Connecting state and local government leaders
From increasing the capacity of VPN infrastructure to rethinking the IT help desk, chief information officers had to address new challenges during the early days of the coronavirus pandemic.
The coronavirus pandemic brought about unique cybersecurity challenges for state information technology officials as broad swaths of government employees began working from home this year.
In Colorado, the shift toward remote work meant the state’s Chief Information Security Office had to drastically increase the capacity of the government’s VPN infrastructure. The state scaled up its VPN capacity from 10,000 to 30,000 concurrent sessions over the course of a weekend to improve cybersecurity while employees connected to work systems from home, said CISO Deborah Blyth, speaking during a panel discussion Wednesday at the National Association of State Chief Information Officers online conference.
That was not only to ensure government communications were secure, but also to provide systems and software updates, Blyth said.
“You had to connect to our VPN in order to get patches,” Blyth said. “Our legacy way of doing things was that everybody was in the office, so patches were pushed out automatically over the office network.”
The transition to remote work involved heavy lifting on the part of state information technology staff—who both had to address the infrastructure capacity of legacy systems and educate workers on the new technology, while also promoting proper cybersecurity protocols.
Before the pandemic, 52% of state CISOs said less than 5% of state government staff worked remotely, according to a NASCIO and Deloitte cybersecurity survey. Now 35 states say that more than half of their employees are working from home due to the pandemic. Nine states report that more than 90% of their workers went remote.
“It was the ultimate stress test for infrastructure and organizational skill,” said Maine Chief Information Officer Fred Brittain of the state’s rapid transition to widespread remote work.
To help employees quickly transition so that government services were not interrupted, Brittain said his office worked to acquire and deploy laptops. In some cases, employees were allowed to use personal devices in ways that IT professionals would not have authorized under other circumstances.
To help government employees get used to using new video conferencing systems, VPNs and other applications for the first time, Brittan said his office had to rethink its help desk strategy.
“We realized the traditional support of the help desk number was not going to be enough. People were really struggling,” he said as he spoke on a cybersecurity panel at the NASCIO conference.
So, the staff in Brittain’s office began hosting virtual office hours, sessions that state employees could join so they could ask questions and learn more about the new technology. That proved to be a useful step that also helped the CIO gather feedback on where more technology education was needed.
After the initial infrastructure needs were met, information technology officials found they needed to re-educate their now-remote government workforce on best cybersecurity practices. For Maria Thompson, North Carolina’s chief risk officer, one key practice was checking to ensure workers use the same standard and approved methods for teleconferencing, so they do not use systems with security flaws. She said her staff worked with state agencies to provide updated cybersecurity education to help employees “understand why we want them to use this particular solution over another solution.”
In Maine, Brittain said reenforcing cybersecurity and privacy protocols in workers’ homes means reminding them not to check personal email on state-owned devices or to keep non-public government data out of view when on video conferences. Through the end of the year, Brittain said his focus is on both using CARES Act money to address infrastructure needs and shoring up security concerns ahead of the presidential election.
Andrea Noble is a staff correspondent with Route Fifty.