COVID-19 Raises Resilience Red Flags
Virus challenges organizations to protect their systems as they protect their staff.
Although the world is still in the midst of the coronavirus disease 2019 pandemic, technology experts agree lessons the infection teaches about cybersecurity and resilience are emerging. As people don masks to decrease the likelihood of germs entering their bodies, they also must put barriers in place to protect their networks. And, just as they prepare for how they will rebound from the illness or economic downturns, they must examine their options for life after the pandemic.
According to Alexander Kott, Ph.D., chief scientist of the Army Research Laboratory and ST for Army Cyber Resilience, coronavirus disease 2019 (COVID-19) is about resilience. “We can’t be secure from the emergence of microorganisms. We can’t prevent them from entering our bodies. Similarly, we can’t stop viruses from coming into our systems, and that means we have to continue to be productive and lead our lives. This means [we need] mechanisms to allow us to contain and overcome this threat and get things done. In that sense, COVID-19 helps us to understand what cyber resilience is,” Kott said.
Kott joined Maj. Gen. Garrett Yee, USA, assistant to the director, DISA, and Tim Persons, Ph.D., chief scientist and managing director, Science, Technology Assessment and Analytics, GAO, for a SIGNAL Media Webinar Series video about cyber resilience in the post-COVID-19 world. Editor-in-Chief Robert K. Ackerman moderated the conversation.
Kott pointed out that the service needs to focus on resilience because it must be prepared for conflict involving technologically sophisticated competitors with significant cyber operations capabilities. Commanders and warfighters will need to operate after their systems are significantly compromised in conditions that are not typical for today’s cybersecurity defenses, so both people and technology must exhibit a high level of resilience, he stated.
Gen. Yee related that COVID-19 has presented the military, government and industry with an opportunity to learn a lot about their own abilities to act and react quickly. Since March 2020, the U.S. Defense Department went from approximately 95,000 teleworkers to just over a million teleworkers. DISA helped provide services as part of the department’s COVID-19 Telework Readiness Task Force.
DISA’s work included provisioning circuits that increased capacity by 300 gigabytes per second to warfighters around the world. It included providing connections for projects as diverse as individual warfighters and Navy hospital ships in New York and California. The agency also helped increase the Army’s virtual private network access and reliability by nearly 300 percent.
“As strange as it sounds,” Gen. Yee said, “this pandemic created the demand for increased network capacity in a lot of different ways, but we had to do it in a secure way. So, we’re expanding the capacity Internet access points, remote access VPNs.” DISA expanded the security enclaves to ensure that secure remote VPNs could enable remote work, he adds.
Persons related that the GAO previously created a framework for resilience in case of emergencies such as severe storms based on the three I’s: information, integration and incentives. In terms of information, the framework emphasizes the need for information sharing. Integration involves government agencies and other organizations collaborating to share their analysis of this information. Finally, incentives include examining how resilience preparations can involve long-term investments and risk reduction.
In addition to technology resilience, Persons said organizations must be examining supply chain resilience from the component level up to the systems level.
Concerning how COVID-19 has changed cyber resilience, Gen. Yee relayed that the protocols and defense mechanisms didn’t necessarily change, but the focus on enterprise solutions has increased. For example, in the past each of the military services may have had its own way of doing business and there may have been some enterprisewide approaches across the Defense Department.
“Now there’s a focus on doing things across the enterprise level and more focus on the end point to enable remote workers to do their job securely. So, we brought back the Home Use Program for antivirus software that we had for a long time but went away,” Gen. Yee explained.
Kott agreed that in many ways, COVID-19 has made old ways new again. “COVID is showing us the future in a strange way. … COVID-19 is offering useful analogies and lessons about what to do with cybersecurity, he said. For example, citizens are being told to stay home to be safe. In cyber world, they are also being told to stay home to stay safe. Organizations must figure out what set of technologies and techniques will allow them to operate from their homes in a safe way with more sophisticated endpoint protection, including more sophisticated firewalls and VPNs, he related.
Gen. Yee indicated that the obstacles to achieving cyber resilience are many but agreed to share one: scalability. “You have a capability, and it works fine in the lab for 100,000 users, but it’s not the same as 100,000 users on a live network,” the general noted.
“It’s hard to replicate what’s going to happen on a live network in a lab. And we saw this as we were deploying capabilities to ramp up and scale up for the mass telework requirements. There were some adjustments that had to be made because they had not been tested at this level before in real networks.
“And, 100,000 users are a lot, but how about 3 million on the network? So, scalability has always been the challenge especially in the cybersecurity arena where you have tools that are emerging that have great promise that have not been tested at scale,” he added.
For more about how industry and the government are learning lessons from dealing with COVID-19 challenges, watch “What Is the Key to Cyber Resilience in our Post-COVID-19 World?” video on demand.