Agencies face the possibility of extended and widespread telework as coronavirus continues to spread throughout the United States, closing schools and canceling events throughout the national capital region. But more federal employees teleworking will likely increase cybersecurity risks for the government, experts said.
“We’ll see employees not connecting to VPN, we’ll see employees doing email just from their phone versus doing it on their laptop with secure VPN. We’ll see employees downloading applications and tools to be able to make their lives as easy as it once was,” said James Yeager, vice president of public sector and health care at CrowdStrike, a threat intelligence company. “And [that] allows some of the security threat vectors to start to creep into these critical business functions.”
Ideally, agencies had already prepared for a massive shift to working from home following a March 3 memo from OPM directing agencies to prioritize telework in their operations plans. Several cabinet departments and agencies told Federal Times earlier in the week that they planned or had completed stress tests on their network to gauge if they were prepared for such an event. Even if agency networks are prepared, there are still big cybersecurity risks.
In a March 12 memo, the Office of Management and Budget encouraged federal agencies to “maximize telework flexibilities” to vulnerable populations, a move that will likely greatly increase the stress on federal networks and push the government one step closer to a broader telework mandate. That would mean employees could be working from anywhere, at home or a local coffee shop, and as a result agencies need to have strong cybersecurity measures in place, several experts told Fifth Domain.
“It really should be advised the two-factor authentication is empowered and enabled, that VPN connectivity is not optional or preferred, it’s required,” Yeager said.
Another uncertainty is just how long federal employees would be encouraged — or required — to telework. In the Washington, D.C., area, several school districts canceled classes for weeks, increasing the likelihood of mass telework as parents need to care for their kids.
If employees are asked to remain at home long-term, agencies need to establish a way to handle remote security patches or to fix bugs in a device’s software.
“A lot of times you’d wait for them to come back to the corporate network to push the security patches just because that’s where you had the most bandwidth,” said Dan Fallon, senior director for systems engineers at Nutanix, an enterprise IT company. “Now they may have extended workers outside of the corporate network where they got to do remote patching, which they may not have really been set up for.”
Susceptibility to spearphishing emails also continues to be a top issue. Experts said that employees were more susceptible to those types of attacks at home because they are likely to browse the internet while teleworking.
In recent days, threat intelligence companies have warned of coronavirus-related phishing attempts. Several reports also mentioned a website that claimed to track coronavirus cases and in the process installed malware.
To defend against these types of threats, often associated with personal internet browsing, Fallon said agencies needed to separate the work environment from the device.
“That ensures that if they’re on Facebook and they click the wrong link, whatever happens is on their home desktop and the virtual session is in the cloud completely separate,” he said.
What work remains?
Greg Touhill, the first federal chief information security officer, told Fifth Domain it was “critically important” that agency leaders determine what information and data employees can access remotely, and from what types of devices.
“Most government entities don’t have the money to send everybody home with a laptop, let alone one that’s equipped with a CAC or a PIV,” said Touhill, now president of AppGate. “Identifying an architecture that’s going to accommodate BYOD [bring your own device] ... that’s going to be critically important.”
Sean Frazier, advisory CISO for federal at Cisco’s Duo Security, reiterated Touhill’s point, adding that if user laptops can’t accommodate government secure access cards, then agencies have to find a log-in mechanism that “is protected in the same fashion or at the same level as if they were sitting at their desk.”
Another looming possibility is that not all federal employees are allowed to telework, and in the weeks ahead the government could tell those employees to work from home without first teaching them how to do it securely. Simon Szykman, who served as the Department of Commerce’s CIO from 2010 to 2014, told Fifth Domain that agencies need to give non-telework employees security awareness guidance.
“It’s an issue of informing people about the difference between what they’re used to” and teleworking, said Szykman, now managing director and chief technology officer of Attain’s federal services division.
The Cybersecurity and Infrastructure Security Agency, the agency tasked with protecting federal networks, issued enterprise VPN security guidance in a March 13 alert.
“Any time you got outside the enterprise firewall there’s a little higher risk,” Fallon said. “It’s a lot of employees outside of the core office which means they’re outside the security posture both from a physical standpoint and from an IT-virtual standpoint.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.