What the Pandemic Tells Us About the State of U.S. Cybersecurity
The pandemic has fundamentally shifted our daily lives, governance, and leadership, and it has taught us many lessons about crisis prevention and aversion. These lessons apply directly to cybersecurity, not just public health. Like a pandemic, cyber attacks are a global issue that affects many people, and the adversary seeks to harm as many people as possible. Disruptions caused by adversaries interrupt our daily lives, the economy, and our system of government. And just as preparing ahead of time by building resilience, bolstering defenses, and increasing prevention strategies is beneficial for future pandemics, the same ideas are beneficial for preventing future cyber attacks. Thus, the COVID-19 pandemic can teach us a great deal about how best to prepare for cyber attacks.
Lesson 1: National leadership and coordination are crucial. Crisis management is heavily dependent on strong national agencies and leaders. For public health, this is Dr. Anthony Fauci and the CDC. For cybersecurity, however, while there are CISA and the DHS, there is no national cybersecurity director, and these agencies do not have enough power to carry out their goals of protecting the United States. It is clear that having a strong national agency and leader to advise the White House on public health policy has been crucial for mitigating the effects of the virus, and the same holds for cybersecurity. There must be a national leader and a strong national organization that advises the White House on cybersecurity policy so that the United States can make informed decisions and protect its citizens effectively.
Lesson 2: We need better data and risk assessment. It is clear now that the U.S. was grossly underprepared for disease control. We are on the same trajectory with cybersecurity: it is apparent that we are underprepared for an attack. Preparing ahead for a pandemic means assessing who would be the most at risk, and whether masks, medicine, or social distancing is the best mitigation tactic. For cybersecurity, this means assessing who would be the biggest target in an attack and how vulnerable they are. This would allow policy-makers to make informed decisions on how best to help the public and targets. Risk management can be greatly enhanced with good data. However, the U.S. does not own the cyber infrastructure it seeks to protect. This is why CISA must be strengthened, so that we can generate more accurate data to improve our risk-management strategies.
Lesson 3: We need to build resilience into our economy. Just as changes to production were needed at the beginning of the pandemic to meet the skyrocketing demand for medical supplies and PPE, the United States needs to be prepared to keep the economy running as smoothly and with as little interruption as possible in the case of a cyber attack. Currently, many of our tech supply vendors are unreliable and outsourced. The United States needs to solidify our vendors and ensure that they are reputable and trustworthy.