This week, a coalition of major tech groups sent a letter to House Speaker Nancy Pelosi and Minority Leader Kevin McCarthy demanding that Congress send cybersecurity funds to state and local governments as a part of the next COVID-19 stimulus package, as reported by The Hill. The groups represent some of the largest tech companies in the U.S., including Microsoft, Amazon Web Services, Adobe, and Verizon. In their letter, they point to “The rise in malicious cyberattacks targeting State and local entities, combined with the chronic lack of workforce, patchwork legacy systems, under-sourced cybersecurity and IT services” as the reasons for increased cybersecurity funding.
The cyberattacks mentioned, having already done serious damage to local governments – including Baltimore, Atlanta, and New Orleans – are of particular concern during this unprecedented COVID-19 crisis. Millions of workers, including many government staffers at the local, state, and federal levels, are now working from home and have to rely on unsecured networks and personal routers to conduct official business. This government-wide WFH period is providing many opportunities for hackers to steal confidential data without having to go through traditional channels – as noted by the GAO in its report on DOD WFH cyber standards and its subsequent lack of cyber-hygiene.
China Tech Threat believes that the federal government has an essential role to play in deterring cyber-attacks at all levels of government. Moreover, there is an important discussion of cybersecurity appropriations during this crisis. However, in their rush to help, policymakers may unwittingly authorize stimulus funds for vulnerable technology. Just this week, 35 U.S. senators called for the federal government to create an emergency fund to support remote learning through the purchase of Wi-Fi hot spots, modems, and routers. Without proper cybersecurity funding, and a full vetting of the companies that governments are purchasing from, cyber vulnerabilities will continue to be an issue. Consistent with the National Defense Authorization Act, Congress must not authorize any stimulus funds to vulnerable firms, equipment and services. This list should be expanded to include Chinese state-owned makers of information technology noted in the National Vulnerability Database and the Entity List.
Recall that the problem with Huawei was seeded in part by the American Recovery and Reinvestment Act of 2009, in which $4.5 billion in broadband subsidies were directed to 55 small carriers that serve up to 100,000 subscribers each. Those carriers then contracted with Huawei and LTE as lowest-price bidders to install the Chinese-made networking hardware that now services 25 percent of U.S. territory and 4 million Americans. Because federal funds were unwittingly used to purchase vulnerable Huawei equipment, the recent $2 billion bailout was needed to rip and replace that equipment. Taxpayers should not be paying twice to fix problems the government creates, and their money should not go to companies supported by the Chinese Communist Party.