Renewed Focus on Cybersecurity

The COVID-19 pandemic has shined a light on cyber vulnerabilities within our country. As nationwide shutdowns were implemented to combat the COVID-19 pandemic, many employees shifted to remote work and operations went fully digital. Businesses, organizations and governments have faced cybersecurity challenges as a result.

Cyber threats have long been a challenge for many businesses and organizations – even prior to the start of the pandemic; but with operations becoming much more digitalized over the past several months, vulnerabilities have been exposed. Hackers and cybercriminals have taken advantage of some of these vulnerabilities. State and local governments and healthcare organizations, for example, have seen an increase in cyber threats during the pandemic. Individuals have been targeted as well. Just last week, 130 high-profile politicians, business leaders and influencers were targeted by hackers on Twitter, once again raising alarm over the state of our nation’s cybersecurity ahead of the November election. While this is the latest high-profile hack in the U.S., cybersecurity threats have been growing over the past several months. In April, the FBI’s Internet Crime Complaint Center (IC3) announced that the rise in cybercrime reports had nearly quadrupled since the start of the pandemic. Earlier this month, the FBI announced there has been a rise in fraudulent unemployment insurance claims using stolen identities.

Many businesses and industries have already been focused on maximizing their cybersecurity efforts. The utilities industry is an example of an industry that has been addressing cyber vulnerabilities while the industry continues to modernize, and their infrastructure becomes digitalized.

As we reflect on the learnings of the pandemic, the importance of cybersecurity should be one of them. There must be a renewed focus on cybersecurity to ensure our businesses, organizations and governments are best prepared to address and prevent cyber threats and attacks. This will require a collaborative effort – bringing together business and organization leaders, government officials and cybersecurity experts, to develop solid cyber defense programs that will prevent and address cyber threats.

Gloria Story Dittus, Chairman, Story Partners

A Three-Pronged Strategy for Cybersecurity

The United States is at war. Virtually unchecked for years now, our adversaries have been stealing our intellectual property and disrupting American commerce and our democratic way of life. This war is being waged primarily on our nation’s critical infrastructure, mainly the energy sector, telecommunication networks and financial systems. Eighty-seven percent of critical infrastructure in the United States is owned and operated by the private sector, making collaboration between the private sector and the government imperative. Collectively, we must reimagine U.S. national security doctrine for this new digital reality.

The layered cyber deterrence approach outlined in the recently released Cyberspace Solarium Commission report, which I co-authored, offers a practical roadmap to protect, prepare, hold accountable and respond to existential cyber threats. We propose a three-pronged strategy for success—reshape behavior on the battlefield, impose costs on our adversaries and deny benefits to our enemies.

Currently, there exist no internationally accepted principles of escalation and de-escalation in cyberspace. The first step in reshaping behavior on this battlefield is to define state accepted behaviors in cyberspace, to include clear consequences for behaviors that are not acceptable. Then we need to communicate these behaviors to not only our friends but also our adversaries.

Our next imperative is to impose real costs on our adversaries who attack us. Every day, American companies like Southern Company face millions of cyber attacks, including from nation-state adversaries. With the full support of the private sector, the federal government must advance a strategy to “defend forward” and maintain an offensive posture in cyberspace through regular, persistent engagement with friends and foes alike. This engagement must include the full weight of the federal government—the Department of Defense, FBI, Secret Service, and the Intelligence Community—to allow for rapid and effective responses to attacks.

The third strategic prong is to deny benefits to our enemies. We do this by strengthening critical infrastructure’s ability to maintain continuity and be resilient against a cyber attack. We must also take steps to reshape the cyber ecosystem – the people, processes, technology and data that make up cyberspace – towards greater security. Finally, we must create a true joint effort between private industry and government. This means moving beyond information sharing towards common access to actionable intelligence, collaborative analysis, joint planning and joint action. It also means clearly identifying the most systemically important critical infrastructure and bringing to bear the full resources of the U.S. government in supporting and defending them from nation-state attacks.

The cost of inaction is too great. The public and private sectors are true partners in this effort, and we must move forward in better harmony. I am confident the Cyberspace Solarium Commission’s report and recommendations will help us do that.

Tom Fanning, Chairman, President and CEO, Southern Company

A Public Power Perspective on Cybersecurity

Electricity is an essential element of every life, powering homes, businesses and the national economy. In an increasingly digitized world, effectively managing cybersecurity has become critical to the reliability of the grid and the protection of data. While there are many forms of utility business models, public power systems often operate as part of a larger municipality, as a political subdivision of a state and frequently are formed to serve many smaller municipalities. Given these constructs and the realities of operating a public purpose business, the challenges can be unique.

Over the past fifteen or so years, the electric utility industry began moving to a more formal and regulated approach to the reliability and security of the grid. Reliability and security have always been the cornerstone of the industry, but management of the interconnected grid was maintained system by system with regional coordination. In 2007, the national electric reliability was established as a mandatory reliability and security organization to heighten the coordination of the nation’s interconnected bulk electrical networks and ensure best practice through a set of mandatory enforceable reliability standards.

Since that time, the industry, using the mandatory standards as the foundation, has built additional layers of voluntary best practice guidance and significantly expanded the focus on cybersecurity. As public power utilities, this required adaptations in our governance and communications to ensure that we maintained the public transparency and accountability balanced with the security of critical operational information and the reporting of identified risks. Active benchmarking also began to occur, industry coordination and collaboration with government increased and maturity models provided a roadmap to assess an organization’s cybersecurity readiness.

While cybersecurity readiness has grown significantly over the past several years, built upon this platform of mandatory and voluntary actions, the risks continue to evolve, requiring continued engagement, assessment and timely actions to ensure that the security gains that have been achieved do not become less effective over time. The recent pandemic-related increase in remote working is an example of a changing condition that introduces a new risk given the volume of data being exchanged via remote network access. Proprietary networks have given way to the internet of things with the promise that the number of connected and interactive devices will continue to grow over time.

Public power, like all utility business models, accepts that core reliability is the price of entry in our industry and fundamental to everything we do. Cybersecurity has emerged as a significant risk that must be actively managed to ensure that reliability is maintained. We will continue to evolve our capabilities as new threats emerge, build upon our technical expertise and the expertise of the broader collaboration between industry and government and adapt our governance as public entities to ensure that we are secure, nimble and transparent.

John Di Stasio, President, Large Public Power Council (LPPC)

Pandemic Highlights Need for State and Local Governments to Protect Residents in Cyberspace

As we predict the lasting impact that COVID-19 will have on our lives, we cannot ignore two major lessons learned. First, states, and governors, have extraordinary power and responsibility to protect the public from threats. Simply put, it is a mistake to neglect the important role state and local leaders play. Second, our lives will only become more “digital.” We are not just working from home in increased numbers, we are relying on the internet for almost all aspects of our lives—from telehealth appointments to Zoom bridal showers.

At the intersection of these two lessons is a growing need for state and local governments to protect their systems and citizens in cyberspace. As we are reliant on virtual connectivity to maintain essential government functions, the numerous ransomware threats that have taken down state and local IT infrastructure constitute a more pervasive threat. The FBI is also reporting a dramatic uptick in cybercrimes targeting individual citizens at a time where people may be economically vulnerable.

At the National Governors Association, our Resource Center for State Cybersecurity stands ready to provide governors with the latest best practices for enhancing cyber resilience. The Resource Center provides governors, as chief executives of their states, with the tools and state case studies to enhance their state government networks. But it also recognizes their role in protecting the public from cyber threats—including critical infrastructure partners, local government counterparts, and individual citizens.

The good news is that during unprecedented times, governors continue to demonstrate bipartisan leadership in state cybersecurity. During the pandemic, state cybersecurity professionals have deployed a record number of security measures, such as VPNs, to the state government workforce. State governments have thwarted cyberattacks, while simultaneously continuing innovative programs like cyber navigators for local agencies with little IT support, and statewide strategies with evidence-based metrics. Governors have also organized with their counterparts to advocate on the Hill for dedicated cybersecurity grant funding for state and locals, who are on the front lines with few resources. At a time when government is expected to do more with less, governors are providing an example of building resilience to the modern threats that have become all the more pervasive during the COVID-19 crisis.

Maggie Brunner, Program Director, National Governors Association’s Center for Best Practices

Maggie Brunner is a program director in the National Governors Association’s Center for Best Practices, where she specializes in state cybersecurity policy, homeland security, emergency communications and public safety technology.

A Cybersecurity First Approach

As was predicted when the government moved wholesale towards remote telework in response to the COVID-19 crisis, malicious activities targeting federal systems and employees rose dramatically. While nation-state adversaries increased their hacking operations, a proliferation of unintended vulnerabilities – those caused by the extreme reliance on legacy technologies, poor processes, and analog workflows – created enormous cybersecurity threats in this dramatically altered, digital-first environment.

In addition to lackluster continuity of operations planning, too many federal agencies spent years (if not decades) and hundreds of millions of dollars on customized, ill-designed, and hopelessly obsolete technology “solutions” that were uniquely vulnerable to this massive shift in telework. These cumbersome, siloed systems impeded the ability of agencies to deliver necessary services and information to citizens, critical infrastructure partners, other agencies coordinating response activities, and even their own employees, who were no longer based at a federal office or working almost exclusively on an agency network. Because employees still need to serve the mission and complete their tasks, they would often be forced to create workarounds or leverage technologies that might not be authorized by agency cybersecurity offices – inadvertently creating a larger ecosystem within their agencies teeming with new vulnerabilities, shadow IT, and, potentially, large amounts of unintentionally exposed data and personally identifiable information.

However, there have also been some bright spots in the massive government shift to telework. Agencies that had begun embracing commercial cloud capabilities were able to handle more seamlessly a dramatic surge in remote access (through either VPNs or more modern commercial capabilities) or increased internet traffic (for online videoconferencing, etc.). Those with digital collaboration tools were able to manage workflow, while keeping data secure, and communicating effectively both internally and with their private sector partners. And, agencies already moving towards zero trust architectures increased their visibility and security around the devices and applications employees needed to access in order to perform their work duties. These commercial best practices and the proliferation of innovative technology solutions across these creative, forward-thinking agencies enabled them to address both known and unknown risks, maintain operational awareness despite constant change, and mitigate persistent cybersecurity threats… all while improving the efficiency and effectiveness of agency operations and digital service delivery.

Finally, it is important to understand that lessons are still being learned, even today, that will influence the future of federal IT modernization and continued maturity and agility in agency cybersecurity practices. Many of the significant changes over the past few months will remain for quite some time. Congress should continue to make appropriate, targeted investments to help agencies scale effective cybersecurity capabilities, retire legacy systems, and embrace the proven commercial technologies and best practices that have led the government through this crisis. These commitments are necessary and will enable federal agencies to plan for and manage the next new challenge.

– Matthew T. Cornelius, Executive Director, Alliance for Digital Innovation (ADI)

Matthew T. Cornelius is the Executive Director of the Alliance for Digital Innovation (ADI). ADI serves as a unified voice for commercial innovators with a mission of ensuring the public sector benefits from existing and emerging commercial technologies. For more information, visit www.alliance4digitalinnovation.org.