As a former head of the third largest department in the federal government, I know the critical importance of being able to communicate with key staff quickly and clearly to make operational decisions. But what if your communications have been disabled or compromised?
As a leader or manager, what would you do in that situation? Do you have a list of the personal phone numbers and email addresses of your key staff? How would you give direction to your essential workers? How would you communicate with other relevant leaders to coordinate an appropriate response?
In government as in business, chaos is the ultimate enemy.
Interfering with a government’s ability to communicate among itself is one of the easiest ways for an adversary to sow chaos. This goes beyond simple inconvenience; this is a matter of national security.
This vulnerability has been staring us in the face for quite some time. It became painfully clearer in early 2020, when Russian hackers inserted malicious code in SolarWinds’ Orion software, allowing them to rummage through the computer files of many organizations using Microsoft Office 365 for their email and document drafting needs.
That breach and this year’s Hafnium zero-day attack impacted nine federal agencies, three state governments and over a hundred U.S. companies,
I have first-hand knowledge of this type of chaos. When I was acting secretary of the Department of Homeland Security, our email system was compromised. It forced the department’s senior leaders to use alternative means to communicate. That was bad enough. But what if such a breach rendered the entire government unable to email? How would the government communicate?
Securing our clouds, servers, networks, and computer endpoints to ensure that federal, state, and local governments can continue to operate must be considered a core function of government. It is essential that our leaders assure continuity of communications, including email, chat, video conference, and other services. And there must be better resiliency built in the overall system.
While the government must have practical communications technologies in place to assure continuity of operations, it must also be careful to use a diversity of companies to ensure communications tools remain available. It is inherently dangerous if everyone is dependent on the same software from the same company. We can’t afford to put all our eggs in one basket.
The most recent breach taught me that the government should be using varied products and services at agencies to ensure continuity of communications, and not rely on one provider. Vendor diversity, layered technologies, and continuity of operations planning is needed to ensure the government can communicate in a time of crisis.
Innovation and competition in the cybersecurity arena is critical to ensuring that the federal government gets the latest technology at the best value. Competition also ensures that a “defense in depth” strategy, where multiple technologies from many vendors are layered, is in place to shrink the attack surface. At a time when Big Tech controls much of our content, the federal government should be looking to diversify its offerings and reduce its risk, while saving tax-payers money from cost over-runs.
Now is the time to rethink how the government can ensure communications and use all the innovative services available from U.S. technology companies. These recent hacks and data breaches are just opening salvos. If we don’t heed them and take practical countermeasures, we will face chaos in a time of crisis.
This piece originally appeared in The Daily Signal.