While the cyber security landscape in 2020 was undeniably shaped by the COVID pandemic and widespread fears that disinformation could delegitimize a democratic election, the first quarter of 2021 was dominated by the “Sunburst” hack that compromised many federal departments and agencies. Amidst those compelling concerns, however, I believe that another vital infrastructure security issue has been largely overlooked. COVID, disinformation, and supply chain vulnerabilities have all underscored the criticality of systemic IT security for mobile devices.
It is time for all federal departments and agencies to fully embrace teleworking and mobile connectivity as one form of standard operating procedure. We cannot afford to be caught off guard again by the next pandemic or another exigency.
As a result of my own 16-year career in the Intelligence Community, I am painfully aware of how difficult the issues of teleworking and “bring your own device” (or “BYOD”) can be for certain organizations — but whether it is for continuity of operations in a crisis, improved efficiency, or quality of life issues for workforce retention, the shift to remote and mobile connectivity that COVID accelerated is here to stay. It is imperative that federal policies allow CTOs, CIOs, or CISOs to evaluate new requirements and procurement officers to acquire (or mandate in the case of BYOD) the needed security solutions.
As Dr. Thomas Wingfield, former Deputy Assistant Secretary of Defense for Cyber Policy, eloquently stated in a speech last November, “Organizations need to move from a paradigm of cybersecurity, to one of cyber resilience.”
Federal CISOs can no longer hope to have a well-delineated perimeter that they can securely administrate; instead, they will need to ensure functional resilience for mobile and IoT devices that are technically and legally beyond their control.
At a December 2020 AFCEA webinar entitled “Paper Security vs. Real Security,” several prominent information assurance leaders spoke to that very concept of federal workplace resilience in the contexts of COVID, BYOD, and FedRAMP. My own recommendation for operating in a zero-trust mobile environment is aimed at…