Congressmen Andy Barr (R-KY) and Frank Lucas (R-OK) introduced a bill instructing the director of the National Institute of Standards and Technology to develop and make publicly available standards to guard against cyberattacks targeting COVID-19 research generated at American universities.
US Representatives Andy Barr (R-KY) and Frank Lucas (R-OK) introduced H.R. 7998, the National Institute of Standards and Technology (NIST) COVID-19 Cybersecurity Act, on August 11, 2020. The bill would direct NIST to provide guidance to higher education institutions on mitigating cybersecurity risks related to COVID-19 research. The bill is a response to recent reports that hackers linked to the Chinese government have launched cyberattacks aimed at compromising COVID-19 research at various nongovernmental organizations, including colleges and universities.[1]
Federal prosecutors charged Chinese nationals Li Xiaoyu and Dong Jiazhi with hacking US and foreign companies as well as nongovernmental organizations. The indictment alleges that the two men stole hundreds of millions of dollars' worth of trade secrets, intellectual property, and other valuable business information, including COVID-19 research. The indictment further states that the hackers "worked with, were assisted by, and operated with the acquiescence of" an officer in China's Ministry of State Security. At a press conference, FBI Deputy Director David Bowdich said, "China is determined to use every means at its disposal, including the theft of intellectual property from US companies, laboratories, and our universities, to degrade the United States' economic, technological, and military advantages."
In response, Representatives Barr and Lucas introduced the NIST COVID-19 Cybersecurity Act as a means to help universities that are conducting COVID-19 research guard against cyber threats. Specifically, the bill lists institutions of higher education as among the entities NIST shall consider when facilitating and supporting the development of voluntary, consensus-based, industry-led standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure. In that spirit, the bill requires NIST to "disseminate and make publicly available resources to help research institutions and institutions of higher education identify, assess, manage, and reduce their cybersecurity risk related to conducting research with respect to COVID-19" within ninety days of enactment. The legislation stipulates that use of the resources shall be voluntary and that the resources must meet the following requirements:
- Be applicable and usable by a wide range of institutions
- Vary with the nature and size of the implementing research or higher education institution, as well as the nature and sensitivity of the data collected or stored on information systems at an institution
- Include elements promoting awareness of simple and basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships in order to assist research or higher education institutions in mitigating common cybersecurity risks
- Include case studies of practical application
- Be technology-neutral and capable of being implemented using technologies that are commercial and off-the-shelf
- Be based on international standards, to the extent practicable
EDUCAUSE continues to monitor reports related to state-sponsored cybersecurity threats to university research and data as well as the federal government's response to such malfeasance and will keep members apprised of any pertinent developments.
For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy page.
Note
1. Eric Geller and Betsy Woodruff Swan, "DOJ Says Chinese Hackers Targeted Coronavirus Vaccine Research," Politico (website), July 21, 2020.
Kathryn Branson is a Senior Associate with Ulman Public Policy.
© 2020 Kathryn Branson. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.