ITI and the Congressional High Tech Caucus Examine Cybersecurity in the Time of COVID-19

On Tuesday, May 19, ITI and the Congressional High Tech Caucus held a timely and interactive discussion on Cybersecurity in the Time of COVID-19. The virtual discussion examined the new wave of cybersecurity threats and challenges facing governments, businesses, healthcare providers, and communities in the wake of the COVID-19 pandemic. It also explored how government and the private sector are confronting these risks and creating resilient solutions.

Congressional High-Tech Caucus Co-Chairs Congresswoman Doris Matsui (D-CA) and Congressman Michael McCaul (R-TX) kicked off the conversation with an assessment of the cybersecurity threat landscape during the age of COVID-19 and what the U.S. government is doing to respond.

“This pandemic has required us all to make changes to the ways we work and communicate,” Congresswoman Matsui said. “Though we’re facing pressing challenges, we also have an opportunity to refocus our efforts on policies that will strengthen cyber leadership.”

“Using such outdated legacy technology slows a government’s capability to help their citizens and leaves them vulnerable to cyberattack,” Congressman McCaul said. “Modernizing IT allows us to build faster, more reliable, and more resilient systems.”

Following the Members’ remarks, ITI’s John Miller, Senior Vice President of Policy and Senior Counsel, moderated a panel exploring the kinds of cybersecurity threats that organizations across the private and public sectors are grappling with since the pandemic, as well as the lessons organizations can learn from the crisis, ongoing cyber and risk management challenges in light of the rapid digital transformation spurred by COVID-19, and what policymakers can do to help address the threat. The panel featured Ron Bushar, Senior Vice President and CTO, Government Solutions, FireEye; Bob Huber, Chief Security Officer, Tenable; and Jeanette Manfra, Global Director, Security and Compliance, Google.

The panelists expanded on the Members of Congress’ remarks on how the cybersecurity threat landscape has shifted throughout the crisis.

“You’ve got a combination of a slowdown in cybersecurity transformations or initiatives at companies while you simultaneously have an increased threat environment,” FireEye’s Ron Bushar said. “That creates a perfect storm for attacks."

“The attack surface has shifted, now we have these remote employees and our security controls didn’t necessarily shift along with that, so they are not traversing corporate networks to a large extent so we lose some visibility there,” added Tenable’s Bob Huber.

Looking beyond the threat landscape, the COVID-19 pandemic has brought with it many business continuity impacts, including to remind us of the importance of recognizing technology workers including the cybersecurity workforce as essential to maintaining business operations, and also that organizations weren’t necessarily prepared for the type of COVID-19-related mass business disruptions some have experienced, such as supply chain disruptions. The panelists noted some lessons companies should take away from the pandemic regarding enterprise risk management planning and security.

“Ideally, longer term we can help our own organizations, industry, and our customers think about our digital dependence, and truly understand and articulate that dependence as a part of our overall enterprise risk,” Google’s Jeanette Manfra said.

The COVID-19 crisis is spurring a fundamental shift in the economy, with a significant percentage of the workforce, including the critical infrastructure workforce, currently working from home, and likely working remotely in the future on a much more consistent basis. Manfra and Bushar noted some of the cybersecurity challenges that this ultra-rapid digital transformation is presenting to public and private sector organizations.

"The whole pandemic has highlighted for so many people that the lack of investment in modernizing IT has made it difficult to be agile and secure,” Manfra said.

Bushar added, “To us, it’s a question of prioritization and not trying to do everything at once, and honing in on the things that matter most to the organization, getting those complete, and, most importantly, actually testing your assumptions and making sure they work the way you expect them to against threats.”

In concluding the conversation, the panel touched on the role policymakers can play in helping to prepare government and enterprises, including small and medium-sized businesses, to be more cybersecure after the pandemic.

“National resilience. When you think of the whole nation, there are so many components to the supply chain, so understanding the risk you’re accepting in regard to resilience with respect to supply chain has become very apparent now,” Huber said. “Practicing those scenarios and making organizations accountable for requirements, such as FedRAMP, is something that should be adopted out of the gate and be stressed and exercised as we develop our supply chains.”

Miss the conversation? Watch the full event here.