As people across the United States moved to working from home and socially distancing, cyber security breaches have become more prevalent for universities, research institutions and even regular citizens. Paul Rosenzweig, former deputy assistant secretary for policy at the Department of Homeland Security, thinks that life will continue changing in the coming months given the rapid spread of the novel coronavirus. Congress, state governments and other official entities including Homeland Security and the Intelligence Community are still coping with the structural changes forced by the pandemic, which sent workers home with little notice.
Rosenzweig studies the intersection of national security and cyber security as a senior resident fellow at the R Street Institute, a nonpartisan Washington think tank. In an interview, he analyzed the impact of the pandemic on national security and security-related policies, including issues surround elections.
Editor’s note: This interview has been slightly edited and condensed.
How has national security been affected by the coronavirus pandemic?
Oh, well, in lots of ways.
First and most obviously: A lot of national security activity happens in groups. The Army can’t socially distance, the Navy are 5,000 people living on a boat. The intelligence community in order to keep its secrets always gathers together in classified spaces to discuss secure matters, and so on. A lot of the physical activity of national security depends on proximity. That’s one easy way to think about the changes.
Another way, but kind of more in the head is that almost all of our responses to crisis that involve disruptions to our government were thought of [as involving] moving our government. So, the President and Congress go to West Virginia, for example, if Washington is destroyed. We never really contemplated the necessity to continue government without gathering all of our leaders in a separate, different place. That was our continuity plan was to move the government to Iowa. But now all of a sudden, our continuity of government crisis planning involves moving everybody to separate places. The president to one place, the vice president to another, Congress all around, the House of Representatives still hasn’t really gotten itself back together to do things. So that’s part of its problem.
And then third, national security is changed because we really haven’t focused on public health as a national security threat. We tend to think of national security threats as Russian tanks, Chinese hackers, even bioterrorists, but just maintaining the health of the country has not been that big of a deal, or it hasn’t been a national security deal. But now it is. So, those are three really big changes.
But doesn’t the Intelligence Community have some way of communicating through private, secure methods that can’t be intercepted?
That doesn’t exist. That’s the entire reason why they gather in [remote] places, because all communications are subject to interception and there’s just no way to ensure against that kind of interception activity. So, no that doesn’t happen. That doesn’t exist, I’m afraid which is the problem. So, they’re going into work. They’re essential and they’re going into work safely or unsafely, but they’re going into work.
Has there been a moment in the past when national security or the Intelligence Community have been compromised like they are now?
No, not really. The last time we had a pandemic like this was 100 years ago, when all of the national security was much less of a challenge. Likewise, our prior national security threats, like wars, were much more obvious and clearer. This is a different circumstance altogether.
Are national security officers concerned about the future weaponization of the virus?
All bioweapons are modifications of naturally occurring things so yes, it’s necessarily a concern. I have no idea whether it’s realistic or not, because I don’t think we know nearly enough about the structure of the virus to know whether it can be modified in that way. So, that’s a theoretical possibility but we have no idea if that’s realistic.
Is it more likely that private citizens will be the victims during this confinement, as they are working from home without the security their systems may have had at work?
The higher degree of use by more people who are not as well-trained in security necessarily increases the overall risk to the economy. Everything from Zoombombing, to identity theft and fraud, to the disclosure of corporate confidential information. [The risk] is much higher as the use of Internet in the cyber domain gets higher. So yes, of course, very much so.
[This risk] is for everybody. Lots of companies that weren’t very cybersecure have moved online because they had to do so quickly and, likewise, a lot of people in some ways. For companies it’s even worse because they have a lot of really important secrets to keep. So, it’s everybody, I wouldn’t say the risk for one is worse than the other.
COVID-19 research labs have been reporting continued breaches in security to access their research on the virus. Why?
First, to get [the information] early. Second, it’s not clear to me that all of it will be released. I think some countries may withhold some information, for all we know. So, I think that’s probably the reason, to get it early.
There are a million ways in which people can improve their cybersecurity: From updating and patching all of their systems, to training all of their employees, to employing tools that will limit the ways in which people can attack them, to hiring outside groups to do that.
Universities have also been the victims of cyberattacks. Is there a difference on how these institutions can prepare ahead of another semester of online classes starting in the fall?
It’s the same thing: Update, patch, train. Zoombombing is easy to prevent if you just set the “enable waiting room” toggle on your security. The reason we didn’t have that before is that so many people didn’t know to do that. Many people didn’t understand the risk. So, it’s really just a question of training and responsible use of technology.
There are there are some baseline things that are good hygiene involving training and updating your systems. There’s a whole set of tools put out by a company called the Global Cyber Security Alliance. It’s a nonprofit that everybody can use that as a baseline and then beyond that every university is different.
It will work its way out. [Universities] have to do better, obviously, because they move too quickly. But with six months to prepare, they should be able to do well this fall.
You are an advocate against implementing online voting, but considering that it may be one of the only resources for November, why shouldn’t it be the main voting method?
Because it runs the risk that the vote that is reported will not be the actual vote. Every security expert in the world has said so: the National Academy of Sciences, the Association for the Advancement of Science, the Association of Computing Machines, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. There is, literally, nobody except the people who manufacture these systems and want to make money who says that they’re ready.
The entire chain of Internet voting is at risk from registration to voting to tabulation. There isn’t any way in the absence of paper records to conduct an online voting that you know will be secure.
We should not implement online voting, period. Full stop. End of story. It’s just wrong because that’s not the only resource. We should use vote by mail, absentee balloting, we can use very secure, clean, polling stations while social distancing, but under no circumstances should we use online voting period.