Lawmakers want cyberprotection for university COVID-19 research

Two Republican House members have called for universities researching COVID-19 remedies to be better protected amid reports that hackers from China, Russia, and other countries are trying to steal their work.

A new bill sponsored by Reps. Andy Barr of Kentucky and Frank Lucas of Oklahoma directs the National Institute of Standards and Technology, or the NIST, to create new recommendations and offer other resources to help universities and other research organizations conducting coronavirus research defend themselves against cyberattacks.

If passed, the bill would “greatly reduce the threat of cyberattacks,” Barr said. “This includes providing best practices and guidelines that will protect our national security.”

In recent months, U.S. and U.K. intelligence agencies issued warnings about hackers attempting to steal or disrupt COVID-19 research from Western research institutions. In May, the FBI and the Department of Homeland Security issued a warning about Chinese hackers. In July, the U.K. National Cyber Security Centre pointed the finger at a notorious Russian hacking group.

The legislation requires the NIST to provide resources to help universities and research institutions reduce their cybersecurity risk related to COVID-19 research. The resources should promote awareness of basic cybersecurity controls and should be technology-neutral and available off-the-shelf, the bill says. The recommendations should also include case studies.

The bill is unlikely to pass this year with Congress headed into the election season unless it is included in a new COVID-19 stimulus package. Still, some cybersecurity experts praised the effort.

Help from Congress is needed because lifesaving research conducted by U.S. researchers needs to be protected, added James Yeager, vice president of public sector at cybersecurity vendor CrowdStrike.

In recent months, the company has “observed sustained and targeted e-crime activity, ransomware deployment, and phishing attempts on American institutions perpetrated by adversaries bent on disrupting scientific and medical advancement.”

The sponsors should be congratulated for pushing for better research security, said Fred Cate, vice president for research at Indiana University and founding director of the Center for Applied Cybersecurity Research. “Too many people think that good cybersecurity just happens, and [Barr] obviously appreciates it takes leadership, commitment, and support,” Cate said.

Most universities are likely already following all or part of the NIST’s existing cybersecurity standards. However, he said, “to the extent they are not, they are so comprehensive and sweeping that it takes months or longer to implement them.”

“The original NIST standards took years to develop, and new guidance for research institutions could take time,” he said. “So, we should view the likely greatest impact of this legislation to be in the longer term, not in the immediate pandemic.”

The NIST’s existing programs can “prevent or minimize the impact of a cyberthreat,” added Michael Puldy, CEO of Puldy Resiliency Partners and a former director of global business continuity programs at IBM.

The NIST Cyber Security Framework and NIST Publication 800-53 on Security and Privacy Controls provide “a lot of options that anyone can use to improve their resiliency and reduce cyberthreats,” he added. “Theoretically, there’s nothing stopping universities from implementing the NIST Cyber Security Framework today.”

In many cases, organizations are not adopting the framework because implementation costs money, and “that would further reduce a bottom line that’s already being punished from a weakened COVID-19 economy,” Puldy said.

The bill appears to be a directive to repackage what the NIST has already developed, focusing on a version specifically for universities, he added.

He called for the legislation to include penalties, such as fines, for institutions that don’t adopt cybersecurity recommendations. “The disappointing reality is without both funding and a regulatory requirement, very few universities, if any, will implement NIST recommendations in 2020 or even 2021,” he added.
