February 2, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

Last week President Biden sent to Congress a $1.9 Trillion COVID relief package. Included in the package was about $9 billion for cybersecurity.

What has cybersecurity got to do with addressing a medical pandemic?

A lot.

As we all know, in addition to massive death and social destruction, the pandemic has also brought economic collapse on many dimensions. Our economy, like just about everything else, is ultimately reliant on cyber systems. If the purpose of the legislation on the Senate floor is COVID relief, then that needs to include making sure our economy recovers, and our economy cannot recover unless the core systems of the economy – which in the 21st century are cyber – also recover.

This is another, perhaps more subtle, dimension of our #Rethink Cybersecurity campaign. The reason we need to rethink our approach to cybersecurity is that our current approach is not working. A core reason our cyber policy – on multiple dimensions – isn’t working is that we have taken an excessively narrow conceptualization of the cyber threat. Too often we think of it only as a tech problem that can be resolved with more tech. What we have learned is that, although there are obviously tech issues involved in cybersecurity, in reality the cybersecurity issue is far broader, and to address it effectively we need to take a broader perspective.

Those who would oppose including cybersecurity in the COVID relief bill may, similarly, be thinking of COVID relief too narrowly. Obviously, there are critical health issues that need to be addressed in dealing with the COVID pandemic. However, we make a critical mistake if we think of COVID relief as only addressing issues like vaccine replenishment and distribution.

One of the most dramatic results of the pandemic was that it ushered in the largest alteration of how work was done in human history. Almost overnight, an economy based on people “going to work” shifted to one in which an enormous percentage of work was done at home over cyber systems.

Just as we are learning that COVID has subtle and dangerous impacts on a victim even after they have weathered the initial sickness, so too we have discovered that, while our cyber systems – amazingly – were able to sustain an enormous proportion of the economy even under emergency and unplanned-for circumstances, there are subtle and dangerous after-effects.

Cyber criminals have exploited the unplanned and ill-secured cyber systems we have come to rely on in the pandemic, and, much like the medical effects of COVID, we may not yet fully realize the negative impacts to our overall system – systems that may remain in place long after the pandemic has passed.

Just as to recover physically we will need to more closely adhere to basic health requirements, so too in order to fully recover economically we need to assure that our foundational economic systems, our cyber systems, are secured.

Hence, cybersecurity funding is not simply a convenient rider on a “must-pass” bill. Cybersecurity is an endemic part of COVID recovery.

However, even granting that cyber funding in the bill is appropriate, the direction and use of the funding ought to be properly targeted. Here again it may be helpful to think in broader terms.

It appears that the majority of the money in the bill is targeted at upgrades to federal systems. While it is clear that upgrading the systems is in many cases needed, it is also true that too often the federal process has procured technology without providing adequate training to properly use the new tech.

Moreover, while the proximate cause for including money for federal systems in the COVID bill is likely the recent SolarWinds attack, which impacted multiple federal agencies, thinking of the federal (nonmilitary) systems and the private sector as separate systems, from a cybersecurity standpoint, is faulty.

SolarWinds was not an attack on the federal government. It was an attack on the software systems used by the federal government – and by thousands and thousands of private sector entities. We can’t secure the federal systems by cordoning them off from private systems – they are in fact not cordoned off – they are all part of the same system of systems.

We have to rethink our approach to cybersecurity, and to cyber funding. We can’t secure systems just by going agency by agency, company by company. We need to realize that attackers are attacking both private and public systems, and that we, the defenders – not just the government – need a much closer alignment. This alignment needs to go well beyond the (largely ineffective) information sharing systems and create a true partnership model. COVID relief cyber money ought to address the systemic issues, not just the government tech upgrades. We need to rethink our approach.
