Securing and servicing supply chains and networks in the new normal
September 14, 2020 3:24 pm
This content is provided by Connection and HP Federal.
Everyone is familiar with the great toilet paper shortage of 2020. But that wasn’t the only supply chain in which COVID-19 exposed a weak link. Both the public and the private sector were forced to turn on a dime and convert the vast majority of their workforces to remote. But most organizations didn’t have enough laptops on hand to send everyone home with.
Further complicating the problem, most families only had one computer shared among them. Suddenly everyone was at home, and that computer became a hot commodity. If there were kids in the picture who suddenly needed it for school eight hours a day as well, that just made everything worse.
Of course, not all agencies were caught with their PCs down. On the TechSperience podcast, Todd Gustafson, president of HP Federal, told host James Hilliard that most workplaces already had about 60% of their workforces converted over to mobile products.
“So they had a notebook, if you will, at their desk,” he said. “They undocked it when they left the office and they headed back home. And they had access to all the tools. And not only that, but that system was appropriately hardened to be able to work in those remote environments. But you still had 40% of the government workforce, whether it was civilian intelligence or DoD, that had a traditional desk-based system with a traditional display and keyboard. And all of a sudden, one day they get an email that says the office is closed. And the government had a fairly significant amount of workers that were effectively stranded because they didn’t have access and the tools and the underlying security infrastructure to be able to access their networks remotely from the home. So the first thing that we saw people go do is this rush to go out and buy notebooks.”
That caused the aforementioned supply chain problems. And it wasn’t just availability of the computers themselves; many of the parts required to assemble those computers were made in Asia. That means by the time COVID-19 was shutting down office buildings across the U.S., the factories in Asia that produced those computer parts had already been shut down for months.
This is proof, said Thomas Gardner, chief technology officer at HP Federal, that supply chains are vulnerable to broad threat vectors. That said, a little bit of risk management can go a long way towards securing them.
Another security consideration highlighted by COVID-19 is that of the networks themselves. A workforce that is mostly remote has vastly changed the cybersecurity game. Suddenly the endpoints are outside the traditional network boundaries, operating on residential infrastructure rather than commercial.
“If you’re a bad actor, you basically have a couple different choices,” Gustafson said. “Do you want to take the really hard path and try to get in through a DoD network into their cloud infrastructure? Or do you want to take the easiest path, which is find someone from an endpoint device that doesn’t take the necessary precautions and go through that way, or to go in through a printer that’s not secure on your network.”
Complicating matters, the most recent National Defense Authorization Act approved online marketplaces for DoD, and also raised the purchase card limit to $20,000. That means the Defense Department could potentially purchase computer systems without going through traditional, government-approved contracts.
“The concern is that we potentially allow inferior devices that aren’t secure to be purchased on a P-card, put on a network, and be oblivious, if you will, to the potential impact to our government, to our security as a nation,” Gustafson said. “And all those hacks, the vast majority of them are happening at the endpoint device.”
That’s why it’s important to pay attention to the specifications on any system being purchased for remote working purposes, especially by employees working for federal agencies, or private contractors serving classified environments.
“Just because systems will look the same … they are not the same inside,” Gardner said. “The design of the systems are unique. They are not commodities in any way, shape, or form. And so you have to be careful, if you really don’t know what you’re looking for, and you just pick the first thing that looks good on the exterior. What are you getting on the inside? What kind of security protections do you have, particularly if you’re working in government, and you’re going to use this machine on a government network and VPN? What risk are you providing to your mission execution? Those type of questions really should be going through the federal worker’s mindset, as well as industry, because the industry has the same risk.”