February 2021
Dear Washingtonians!
Cybersecurity professionals at the start of each year dust off their crystal ball and try to predict what the next 12 months may bring.
As you might expect, 2020 was not a good year for predictions. Who knew a pandemic would sweep the planet and turn our lives upside down? The resulting global shift to remote work forced unprecedented shifts in technology that created new avenues for attackers. Every state was impacted by these forces, including Washington state.
Unfortunately, I expect 2021 to bring more of the same, in terms of the cyber threats we face. I believe the state must collectively focus on the following five areas to prepare ourselves for what's ahead:
Remote work: Teleworking for state employees is likely to be with us for several more months at least. And even after the pandemic passes, it may continue at higher levels than we've seen in the past. We know from experience that bad actors always focus on exploiting behavior and vulnerabilities. So, what does this mean? The prediction for 2021 is that bad actors will exploit home networks to pivot into work computers to enter organizations networks. This underscores the importance of timely patches and appropriate security protections on home devices and enhanced endpoint protection on work computers
Virtual Private Network (VPN): Because most of the state workforce is still teleworking, we rely heavily on our VPN technology to securely access key resources within the state system. So, what about our VPN? Do we think it's solid, do we think access is at the appropriate level to be managed and controlled? 2020 saw an increase in bad actors exploiting vulnerabilities in VPN platforms. Is it time for a zero-trust model?
Digital Transformation: Washington state is focusing on digital transformation, including the use of different collaboration tools and providing more efficient ways of delivering services. Certainly, there is an urgent need, as demonstrated by the pandemic, for modernizing government services and doing things differently. But again, what does it mean for security? Does this transformation warrant a case study for Secure Access Service Edge (SASE)?
Cloud: Cloud services provide the backbone for digital transformation. But there are pain points that come with the opportunities. The cloud is only as secure as we make it and I believe there are many things that must happen in terms of cloud governance and cloud control - a cloud security control framework. As a state do we need to evolve our approach to security for cloud services?
Multi-factor Authentication (MFA): Our increasing reliance on technology and cloud services also raises questions about access to all these different tools. What does the password management look like? How are these services protected? I believe we must increase our use of multifactor authentication and make that a large part of our practice.
As you can see, I'm raising questions, not proposing solutions. But these are the key areas I believe we need to focus on in 2021 so we can continue to improve the state's security posture.
I welcome your thoughts and ideas and look forward to our continuing partnership to serve this great state. Thank you for all that you are doing.
Vinod Brahmapuram
State Chief Information Security Officer