CIOs say security must adapt to permanent work-from-home

Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.


The entire US economy and government were forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organizations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.

COVID has resulted in a lot of forward-looking changes, Jim Weaver, CIO of Washington State, said on the second day of the annual Cybersecurity Summit hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). “COVID has been our chief innovation officer. Now as a state we’re pivoting to change our service methodologies while in the middle of a pandemic and economic downturn.” Washington was the first state with a positive COVID case on January 14.

“Governor Inslee has been a big proponent for remote work for a lot of reasons and so we did have a culture and mindset in place already enabled to support it,” Weaver said. Washington had to jump from an average of 3,000 to 4,000 remote concurrent connections to 65,000 to 70,000 almost overnight. “That went pretty flawlessly, I’m pleased to say.”

COVID gives cyber criminals new opportunities

At the same time, adversaries are changing, too. “The bad actors are not going away. They’re changing. They’re thriving in the chaos,” Weaver said. “We are seeing a significant number of increased attacks, particularly along the lines of ransomware. Fortunately, among CISA, Secret Service, FBI and our state resources involving some of our national guard resources, we’ve been able to do a very good job recovering from them.”

David Shive, CIO of the General Services Administration (GSA), echoed Weaver’s assessment. “One thing that we’ve noticed as we have been moving through the national emergency, our adversaries are not sleeping,” he said. “The adversaries of the United States have unlimited funds and they’re motivated by ideology and they see the United States and other nations going through a tough time and they look for ways to exploit. But the ways they chose to exploit are no different than other times. They take any event to find weaknesses in how we operate.”

Ryan Gillis, CIO of Palo Alto Networks, said the bad guys were no doubt ready to pounce during this critical period. “Bad guys never miss a catastrophe or an opportunity to leverage some of the hardest things we’re facing in real life, to turn those into phishing scams and watering holes and threats of attacks.”

Security must deal with permanent remote workers, elevated stress levels

Shive sees permanent work-from-home status for most employees as the single biggest change that will occur in the post-COVID environment. The GSA is the single biggest property manager in the world and one of the biggest, if not the biggest, real estate design and construction organizations in the world. “For how we operate, how we use technology to operate against the mission of the GSA, I would expect we will never go back to where we were, where there were a large number of GSA people working in facilities,” he said. “The work of government will no longer take place solely or largely in federal facilities. The work of government will take place anytime, anywhere, on any device.”

This permanent shift to non-facilities-based work has huge implications for cybersecurity. “The security overlay sitting on top of that and underneath is going to have to accommodate that reality,” Shive said.

Weaver predicts a more permanent work-at-home status for Washington State, too. “We did a survey here in my own agency, and 98% of the respondents say they either loved it or were okay with remote working. Seventy-five percent of respondents said they wish this would become a more permanent thing.”

Cybersecurity teams will need to address the increased level of duress that employees experience daily due to COVID and working from home. It has forced Shive’s technical workers to change how they communicate. “We had to speak more plainly to them. Their mental cycles were not entirely focused on work. Their mental cycles were also focused on their grandparents and on their children and how they were going to get food at the grocery store.”

Moreover, remote work has altered the definition of working hours. “We could no longer assume that, one, we had this discrete work time where we could expect the mental cycles of all our employees,” Shive said. “Divided allegiances had to be okay. We had to change the way we communicated with our employees to maximize the value of the communications so that we could get the greatest workforce productivity.”

All the CIOs spoke of their optimism for the future in the face of all these changes. “I’ve been heartened by the community that’s been reinforced at this time and the work that has come out of that,” Shive said. “I think at the end of this we’ll be a tighter, more effective cybersecurity community than when we started.”

Copyright © 2020 IDG Communications, Inc.
