Congress Highlights Agencies’ 2020 Cyber Struggles and Need for Reform

Legislators are calling for Congress to push IT modernization efforts across federal agencies following the 2020 spike in cybercrime due to the COVID-19 pandemic.

Republicans on the House Financial Services Committee say cybercrime increased with the shift to remote work since March 2020 and also with the passage of the CARES Act in April.

“Financial institutions were put in a position to balance the government’s interest in disbursing money quickly against their long-standing interest in implementing a robust system to prevent cyberattacks and scams,” according to the committee’s report. “The federal financial regulatory agencies — which were similarly dealing with a new threat environment as their employees shifted to remote work status — were tasked with strengthening cybersecurity throughout the financial industry and with respect to their own functions.”

The report underscores the cyber struggles federal organizations faced throughout the year, culminating in the SolarWinds software supply chain attack, which federal agencies now believe Russia instigated.

“Hackers sent emails featuring World Health Organization markings and phony information about the pandemic to hack into recipients’ computers,” Republicans said in the report. “Cybercriminals used the pandemic to target corporate and government networks. They used phishing schemes and other tactics to target government employees working from home on less secure networks.”

Federal agencies’ relative unfamiliarity with remote work put them at a cyber disadvantage, the report added, and lawmakers are suggesting operations will need to embrace the digital pivot for good.

“Many agencies were conducting certain aspects of their regulatory work remotely for the first time, including hosting meetings using web-based platforms, employing e-delivery systems and otherwise adapting new end-to-end processes,” the report said. “With regulated entities encouraging employees to continue work remotely, Congress should consider reforms to address the need for federal regulators to modernize their operations to accommodate what may be a permanent transition toward digital interactions.”

The report concludes with a call to action: lawmakers should aggressively pursue IT modernization and cybersecurity oversight policies to help federal agencies prepare for potential similar seismic events like the COVID-19 pandemic and SolarWinds hack.

This is especially urgent, “as remote work and virtual interactions will continue permanently in some form,” the report said.

The departments of Health and Human Services and Veterans Affairs both said the pandemic accelerated their cybersecurity strategies last year. To assist federal agencies working remotely, CISA recently updated its TIC 3.0 guidance with remote user use cases.