The Washington PostDemocracy Dies in Darkness

Opinion Now is the perfect time for a cyberattack. Here’s how to stop one.

The Department of Homeland Security St. Elizabeths campus in Washington. (Carolyn Van Houten/The Washington Post)

Jane Holl Lute was deputy secretary of homeland security from 2009 to 2013 and is on the board of the Center for Internet Security. Peter J. Beshar is general counsel of Marsh & McLennan, the world’s largest risk adviser, and has testified before Congress on cybersecurity multiple times.

Millions of corporate employees, scattered across this country and around the world, are trying to work from kitchen tables, bedrooms, basements and even cars. Sensitive financial and operational data fly, in unprecedented volumes, across VPN networks, personal routers, sketchy home WiFi systems and wireless printers.

Beyond the threat that covid-19 poses to public health, the pandemic has exposed a massive new risk for global corporations: a debilitating cyberattack. In this moment, a powerful attack could be the one-two punch that brings corporations to their knees.

Employees are fatigued, stressed and distracted as weeks turn into months of confinement. Any semblance of separation between work and home has collapsed. People can hardly remember the day of the week. Children roam in and out. Deliveries drop at the door. Dogs bark. We open the refrigerator door again (and again). All the while, our data sit on loosely protected networks, creating vastly expanded attack surfaces for threat actors.

Full coverage of the coronavirus pandemic

And this is the situation among employees who have not been fired or furloughed. Beyond these ranks, millions of others have lost jobs. Their frustration could fertilize the ground for retaliation against former colleagues or companies — a kind of “insider” attack from the newly outside.

So, how do people and companies protect against these risks? As President Dwight D. Eisenhower advised, plans are useless but planning is indispensable. The public and private sectors should align immediately to plan against this threat.

The pandemic has clarified three steps urgently needed to shore up our cyberdefenses while battling this unprecedented health threat.

First, greater clarity is critical regarding who would lead the government’s response to a major cyberattack. The pandemic revealed serious fault lines, not only within the federal government and its agencies (the Department of Health and Human Services, the Centers for Disease Control and Prevention, the Federal Emergency Management Agency, the Food and Drug Administration, the White House, etc.), but also among the federal government and the states, and between government and the private sector.

By trying to reassign seats in the White House briefing room, the Trump administration is attempting to stifle real journalism, says media critic Erik Wemple. (Video: The Washington Post, Photo: Jabin Botsford / WP/The Washington Post)

The White House lacks a clear cyber leader. The bipartisan Cyberspace Solarium Commission recommended in March that there should be a Senate-confirmed national cyber director in the White House (or “cyber czar”) to coordinate interagency matters and interact with the business community. The cyber agenda has long been a source of vigorous interagency tension, but the Cybersecurity and Infrastructure Security Agency recently established within the Department of Homeland Security has made strides in sharing threat intelligence and best practices with the private sector as well as with state and local governments.

Industry interaction is especially important around cybersecurity. More than 85 percent of our nation’s critical infrastructure is owned or operated by the private sector. This infrastructure includes electrical grids, telecommunication networks, financial markets, nuclear plants, health-care systems and transportation systems. Securing these operations will necessarily be a distributed responsibility, but clear-eyed, decisive federal leadership would help establish the sense of control that is sorely lacking.

Second, businesses must revisit their cyber contingency plans. Tabletop exercises that companies previously conducted assumed that crisis management teams were on premises. Planning must reflect our new, remote reality. This includes providing key personnel with reliable cellphone numbers and backup email addresses for all senior executives — in paper form. The 2014 cyberattack against Sony (widely attributed to North Korea) ground the company to a virtual halt. Communication among thousands of employees was effectively cut off, and the management team relied on in-person meetings, office landlines and, eventually, a stash of old BlackBerrys. A similar attack during quarantine could isolate executives for days. More broadly, businesses should know what’s connected to and running on their networks, aggressively manage administrative privileges and continuously patch vulnerabilities.

Third, employees working from home need to also follow basic cyber hygiene. Personal and home-office routers typically lack the level of security installed on business routers and often rely on default passwords created by manufacturers. In 2018, the FBI found that Russian hackers had compromised hundreds of thousands of home routers, enabling them to steal sensitive data and shut down network traffic. When work devices are being used to access proprietary business data — as well as for personal Zoom calls, TikTok videos, yoga classes and more — each employee has a role to play not just in their company’s cyber resilience but also in the nation’s cyberdefense.

Our main cyber adversaries and other malevolent actors are acutely aware that our country is consumed by unprecedented health and economic crises. This is a critical moment for government and corporate America to come together to protect U.S. cyber resources and critical infrastructure.

The Opinions section is looking for stories of how the coronavirus has affected people of all walks of life. Write to us.

Read more:

Allison Peters and Ishan Mehta: This is not the time to leave our hospitals unprotected against cyberattacks

David Ignatius: We weren’t ready for a pandemic. We better be ready for a cyberattack.

Max Boot: Covid-19 is killing off our traditional notions of national defense

Josh Rogin: It’s time to take off the gloves against Chinese cybercrime

Coronavirus: What you need to know

Where do things stand? See the latest covid numbers in the U.S. and across the world. In the U.S., pandemic trends have shifted and now White people are more likely to die from covid than Black people.

The state of public health: Conservative and libertarian forces have defanged much of the nation’s public health system through legislation and litigation as the world staggers into the fourth year of covid.

Grief and the pandemic: A Washington Post reporter covered the coronavirus — and then endured the death of her mother from covid-19. She offers a window into grief and resilience.

Would we shut down again? What will the United States do the next time a deadly virus comes knocking on the door?

Vaccines: The CDC recommends that everyone age 5 and older get an updated covid booster shot. New federal data shows adults who received the updated shots cut their risk of being hospitalized with covid-19 by 50 percent. Here’s guidance on when you should get the omicron booster and how vaccine efficacy could be affected by your prior infections.

For the latest news, sign up for our free newsletter.