Before COVID-19 swept the globe, experts were already predicting a disastrous year in cybersecurity. The pandemic offered hackers new attack vectors and proved governments must always be ready for the unexpected.
In March, the Cyberspace Solarium Commission asked Americans to consider the possibility of a disastrous cyberattack, a kind of “cyber Pearl Harbor,” that turned the nation’s infrastructure on its head. The commission, convened by Congress in 2019 to study the threats that lurk in cyberspace, was not optimistic about the nation’s capacity to defend against such an event. Their report, at nearly 200 pages, was filled with analysis and policy proposals, but its basic message was simple: The U.S. was “dangerously insecure in cyber.”
A big part of this insecurity was the lack of adequate defense for state, local, tribal and territorial governments (SLTTs). SLTTs need federal assistance, the report argued, as the current status quo invites ongoing attacks. Someday the attacks may go beyond simply crippling online bill pay options or disabling VoIP and email systems.
The prediction of an impending cyberdisaster took on somewhat new dimensions when, a week or so after the report came out, a global pandemic suddenly and unexpectedly shuttered public offices throughout the country. The virus forced governments into a defensive posture, saddling them with new responsibilities as they also sought to protect their remote workforces against an onslaught of cyberattacks. The parallels between the virus and their prognostication about a nationwide IT disaster were not lost on Solarium members.
Indeed, if the virus has proven anything, it’s that governments must better prepare themselves for the unexpected. Despite early whispers of a potential detente with hackers, bad actors exploited the pandemic in pretty much every way they knew how. In the early days of the virus, state cyberprofessionals reported that the rate of attacks had doubled. These attacks hit schools, hospitals and health-care systems, transportation agencies, and many other essential services made even more critical by the pandemic.
At the same time, hackers explicitly took advantage of the situation caused by the virus by targeting governments’ need to stand up new, expedient forms of service delivery. In one example, the need to quickly erect unemployment benefit websites was swiftly exploited by a prolific hacker ring from Nigeria, which, over the summer months, led to the loss of hundreds of millions of dollars.
Bad actors didn’t just target new vulnerabilities, however; they also scanned the shifting landscape to assess how the pandemic was transforming certain sectors of government to make them more valuable — and thus more worthy of exploitation. For instance, hackers targeted universities with renewed vigor, sometimes capturing sensitive research related to COVID-19. Certainly this was the case with UC San Francisco, which in June paid ransomware hackers a whopping $1.14 million for the safe return of its data.
In recent years, legislators close to homeland security committees have tried repeatedly to point out SLTTs’ need for outside assistance — frequently crafting legislation to funnel federal dollars toward the problem. This year was no different, but the troubles associated with COVID-19 made the calls more urgent. Legislators pushed to create new forms of federal assistance for state and local agencies, with bills envisioning plentiful grant programs ranging from $400 million to $28 billion for general cyber-relief.
At the same time, ongoing concerns about election security in a world rife with disinformation and hackers dominated headlines this year. While experts seem to agree that a breach could not meaningfully alter vote counts, the suggestion that systems related to elections are less than secure can cause significant harm to voters’ faith in the democratic process. Taking election security seriously has meant introspection on the part of resource-constrained communities using older systems and equipment (Georgia, for instance, very publicly struggled with this), underlining the need for federal assistance.
Finally, discussions continue about what role the federal Cybersecurity Infrastructure and Security Agency (CISA) should play, as the new group continues to grow and define its mission. Making CISA a source of federal funds for SLTTs seems like a natural move. Other bold new powers and responsibilities could include expanding its role in protecting critical infrastructure, creating regional offices with HIRTs (Hunt and Incident Response Teams), and dispersing “cybercoordinators” to each state to assess SLTTs’ risk. At this point, all options should be on the table.
As governments head into the new year, they will be faced with a dire economic situation that will undoubtedly affect cyberbudgets. At the same time, as governments continue to digitize services, cyberattacks will continue to change and evolve on a parallel track.
With all that in mind, new forms of assistance to SLTTs to lock down cybervulnerabilities should be prioritized. At the same time, public agencies must continue to innovate and think more strategically about how to secure themselves. If this year has taught us anything, it’s that governments should be ready for anything as they look ahead.
This story is part of our 2020 Year in Review series.