Op-Ed: Now is the perfect time for a cyberattack…

This op-ed originally appeared in the Washington Post on May 17, 2020.

Millions of corporate employees, scattered across this country and around the world, are trying to work from kitchen tables, bedrooms, basements and even cars. Sensitive financial and operational data fly, in unprecedented volumes, across VPN networks, personal routers, sketchy home WiFi systems and wireless printers.

Beyond the threat that covid-19 poses to public health, the pandemic has exposed a massive new risk for global corporations: a debilitating cyberattack. In this moment, a powerful attack could be the one-two punch that brings corporations to their knees.

Employees are fatigued, stressed and distracted as weeks turn into months of confinement. Any semblance of separation between work and home has collapsed. People can hardly remember the day of the week. Children roam in and out. Deliveries drop at the door. Dogs bark. We open the refrigerator door again (and again). All the while, our data sit on loosely protected networks, creating vastly expanded attack surfaces for threat actors.

And this is the situation among employees who have not been fired or furloughed. Beyond these ranks, millions of others have lost jobs. Their frustration could fertilize the ground for retaliation against former colleagues or companies — a kind of “insider” attack from the newly outside.

So, how do people and companies protect against these risks? As President Dwight D. Eisenhower advised, plans are useless but planning is indispensable. The public and private sectors should align immediately to plan against this threat.

The pandemic has clarified three steps urgently needed to shore up our cyberdefenses while battling this unprecedented health threat.

First, greater clarity is critical regarding who would lead the government’s response to a major cyberattack. The pandemic revealed serious fault lines, not only within the federal government and its agencies (the Department of Health and Human Services, the Centers for Disease Control and Prevention, the Federal Emergency Management Agency, the Food and Drug Administration, the White House, etc.), but also among the federal government and the states, and between government and the private sector.

The White House lacks a clear cyber leader. The bipartisan Cyberspace Solarium Commission recommended in March that there should be a Senate-confirmed national cyber director in the White House (or “cyber czar”) to coordinate interagency matters and interact with the business community. The cyber agenda has long been a source of vigorous interagency tension, but the Cybersecurity and Infrastructure Security Agency recently established within the Department of Homeland Security has made strides in sharing threat intelligence and best practices with the private sector as well as with state and local governments.

Industry interaction is especially important around cybersecurity. More than 85 percent of our nation’s critical infrastructure is owned or operated by the private sector. This infrastructure includes electrical grids, telecommunication networks, financial markets, nuclear plants, health-care systems and transportation systems. Securing these operations will necessarily be a distributed responsibility, but clear-eyed, decisive federal leadership would help establish the sense of control that is sorely lacking.

Second, businesses must revisit their cyber contingency plans. Tabletop exercises that companies previously conducted assumed that crisis management teams were on premises. Planning must reflect our new, remote reality. This includes providing key personnel with reliable cellphone numbers and backup email addresses for all senior executives — in paper form. The 2014 cyberattack against Sony (widely attributed to North Korea) ground the company to a virtual halt. Communication among thousands of employees was effectively cut off, and the management team relied on in-person meetings, office landlines and, eventually, a stash of old BlackBerrys. A similar attack during quarantine could isolate executives for days. More broadly, businesses should know what’s connected to and running on their networks, aggressively manage administrative privileges and continuously patch vulnerabilities.

Third, employees working from home need to also follow basic cyber hygiene. Personal and home-office routers typically lack the level of security installed on business routers and often rely on default passwords created by manufacturers. In 2018, the FBI found that Russian hackers had compromised hundreds of thousands of home routers, enabling them to steal sensitive data and shut down network traffic. When work devices are being used to access proprietary business data — as well as for personal Zoom calls, TikTok videos, yoga classes and more — each employee has a role to play not just in their company’s cyber resilience but also in the nation’s cyberdefense.

Our main cyber adversaries and other malevolent actors are acutely aware that our country is consumed by unprecedented health and economic crises. This is a critical moment for government and corporate America to come together to protect U.S. cyber resources and critical infrastructure.

A former CGA senior advisor, Jane Holl Lute was deputy secretary of homeland security from 2009 to 2013 and is on the board of the Center for Internet Security. Peter J. Beshar is general counsel of Marsh & McLennan, the world’s largest risk adviser, and has testified before Congress on cybersecurity multiple times.
