As was predicted when the government moved wholesale towards remote telework in response to the COVID-19 crisis, malicious activities targeting federal systems and employees rose dramatically. While nation-state adversaries increased their hacking operations, a proliferation of unintended vulnerabilities – those caused by the extreme reliance on legacy technologies, poor processes, and analog workflows – created enormous cybersecurity threats in this dramatically altered, digital-first environment.
In addition to lackluster continuity of operations planning, too many federal agencies spent years (if not decades) and hundreds of millions of dollars on customized, ill-designed, and hopelessly obsolete technology “solutions” that were uniquely vulnerable to this massive shift in telework. These cumbersome, siloed systems impeded the ability of agencies to deliver necessary services and information to citizens, critical infrastructure partners, other agencies coordinating response activities, and even their own employees, who were no longer based at a federal office or working almost exclusively on an agency network. Because employees still needed to serve the mission and complete their tasks, they would often be forced to create workarounds or leverage technologies that might not be authorized by agency cybersecurity offices – inadvertently creating a larger ecosystem within their agencies teeming with new vulnerabilities, shadow IT, and potentially large amounts of unintentionally exposed data and personally identifiable information.
However, there have also been some bright spots in the massive government shift to telework. Agencies that had begun embracing commercial cloud capabilities were able to handle more seamlessly a dramatic surge in remote access (through either VPNs or more modern commercial capabilities) or increased internet traffic (for online videoconferencing, etc.). Those with digital collaboration tools were able to manage workflow while keeping data secure and communicating effectively both internally and with their private sector partners. And agencies already moving towards zero trust architectures increased their visibility and security around the devices and applications employees needed to access in order to perform their work duties. These commercial best practices and the proliferation of innovative technology solutions across these creative, forward-thinking agencies enabled them to address both known and unknown risks, maintain operational awareness despite constant change, and mitigate persistent cybersecurity threats… all while improving the efficiency and effectiveness of agency operations and digital service delivery.
Finally, it is important to understand that lessons are still being learned, even today, that will influence the future of federal IT modernization and continued maturity and agility in agency cybersecurity practices. Many of the significant changes over the past few months will remain for quite some time. Congress should continue to make appropriate, targeted investments to help agencies scale effective cybersecurity capabilities, retire legacy systems, and embrace the proven commercial technologies and best practices that have led the government through this crisis. These commitments are necessary and will enable federal agencies to plan for and manage the next new challenge.