Resilient Cybersecurity Policies for a Cybersafe New Year

As the year 2020 fades away, we have no doubt that many of the articles and discussions reviewing the impact of the COVID-19 pandemic will focus on the dramatic changes to the way we work, shop, and socialize. The most obvious change in our behavior is our complete dependence on technology for activities we once took for granted like commuting to the office, going to the mall, and meeting friends at a restaurant. For many of these normal activities, the changes brought on by the pandemic will be long lasting, if not permanent.

What may not get the focus it deserves is the critical role of cybersecurity. And, how we each need to change our thinking and behavior to be “cyber ready.” With so much of what we now do conducted online, the pandemic has accelerated the need to secure our businesses and our personal lives. We have known for some time that we need to do a better job protecting our institutions and individuals from hackers and other bad actors, but that need has become more urgent. More than ever, we face significant cybersecurity challenges. If you doubt the need, consider the huge increase in ransomware and phishing attacks since March targeting small businesses, municipalities, schools, and health care facilities. At the Cyber Readiness Institute (CRI) one global company we work with reported a 300 percent increase in phishing and ransomware attacks on the companies in their supply chain.

During the initial months of the pandemic, many companies had to focus on business resiliency and continuity, so they relaxed security policies to help individuals work efficiently from remote locations using whatever devices were available—sometimes business-issued computers and phones, but often a combination of personal and work devices.

Now, companies of all sizes are facing the realization that there is going to be a more permanent “new reality” to the workplace. Many companies are only sending a small percentage of their workforce back into the physical office, which means a hybrid work environment–where some employees work from home, some from the office, and others will shuttle between the two–will become the reality.

This reality requires companies to develop and implement resilient cybersecurity policies that address the hybrid, remote-office workplace. It is critical to replace those relaxed security policies with the development of policies that ensure equal security across all work environments.

Over the last three years, CRI has been helping small and medium-sized enterprises (SMEs) establish secure policies and procedures, and more recently for this hybrid environment.  We emphasize the importance of human behavior as the foundation for security.

Here are some changes we’ve seen during the pandemic that will help all organizations become cyber ready:

  • Companies are now forced to have strong security policies that each employee can follow, regardless of their work environment
  • The increase in ransomware and phishing means that strong authentication policies for all businesses must be in place and easily understood and applied by all employees
  • Establishing security requirements for all businesses in supply chains is now more important than ever. The vulnerabilities of our global supply chains have been exposed throughout the pandemic and large companies need to be doing a better job of helping the small businesses in their supply chains be more secure.
  • With workplace flexibility and a hybrid work environment, creating a culture of cybersecurity is critical and urgent. Businesses need to understand that educated and trained employees can be a force multiplier for security

Here’s to a cyber safe New Year!

-Kiersten E. Todt, Managing Director of The Cyber Readiness Institute, and Christopher G. Caine, President of The Center for Global Enterprise

 

 

Renewed Focus on Cybersecurity

The COVID-19 pandemic has shined a light on cyber vulnerabilities within our country. As nationwide shutdowns were implemented to combat the COVID-19 pandemic, many employees shifted to remote work and operations went fully digital. Businesses, organizations and governments have faced cybersecurity challenges as a result.

Cyber threats have long been a challenge for many businesses and organizations – even prior to the start of the pandemic; but with operations becoming much more digitalized over the past several months, vulnerabilities have been exposed. Hackers and cybercriminals have taken advantage of some of these vulnerabilities. State and local governments and healthcare organizations, for example, have seen an increase in cyber threats during the pandemic. Individuals have been targeted as well. Just last week, 130 high-profile politicians, business leaders and influencers were targeted by hackers on Twitter, once again raising alarm over the state of our nation’s cybersecurity ahead of the November election. While this is the latest high-profile hack in the U.S., cybersecurity threats have been growing over the past several months. In April, The FBI’s s Internet Crime Complaint Center (IC3) announced that the rise in cybercrime reports had nearly quadrupled since the start of the pandemic. Earlier this month, the FBI announced there has been a rise in fraudulent unemployment insurance claims using stolen identities.

Many businesses and industries have already been focused on maximizing their cybersecurity efforts. The utilities industry is an example of an industry that has been addressing cyber vulnerabilities while the industry continues to modernize, and their infrastructure becomes digitalized.

As we reflect on the learnings of the pandemic, the importance of cybersecurity should be one of them. There must be a renewed focus on cybersecurity to ensure our businesses, organizations and governments are best prepared to address and prevent cyber threats and attacks. This will require a collaborative effort – bringing together business and organization leaders, government officials and cybersecurity experts, to develop solid cyber defense programs that will prevent and address cyber threats.

Gloria Story Dittus, Chairman, Story Partners

A Three-Pronged Strategy for Cybersecurity

The United States is at war. Virtually unchecked for years now, our adversaries have been stealing our intellectual property and disrupting American commerce and our democratic way of life. This war is being waged primarily on our nation’s critical infrastructure, mainly the energy sector, telecommunication networks and financial systems. Eighty-seven percent of critical infrastructure in the United States is owned and operated by the private sector, making collaboration between the private sector and the government imperative. Collectively, we must reimagine U.S national security doctrine for this new digital reality.

The layered cyber deterrence approach outlined in the recently released Cyberspace Solarium Commission report, which I co-authored, offers a practical roadmap to protect, prepare, hold accountable and respond to existential cyber threats. We propose a three-pronged strategy for success—reshape behavior on the battlefield, impose costs on our adversaries and deny benefits to our enemies.

Currently, there exist no internationally accepted principles of escalation and de-escalation in cyberspace. The first step in reshaping behavior on this battlefield is to define state accepted behaviors in cyberspace, to include clear consequences for behaviors that are not acceptable. Then we need to communicate these behaviors to not only our friends but also our adversaries.

Our next imperative is to impose real costs on our adversaries who attack us.  Every day, American companies like Southern Company face millions of cyber attacks, including from nation-state adversaries.  With the full support of the private sector, the federal government must advance a strategy to “defend forward” and maintain an offensive posture in cyberspace through regular, persistent engagement with friends and foes alike. This engagement must include the full weight of the federal government—the Department of Defense, FBI, Secret Service, and the Intelligence Community—to allow for rapid and effective responses to attacks.

The third strategic prong is to deny benefits to our enemies. We do this by strengthening critical infrastructure’s ability to maintain continuity and be resilient against a cyber attack. We must also take steps to reshape the cyber ecosystem – the people, processes, technology and data that makeup cyberspace – towards greater security. Finally, we must create a true joint effort between private industry and government. This means moving beyond information sharing towards common access to actionable intelligence, collaborative analysis, joint planning and joint action. It also means clearly identifying the most systemically important critical infrastructure and bringing to bear the full resources of the U.S. government in supporting and defending them from nation-state attacks.

The cost of inaction is too great. The public and private sectors are true partners in this effort, and we must move forward in better harmony. I am confident the Cyberspace Solarium Commission’s report and recommendations will help us do that.

Tom Fanning, Chairman, President and CEO, Southern Company

A Public Power Perspective on Cybersecurity

Electricity is an essential element of every life powering homes, businesses and the national economy. In an increasingly digitized world, effectively managing cybersecurity has become critical to the reliability of the grid and the protection of data. While there are many forms of utility business models, public power systems often operate as part of a larger municipality, as a political subdivision of a state and frequently are formed to serve many smaller municipalities. Given these constructs and the realities of operating a public purpose business, the challenges can be unique.

Over the past fifteen or so years, the electric utility industry began moving to a more formal and regulated approach to the reliability and security of the grid. Reliability and security have always been the cornerstone of the industry, but management of the interconnected grid was maintained system by system with regional coordination. In 2007, the national electric reliability was established as a mandatory reliability and security organization to heighten the coordination of the nation’s interconnected bulk electrical networks and ensure best practice through a set of mandatory enforceable reliability standards.

Since that time, the industry, using the mandatory standards as the foundation, has built additional layers of voluntary best practice guidance and significantly expanded the focus on cybersecurity. As public power utilities, this required adaptations in our governance and communications to ensure that we maintained the public transparency and accountability balanced with the security of critical operational information and the reporting of identified risks. Active benchmarking also began to occur, industry coordination and collaboration with government increased and maturity models provided a roadmap to assess an organization’s cybersecurity readiness.

While cybersecurity readiness has grown significantly over the past several years, built upon this platform of mandatory and voluntary actions, the risks continue to evolve requiring continued engagement, assessment and timely actions to ensure that the security gains that have been achieved do not less effective over time. The recent pandemic-related increase in remote working is an example of a changing condition that introduces a new risk given the volume of data being exchanged via remote network access. Proprietary networks have given way to the internet of things with the promise that the number of connected and interactive devices will continue to grow over time.

Public power, like all utility business models, accept that core reliability is the price of entry in our industry and fundamental to everything we do. Cybersecurity has emerged as a significant risk that must be actively managed to ensure that reliability is maintained. We will continue to evolve our capabilities as new threats emerge, build upon our technical expertise and the expertise of the broader collaboration between industry and government and adapt our governance as public entities to ensure that we are secure, nimble and transparent.

John Di Stasio, President, Large Public Power Council (LPPC)

 

Pandemic Highlights Need for State and Local Governments to Protect Residents in Cyberspace

As we predict the lasting impact that COVID-19 will have on our lives, we cannot ignore two major lessons learned. First, states, and governors, have extraordinary power and responsibility to protect the public from threats. Simply put, it is a mistake to neglect the important role state and local leaders play. Second, our lives will only become more “digital.” We are not just working from home in increased numbers, we are relying on the internet for almost all aspects of our lives—from telehealth appointments to Zoom bridal showers.

At the intersection of these two lessons is a growing need for state and local governments to protect their systems and citizens in cyberspace. As we are reliant on virtual connectivity to maintain essential government functions, the numerous ransomware threats that have taken down state and local IT infrastructure constitute a more pervasive threat. The FBI is also reporting a dramatic uptick in cybercrimes targeting individual citizens at a time where people may be economically vulnerable.

At the National Governors Association, our Resource Center for State Cybersecurity stands ready to provide governors with the latest best practices for enhancing cyber resilience. The Resource Center provides governors, as chief executives of their states, with the tools and state case studies to enhance their state government networks. But it also recognizes their role in protecting the public from cyber threats—including critical infrastructure partners, local government counterparts, and individual citizens.

The good news is that during unprecedented times, governors continue to demonstrate bipartisan leadership in state cybersecurity. During the pandemic, state cybersecurity professionals have deployed a record number of security measures, such as VPNs, to the state government workforce. State governments have thwarted cyberattacks, while simultaneously continuing innovative programs like cyber navigators for local agencies with little IT support, and statewide strategies with evidence-based metrics. Governors have also organized with their counterparts to advocate on the Hill for dedicated cybersecurity grant funding for state and locals, who are on the front lines with few resources. At a time when government is expected to do more with less, governors are providing an example of building resilience to the modern threats that have become all the more pervasive during the COVID-19 crisis.

Maggie Brunner, Program Director, National Governors Association’s Center for Best Practices

Maggie Brunner is a program director in the National Governors Association’s Center for Best Practices, where she specializes in state cybersecurity policy, homeland security, emergency communications and public safety technology.