If federal agencies were constantly on guard the past several years, as cyber-attacks grew in intensity and effectiveness, the past several months of the pandemic has dumped fuel on that fire of fear and paranoia.
In March, like so many large work forces, VA was facing an uncertain future. With nearly 400,000 employees, it is predominantly an on-premise environment.
“Pre-COVID, we had roughly 56,000 folks enterprisewide who were accessing remote access. About 40,000 of that was through a virtual private network or VPN,” Gfrerer said onFederal Drive with Tom Temin.
As the pandemic-driven stampede to telework began, the VA nearly tripled its work-from-home employees.
“We ended up leveling out at about 140,000. It was our high water mark,” Gfrerer said. “One of the interesting things is, for IT folks, you rarely if ever get the opportunity or demand to test in your production environments.”
So with no time to spare, VA put its internet connection gateways through stress tests, pushing all of one day’s traffic through one gateway. The line was rated to handle 35,000 to 40,000 and they were pushing 40,000 through.
“That was with cooperation and the patience of our business lines. They said, ‘No, we understand you need to test it, we need to do it now, so that folks are ready if we go into some significant telework, you’ve got to stabilize and upgrade the infrastructure,’” he said.
Gfrerer sang the praises of his vendor partners, the carriers and infrastructure providers, as well as those at the data centers.
“We’re always going to need to provide a certain amount of both VPN and non-VPN access into the network. We’re working to balance that solution, but more importantly, we’re working — and this is consistent with [the Office of Management and Budget] and other federal cloud initiatives — to provision those in some sort of cloud environment. With the pandemic, I think you had a lot of folks who were scrambling with on-premise environments, and that’s a lot harder to scale up and scale down. In the future and even going forward, we are in a much better position to efficiently, from a cost standpoint, but also effectively from an infrastructure standpoint, look at our cloud service providers and scale up and scale down, as needed, in both environments,” Gfrerer said.
VA and all agencies will have to remain vigilant to avoid being successfully targeted by hackers, which means technical superiority as well as an educated workforce.
“We put a high premium on ensuring our workforce is aware and trained. The human is always, at least now, going to be the weakest link. And so, our previous efforts around our phishing campaigns in education, we added some additional functionality both in our email and our web services, so people could report phishing attempts a lot easier. All that created a much better security awareness environment with our workforce. I’m really proud of our workforce and how they’ve responded because as everyone’s experienced, the threat actors are still out there, and they’re looking to take advantage of the chaos and the pandemic. So I think from a human-factor standpoint our folks performed really, really well and will continue to enable and double down on the education,” Gfrerer said.