Connecting state and local government leaders
As government employees move to remote work, agencies’ network infrastructure and security defenses are feeling the pressure.
As government employees move to remote work, pressure on agencies’ network infrastructure and security defenses is increasing. Hackers are poised to take advantage of an increasing attack surface as workers connect from possibly unsecured devices with unfamiliar tools.
The "new normal" being forged by the response to COVID-19 will require smarter data sharing and cross communication between agency mission leaders and top IT managers, experts said.
Federal agencies are quickly learning that they have to become more flexible with remote and data-sharing tools, as well as tadapt to physical limitations, said Melody Bell, associate deputy assistant secretary for resource management at the Department of Energy's Office of Environmental Management. "The virus is testing systems," she said.
The department, for example, is considering giving employees flexible work hours so not everyone is on the network at the same time. "We're having people adjust hours and limit people on the Citrix system," she said.
DOE employees are finding they must adjust their email and file-sharing practices to on-the-ground conditions.
"Email back and forth among employees is confusing," she said. Participants in email strings can wind up working with different versions of messages, which can confuse and slow collaborative work, she said, adding that "we're not using Sharepoint to share files" effectively.
As the Defense Department tries to meet device demands and keep down network vulnerabilities in the face of an expanding remote workforce, officials have reported an uptick in cyberattacks.
"With the increased telework capability comes an increased attack surface for our adversary. They're already taking advantage of the situation in the environment that we have on hand," DOD Principal Deputy CIO Essye Miller said.
Although she didn't discuss the types of attacks DOD has been seeing, Miller stressed the importance of cyber hygiene -- including not using unapproved applications or streaming services on DOD's networks.
"Please, please, please. The same practices that you use in an office environment need to convey to wherever you're teleworking from," she said, asking employees "not to resort to creative means" or applications that aren't approved for use on DOD systems because it makes the network more susceptible to attacks.
Secure online meetings
To keep virtual work discussions private and secure, the National Institute of Standards and Technology has issued advice, most of which is likely to already be specified (if not always heeded) in an organization's existing policies.
"Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop," wrote Jeff Greene, director of NIST's National Cybersecurity Center of Excellence. "Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively -- and not the genesis of a data breach or other embarrassing and costly security or privacy incident."
Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn't) supposed to be connected.
Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.
NIST’s telework cybersecurity guidance is collected here.