Agencies stress workflow, cyber basics in telework blitz
- By Mark Rockwell, Lauren C. Williams, Derek B. Johnson
- Mar 18, 2020
As government employees move to remote work, pressure on agencies’ network infrastructure and security defenses is increasing. Hackers are poised to take advantage of an increasing attack surface as workers connect from possibly unsecured devices with unfamiliar tools.
The "new normal" being forged by the response to COVID-19 will require smarter data sharing and cross communication between agency mission leaders and top IT managers, experts said.
Federal agencies are quickly learning that they have to become more flexible with remote and data-sharing tools, as well as adapt to physical limitations, said Melody Bell, associate deputy assistant secretary for resource management at the Department of Energy's Office of Environmental Management. "The virus is testing systems," she said.
The department, for example, is considering giving employees flexible work hours so not everyone is on the network at the same time. "We're having people adjust hours and limit people on the Citrix system," she said.
DOE employees are finding they must adjust their email and file-sharing practices to on-the-ground conditions.
"Email back and forth among employees is confusing," she said. Participants in email strings can wind up working with different versions of messages, which can confuse and slow collaborative work, she said, adding that "we're not using Sharepoint to share files" effectively.
As the Defense Department tries to meet device demands and keep down network vulnerabilities in the face of an expanding remote workforce, officials have reported an uptick in cyberattacks.
"With the increased telework capability comes an increased attack surface for our adversary. They're already taking advantage of the situation in the environment that we have on hand," DOD Principal Deputy CIO Essye Miller said.
Although she didn't discuss the types of attacks DOD has been seeing, Miller stressed the importance of cyber hygiene -- including not using unapproved applications or streaming services on DOD's networks.
"Please, please, please. The same practices that you use in an office environment need to convey to wherever you're teleworking from," she said, asking employees "not to resort to creative means" or applications that aren't approved for use on DOD systems because it makes the network more susceptible to attacks.
Secure online meetings
To keep virtual work discussions private and secure, the National Institute of Standards and Technology has issued advice, most of which is likely to already be specified (if not always heeded) in an organization's existing policies.
"Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop," wrote Jeff Greene, director of NIST's National Cybersecurity Center of Excellence. "Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively -- and not the genesis of a data breach or other embarrassing and costly security or privacy incident."
Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn't) supposed to be connected.
Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.
NIST’s telework cybersecurity guidance is collected here.
This article is a combination of three reports from FCW, a sibling site to GCN.