The coronavirus pandemic has forced the hands of agency leadership to maximize flexibility on telework for their employees, in some cases making the unprecedented decision to send employees to work from home for about a month.
Agency headquarters in the Washington, D.C., metro area have prepared for mass telework scenarios in the past – such as major snowstorms and Pope Francis’ 2015 visit to the capital.
But former federal cybersecurity officials warn that this extraordinary volume of employees working from home over an indeterminate amount of time has put a unique stress test on federal IT systems.
Former Federal Chief Information Security Officer Greg Touhill, now the president of AppGate Federal, told Federal News Network that the enterprise-wide virtual private networks (VPNs) most agencies run are expensive to maintain and don’t scale well without significant back-and-forth between IT personnel and front-line users.
That, combined with years of constrained agency IT budgets, could put some agencies in a bind trying to maintain capacity.
“Everybody runs their own networks, so we don’t really have an enterprise approach to secure remote access,” Touhill said. “Some departments and agencies have invested well. Others have taken some risk in the area and have not invested well.”
Sean Kelley, the former CISO of the Environmental Protection Agency and deputy chief information officer of benefits and veteran experience at the Department of Veterans Affairs — now the host of CyberChat, a Federal News Network podcast — agreed that capacity will remain a top concern for federal IT officials.
“Where you might have had 20, 30, 50% of your workforce connecting to the VPN at any time, now you have 80-to-100% of the workforce connecting via VPN all the time. And a lot of CIOs just didn’t plan for that, because that’s just not the scenario that we lived in before this week,” Kelley said.
“There’s going to be some shortages. It’s just a money game — do you buy a VPN that everybody can connect [to], or do you not? Most of us would make the decision ‘no.’ It’s just limited IT funds,” he added.
While agencies are stuck with the capacity that they have, keeping that telework infrastructure up to date raises its own challenges. Agency CIOs typically announce planned outages to update software patches and improve security, but scheduling those updates may become more of a challenge.
“Now they have to be planned in this new paradigm, and that’s something else that CIOs will have to be struggling with as we go forward,” Kelley said. “If this goes two weeks, not a big issue. If this goes four weeks, six weeks, eight weeks, this is a bigger problem.”
Beyond just capacity, agency CIOs and CISOs must also strike a careful balance between getting employees onto the network, and keeping malicious actors from gaining access.
Through VPN access and compromised credentials, malicious actors in 2015 stole the personally identifiable information of nearly 22 million people from the Office of Personnel Management.
While agencies have implemented much more robust identity management policies since the OPM data breach, enabling this much remote access could undermine some of those efforts.
“You only should be able to see what you’re authorized to see and nothing else, but when you do the VPN, you really don’t have as good an ability to implement that least privilege,” Touhill said.
With telework on the rise, the Cybersecurity and Infrastructure Agency said workers should expect an increase in phishing emails, especially those disguised as updates on coronavirus guidance.
Meanwhile, Touhill said federal employees should exercise caution with what they post on social media, which may be exploited by malicious actors looking to target federal employees working from home.
Given the sudden rush to telework en masse, Touhill said that adversaries will also bet — “probably correctly” — that some government work will get done on personal, non-government-issued devices.
That, he said, would make them more vulnerable to ransomware and malware introduced through phishing campaigns.
“If they can get a foothold into those home systems, they may have the tactical and strategic advantage. All employees should be cautioned as to the importance of maintaining their cyber posture at home just as much, if not better, than what they were doing back in the office,” Touhill said.
Employees with telework agreements already in place and who regularly work from home, Kelley said, are likely warier of suspicious emails.
But those who telework less frequently or are new to telework, he added, might be “less vigilant” about targeted phishing emails.
“They may click on an email that maybe if they were in the office, they wouldn’t. They’re going to see really well-crafted phishing attacks that are targeted toward different information, and everybody’s just grasping for all kinds of information as we learn new things every moment,” he said.
Beyond hypothetical threats, the Department of Health and Human Services came into the spotlight Monday with reports of anomalous cyber activity on its networks.
“On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter,” HHS spokesperson Caitlin Oakley said in a statement. “Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.”
HHS Secretary Alex Azar, at a White House press conference on Monday, clarified: “We had no penetration into our networks. We had no degradation of the functioning of our networks. We had no limitation of our capacity for people to telework. We’ve taken very strong defensive actions.”
“The source of this enhanced activity remains under investigation, so I wouldn’t want to speculate on the source of it,” Azar added. “But there was no data breach or no degradation in terms of our ability to function and serve our important mission here.”