The Department of Homeland Security and the General Services Administration are advising agencies not to use the free video teleconferencing system from Zoom.
Instead, GSA and DHS’s Cybersecurity and Infrastructure Security Agency (CISA) say the Zoom for Government platform, which runs on a government community cloud and has received a Federal Information Security Modernization Act (FISMA) moderate level approval under the cloud security program known as FedRAMP, is an agency’s best option.
DHS and GSA issued the advisory yesterday as reports from the FBI and others about potential security vulnerabilities in the free Zoom application surfaced.
The FBI reported on March 30 that it has received multiple reports of VTC hijacking—also called “Zoom-bombing.” This is when video teleconferences are interrupted by pornographic and/or hate images and threatening language.
“CISA and FedRAMP issued joint best practices to federal departments and agencies about the use of the Zoom for Government conferencing software on federal IT systems,” GSA and DHS stated.
A DHS spokesman said the best practices were not available publicly.
Criminals scanning for cyber holes
CISA and the UK’s National Cyber Security Centre (NCSC) issued a joint cyber threat update as well on April 8 where it highlighted concerns over video teleconferencing applications.
“The NCSC and the CISA have also observed criminals scanning for known vulnerabilities in remote working tools and software, which is evidence that they are looking to take advantage of the increase in people working from home,” the alert stated. “This includes exploitation of the increased use of video conferencing software, such as Microsoft Teams, where phishing emails with attachment names such as ‘zoom-us-zoom_##########.exe’ and ‘microsoft-teams_V#mu#D_##########.exe’ aim to trick users into downloading malicious files.”
A spokesperson for Zoom said in an email that the company takes user security extremely seriously and several public and private sector experts have done “exhaustive security reviews” of the product.
“Zoom is committed to ensuring the privacy, security and trust for all of our users and providing regular updates on the steps we are taking to further strengthen our platform,” the spokesperson said.
The good news about the concerns over the free Zoom application is for many agencies, it’s not a big deal.
Federal News Network reached out to eight large agency CIOs and found most weren’t using Zoom or were discontinuing it with little impact on mission.
Two agency CIOs, who requested anonymity because they didn’t get permission to talk to the press, said they are discontinuing the use of Zoom.
One CIO said they were concerned about the encryption certificate being linked to China for at least some percentage of the sessions that users establish.
Another CIO said their agency weren’t big users of Zoom so discontinuing it wasn’t a big deal.
For most agencies, they’re either using the Government Zoom application or using other collaboration tools like Microsoft Teams.
“Over the last few years, NASA has increased the use of secure enterprise tools, including videoconferencing. NASA has assessed and authorized a number of videoconferencing tools that serve many of our requirements. NASA has also invested in maintaining and enhancing the features and security of these tools,” wrote NASA CIO Renee Wynn in an email. “In 2019, NASA deployed the full suite of tools offered by Microsoft Office 365, which includes the Teams communication and collaboration platform. One of the features of Teams is secure video capability. Teams meetings allow both NASA and our external partners to collaborate in a way that adheres to federal IT security requirements. Because Zoom is not authorized for NASA’s use, NASA employees and contractors are not permitted to initiate or host a Zoom meeting, although they may participate in a meeting if invited by an external party.”
Several CIOs said if an employee is invited to use Zoom from an external party, they are allowed to do so. But one CIO did say they are ensuring that any previous client installations are removed from workstations.
Three other agency CIOs also said they rely on Skype or Teams for video teleconferencing.
“We are continuing to monitor the progress being made to address the issues raised around Zoom, just like we’d do for any system that has vulnerabilities discovered,” said Jason Gray, Education Department’s CIO. “While we have been doing very limited testing with Zoom, we are, and have been, using Skype and Teams as our primary collaboration tools for that functionality.”
Another CIO offered a similar take, saying their agency uses Skype and Teams for a majority of their VTCs, and have not adopted the Zoom platform.
“We are carefully following guidance and information from DHS and OMB on the participation in Zoom meetings that originate outside of our network,” the CIO said.
At the U.S. Agency for International Development, acting spokesperson Pooja Jhunjhunwala said the agency doesn’t use Zoom and it is not approved for use on any federal computer due to security and privacy issues.
“We will continue to evaluate its use for emergency situations,” Jhunjhunwala said.
Another agency, which actually is using the secure Zoom for Government application, will continue to use the tool. That agency’s CIO said they have had certain controls set “on” since their initial deployment of the application.
John Pescatore, the director of the SANS Institute, wrote in a blog post that there are more secure alternatives to Zoom.
“On the end-to-end encryption issue — a term that is thrown around a lot — many issues arise across many products. The bigger issue with Zoom has been user-stored sessions being easily findable and accessible on the Internet — another issue Zoom is working on,” he said.
Johannes Ullrich, the chief technology officer of the Internet Storm Center and the dean of the faculty of the graduate school at the SANS Technology Institute, added in the same blog post what Zoom is experiencing is a common problem among startups—an overconfidence in product capabilities and little connection to the reality of what their product is actually capable of doing.
“The part I find most concerning is the fact that simple statements, like the length of the key used, were obviously wrong in Zoom’s description of the encryption protocol,” he said.
“I urge the FTC to issue guidance and provide a comprehensive resource for technology companies that are developing or expanding online conferencing tools during the coronavirus pandemic, so that these businesses can strengthen their cybersecurity and protect customer privacy,” he wrote.
He said at a minimum, this guidance should cover topics including:
Implementing secure authentication and other safeguards against unauthorized access;
Enacting limits on data collection and recording;
Employing encryption and other security protocols for securing data; and
Providing clear and conspicuous privacy policies for users.