WASHINGTON: The congressionally chartered Cyberspace Solarium Commission told the House Armed Services Committee on Thursday that the nation urgently needs a “continuity of economy” plan to guide recovery from a devastating cyber attack.
“I want to make sure we… address the continuity of the economy,” said Patrick Murphy, a Solarium commissioner who has served in the Army, the Pentagon, and the House of Representatives. “The government needs a continuity plan to ensure that critical data and technology remains available after a devastating network attack.”
“We need to direct the executive branch [to] make sure we have continuity of economy planning that’s in consultation with the private sector,” Murphy said, the former legislator lapsing into speaking of Congress in the second person plural. “Congress should codify a cyber state of distress tied to a cyber response and recovery fund to ensure that the CISA [Homeland Security’s Cybersecurity and Infrastructure Security Agency] and appropriate federal agencies have sufficient resources and capacity to respond.”
Otherwise, he warned his old colleagues, “we are going to get caught with our pants down.”
“One thing the pandemic has taught us is the unthinkable can happen,” said Sen. Angus King, co-chairman of the commission. “If you’d told us all a year ago we’d be wearing masks… it would have sounded like science fiction.”
Both King and Murphy testified via video because of the COVID-19 pandemic.
“We’ve got to be thinking about how to react if the unthinkable happens,” King said. “If everybody’s pointing at one another and there’s no plan on the shelf, it’s going to be infinitely worse and take infinitely longer to recover.”
During the Cold War, the US had detailed plans for “continuity of government” and restoration of critical services after a nuclear attack, Murphy notes, down to how to shore up the currency. (Of course, many critics then and now said these plans amounted to whistling hopefully in the face of a hurricane.) There’s no such plan for the aftermath of a cyber attack, when critical infrastructure could be paralyzed by malware but physically intact.
While a continuity of government plan can be handled in-house by federal agencies, a continuity of economy plan would take a much wider team to put together, since most of the critical players are in the private sector. That’s just one more way the cyber threat requires a new kind of collaboration between government and industry, from sharing data on threats and attacks to preparing to restore critical infrastructure.
“Overall, one of the most important insights of the commission was the extent to which we have to really forge a new relationship, we have to think in a new way… about how the private sector and the government relate,” King said. “[It’s] one of the problems that our commission tried to attack head-on. [For] the continuity of the economy, the planning has to engage the private sector.”
“I think this is one of our most important recommendations,” King said. But while a continuity-of-economy planning mandate is included in the Senate’s version of the National Defense Authorization Act for 2021, the Senator told his House colleagues, it’s not in the version passed by the House.
“Hopefully, we’re going to be able to pull it through in the conference committee,” he added.
It’s unusual, if hardly unheard of, for Congress to call its own current or former members to testify – but they usually get a receptive hearing, in both senses of the word. That was certainly true today with House Armed Services, where the subcommittee chairman hosting the hearing, Rep. Jim Langevin, is a commission member himself and an outspoken public advocate for its recommendations. So when his fellow commissioners tell him his current bill is missing something, the odds are good he’ll work to get that provision into the law.