countries to work on specific understanding about what’s off limits and to address specific cases. The roundtable participants were skeptical that President Biden’s recent meeting with Putin could significantly reduce cyberattacks. “Will [the Russians] cooperate when they are winning the game?” Mr. Vartanian asked. “Are they going to be serious about coming to table and engaging in collegial information sharing? I doubt it.”