Presented by Fortinet Federal
By Jim Richberg, Chief Information Security Officer (CISO) at Fortinet
Some people continue to talk about how we're somehow going to go back to "normal" (whatever that was) when the pandemic is over. It's time we all accepted the fact that nothing is ever going to be the same.
The reality is that the pandemic is going to leave all of us and society at large inexorably changed. These changes include the systems that keep society going. The way we work, where we work, and the networks that keep businesses and cities operating are all different than they were two years ago. And they're not going back.
According to the security leaders I speak with, the pandemic did not cause organizations, especially state or local governments, to slow their pace of digital innovation; it merely changed the direction.
Instead, operational, security, and networking teams worked together to get people set up to work from home securely, virtually overnight. In addition, services were created seemingly out of thin air to help keep citizen services functioning. This convergence of networking and security made it possible for remote workers to securely access resources in the cloud and at the office. It also kept government services functioning, with new or changed service approaches to accommodate the shifts needed.
If there's any silver lining to the pandemic, it might be that it forced people to finally take security seriously. When people are connecting from everywhere, the stark reality that cybersecurity affects everyone becomes much more difficult to ignore. This is good news for government IT leaders in the long term.
Cybersecurity Affects Everyone
As we move forward into 2022, cybersecurity needs to become a routine and expected part of daily life. It needs to be part of our lives as government employees, as consumers of online services, and as users of infrastructure.
In year three of the pandemic, the realization has set in that not everyone is going to be returning to the office, or at least not full time. Hybrid work is here to stay, and organizations have had time to figure out what their post-COVID setup might look like.
The pandemic also brought into focus the societal impact of the digital divide and the recognition that despite years of efforts to expand high-speed connectivity, many areas remain appallingly underserved. Addressing the impact this lack of infrastructure has on education, health, and prosperity goes beyond solutions the private sector can provide. The government’s response, especially the new infrastructure law, means that upgrades are likely to be made to infrastructure elements that are clearly recognized as digital, such as broadband. But even when infrastructure is "bricks and mortar," it is increasingly likely that it's networked and has a digital element as well. Smart buildings and the sensors and control devices on roads and dams are just a few examples.
Partnering for the Public Good
Making the wide-ranging improvements to infrastructure outlined in the new law will require public-private partnerships. The role of government is obviously to provide funding, but the private sector will end up building and operating virtually all of the infrastructure upgrades.
In addition to providing money, government also needs to play a continuing role in establishing and enforcing standards. Left to its own devices, the marketplace won't solve all the problems related to securing infrastructure. But government can help shape behaviors for the public good. For example, pharmaceutical production is highly regulated for good reason. What that means for cybersecurity is that government shouldn't dictate exactly how something is secured (because that will undoubtedly change over time), but it does need to set goals that can be operationalized as standards, and then to create any regulation or funding requirement needed to drive implementation of these standards.
The Colonial Pipeline attack last year is just one example of why infrastructure needs to be further secured. Few want to contemplate the potential impact of a serious attack on an electrical grid or airline communications, but it's important to face the truth head-on.
Threats are increasing, according to the latest threat report from Fortinet’s FortiGuard Labs, and when it comes to infrastructure, the consequences of inadequate cybersecurity can be devastating, so failure to implement basic cyber hygiene should not be tolerated.
Government is involved in shaping the protection of many systems like infrastructure where there is no room for error. For example, the zero-trust access security model was called out in the recent cybersecurity Executive Order as a key operating principle for protecting government networks and data. Zero trust dictates that the level of access should not be based on location, so the same degree of validation and security is applied whether a user or device is located within the network perimeter or outside of it. In this era of smart devices and on-demand networking, the notion of a static network perimeter is increasingly irrelevant, so zero trust has become a key part of any robust cybersecurity strategy. Fortunately, viable private sector cybersecurity solutions exist for zero-trust access as well as many of the other security problems we face.
As both threats and cybersecurity technology continue to evolve, it's important to include flexible, scalable security solutions and avoid falling victim to paralysis by over-analysis when evaluating options. In other words, focus on what to accomplish—a goal such as zero trust—without dictating how that needs to be delivered. Because cybersecurity affects everyone, it's more important than ever for governments and the private sector to work together to ensure that systems are protected now and in the future.