Last week’s congressional hearing on SolarWinds is yet another reminder of how the past year has exposed major vulnerabilities within our digital infrastructure. We are just beginning to understand the full scope and scale of this cyberattack, but to prevent something like this from happening again, we must make critical investments to shore up our cyber posture.
Last March, Americans rapidly transitioned to a remote environment – one that was only supposed to last a handful of weeks but has morphed into a new way of life. Many large companies have transitioned to a remote workforce indefinitely, with some analysts suggesting this shift could last well beyond the pandemic. The federal government has also indicated plans to expand its remote workforce due to successes and benefits it has seen, including lower payroll costs and wider candidate pools.
While critical to keeping major sectors of our economy operational over the course of the pandemic, the digital infrastructure that has supported this seismic shift to a remote environment was not built to withstand such sustained pressure. Unfortunately, the things that have enabled this digital transformation – cloud, internet of things and operational technology – have also made us more vulnerable to crippling cyberattacks, which has forced organizations, including the federal government, to reevaluate their risk and threat landscape.
According to a recent report from the Center for Strategic and International Studies, the global cost of cybercrime has reached nearly $945 billion each year, demonstrating the risks to our increasingly connected infrastructure.
The new administration has made clear its plans to prioritize a federal infrastructure package this year, and while focusing on physical infrastructure like roads and bridges is important, we must also ensure there is focus on investments in digital infrastructure where security is built in from the start. This includes not only networks that enable working and learning from home, but also networks that support our power and utilities, emergency response and hospital services, transportation, clean water distribution, banking, state and local constituent services and national defense. All these networks are connected to OT and IT systems that create real-world vulnerabilities and support essential services for citizens.
Any infrastructure package should contain legislative provisions that will secure our connected critical infrastructure, enable robust interoperability and ensure our society’s backbone can safely support technological advances. The FY2020 National Defense Authorization Act included important provisions that should be expanded upon by Congress, requiring that “any transit service operator of rail rolling stock develop and execute a cybersecurity risk reduction plan in accordance with certain standards and would include arrangements for third-party testing of certain components.” These standards for OT and critical infrastructure are essential, and we need more.
Other legislation like the Advancing CDM Act should also be a priority for Congress to further support and secure the federal digital infrastructure, especially while much of the federal government will remain working remote. We must also continue the important public-private partnerships that exist through the National Institute of Standards and Technology, the Department of Energy and the Cybersecurity and Infrastructure Security Agency today.
As the recent SolarWinds breach and Florida water hack — where bad actors attempted to spike chemical levels in the water supply of nearly 15 thousand people — have highlighted, our adversaries are looking for ways into our digital and physical infrastructure. We must think about cybersecurity from the start. Shoehorning security solutions in after the fact simply won’t cut it. We can only reap the benefits of this newly enabled remote environment if we have the security infrastructure in place to ensure bad actors, adversaries and criminals can’t access employees’ home networks and critical systems. New endpoints and cloud services organizations leveraged to enable a remote environment must be secure, and employees must practice basic cyber hygiene.
We’ve seen over the past several years bad actors take advantage of these vulnerabilities – impacting the electric grid, the states of West Virginia and Arizona and the oil and gas industry. The time to act is now to prevent further, more damaging attacks on our critical infrastructure.
If Congress, as it should, invests in IT modernization and a 21st-century infrastructure package, they must also invest in security tools and practices to keep the nation’s digital infrastructure – and the physical infrastructure it supports – secure. The costs of not doing so are too great.
James Hayes is the vice president of global government affairs at Tenable. Tom Gann is the chief public policy officer and head of government relations for McAfee.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.