(This article was also published on the Cybersecurity Association of Maryland Inc.’s (CAMI) blog.)
From the wildfires that ravaged the planet, to the hurricane season that continued beyond our naming convention, to COVID-19 claiming nearly 400,000 lives in the US and counting – the year 2020 kept us on the edge of our seats and forced us to adapt quickly to a new set of rules. Additionally, 2020 ushered in what may be the greatest technological shift of our time: the rapid transition from normal in-person business practices to hybrid or fully remote offices, and the urgent shift to online learning across the education spectrum.
2020 delivered culture-shifting changes not only to the world and society in general, but specifically to the world of cybersecurity. As such, our top three predictions for cybersecurity in 2021 are: a deepening of our national awareness and understanding of cybersecurity; a shift in the market dominators, with a new focus on regulatory compliance for Federal Contractors (Cybersecurity Maturity Model Certification, or CMMC); and finally, the birth of an exciting and lucrative new marketplace, in which innovative businesses that take swift action and stand ready to facilitate and guide this new awakening of the cybersecurity landscape will reap great rewards in the near and long term.
The chaos and change of 2020 brought forth many challenges and exposed many infrastructural and behavioral vulnerabilities as we rushed to transition our workforces and schools to online platforms. The urgency of the pandemic forced us to make quick shifts, and in doing so we adopted or created infrastructure with such speed that it was not properly secured. Not surprisingly, cyber-attacks were rampant. Threat actors caused turmoil ranging from the hijacking of online sessions, classrooms, and meetings, where unauthorized participants and sometimes inappropriate material and language interrupted online learning and commerce, to, in some cases, the shutdown of whole educational entities and corporations.
A staff member on the Penacity team has a young daughter in the Baltimore County Public School system, which cancelled in-person learning back in March 2020. A quick transition was made to an online meeting platform, and full-time online instruction resumed. Within a relatively short period of time, the online platform was compromised by a malicious actor who was able to gain access and enter a class that was in session. This caused quite a disruption for the students involved, but also for the rest of the students and parents in the school system, who all had to be notified, adding stress to people already burdened with adjusting to a radical shift in their routine. The school put additional security measures into place, but despite this, a second attack, this time ransomware, forced a total shutdown of all online learning for several days.
But even more than any of these relatively small-scale, local attacks, the March 2020 SolarWinds Orion cyber-attack, which penetrated several branches of the US Federal Government and most of the Fortune 500 companies (and was not disclosed until December 2020), deserves our deep and full attention, as the magnitude and replication of this breach is on a scale of devastation akin to a nuclear attack. We have yet to know the full extent of the damage to our infrastructure and national security from the SolarWinds Orion attack, which has since been attributed to the hacking group Cozy Bear (APT29), backed by the Russian intelligence agency SVR.
Beyond increasing our knowledge and understanding of cybersecurity in 2021, we also predict that many small businesses will struggle due to the disruptions caused by COVID-19. As a result, the surviving IT companies with cybersecurity skills will be well-positioned to dominate a greater share of the marketplace. Additionally, as new Federal regulatory cybersecurity compliance requirements like NIST 800-171, CMMC and Zero Trust are put in place because of the escalating cyber threat environment, they will pose additional barriers to entry for new companies trying to enter the Government Contracting marketplace – thereby strengthening the position of 2020's surviving players. In other words, in the coming 6-12 months there may be a shift in the key market dominators, with greater opportunity for growth as we move forward.
Many lessons have been learned in the wake of these attacks, and my hope for 2021 is that we will collectively understand their root causes and take these lessons to heart to adopt new and more robust strategies and cyber awareness training programs to protect against malicious threat actors.
Furthermore, in response to the unprecedented cyberattacks of 2020, I believe 2021 will be the year of compliance. As CMMC becomes the industry standard for all federal contractors doing business with the DoD (NIST 800-171 will remain the gold standard for Fed-Civ businesses), it will be more important than ever for companies that have not already begun the road to compliance to do so. This could be a make-or-break moment for businesses and their path forward, as they must learn to implement and comply with these new regulations and adapt or perish.
And finally, as CMMC becomes the law of the land (requiring third-party certification, versus NIST 800-171, which is a self-attestation), my prediction is that 2021 will give birth to a thriving and explosive cottage industry of companies assisting other companies with CMMC – either by providing support in preparation for audit, or by becoming certified third-party assessor organizations, or C3PAOs.
In the end, those in the cybersecurity field must always be aware that with every crisis comes great opportunity to drive change, grow, and deepen their understanding of life and their way forward. 2020 may have been a difficult year, but with critical thinking, clear focus, and tenacity, there is no reason why 2021 cannot be our industry's best year yet.