Federal-grade encryption from the comfort of home
- By Joel Wallenstrom
- Jun 08, 2020
With the COVID crisis pushing federal employees to work from home, we’re seeing a first-of-its-kind test for the way modern government functions. Even as agencies take great pains to ensure the security of messages, shared documents, video calls and phone chats across offices and missions, outdated computer systems or reliance on common communications platforms outside central offices opens an opportunity for exposure that could put government data at risk.
Only about 40% of the country’s 2.1 million federal workers were authorized to work remotely as of 2017, yet the pandemic has pushed larger agencies such as the Department of Health and Human Services, the Securities and Exchange Commission and the Energy Department to take precautions to prepare employees for a remote shift.
A large majority of intelligence workers still must go into work in highly secure government facilities where stringent policies and procedures ensure robust cyber protection, but for the rest of remote government workers, this could be a make-or-break moment.
As with many in the private sector, the rapid pace at which security threats have evolved has forced agencies to update and secure dated systems piecemeal. A gradual, lagging response to updating systems has now become a top priority due to the coronavirus. This has caused an exponential increase in federal agencies adopting end-to-end encryption (E2EE) as the only way to truly be sure that every employee -- from those working in federal buildings, running missions overseas, to those working from their kitchen counters -- can communicate securely, safe from cybercriminals and nation-state attackers.
From situation room to spare bedroom
The country as a whole made drastic changes to limit the virus’ spread, and so too did government agencies. They urged employees to sign remote working agreements and to be ready to telework full-time if necessary. Even as Zoom made its meteoric rise as the work-from-home videoconferencing standard, many agencies, including NASA, eschewed the service over privacy and security concerns, adding more confusion around which departments could use what tools.
But like most of the American workforce, government employees have been making this telework shift with little guidance and amid misinformation that can leave data exposed despite the best intentions. For example, although Zoom initially boasted about its E2E capabilities, it was only after a slew of headlines around “Zoombombing” that it became clear the company was marketing its services as E2EE, when in fact information was only encrypted client-to-server. This lower-grade security was adequate when Zoom’s use was more limited and sensitive conversations could happen in person, but it couldn’t withstand the extra pressure applied when teams went fully remote and cybercriminals began to take advantage of increased use. When adapting to new conditions in real time, organizations often trust tools and take their claims at face value, but as the nation moves toward more remote work, tools must be scrutinized beyond their marketing claims.
Although the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a checklist to help agencies make sure remote employees are operating as securely as possible, what’s clear is that decades-old government computer services and networks cannot handle the massive remote access needed at the moment.
Nor can agencies control user behavior. Despite having the most powerful technology at their disposal, people are, more often than not, the cause of security breaches.
To stay secure, agencies must reduce human error, and that starts with educating every user on better practices, including the obvious warnings: Don’t use public Wi-Fi; protect devices; use strong passwords and don’t reuse them; back up all data; don’t use work computers for personal matters; and attend regular security awareness training. Research shows that a third of all data breaches start with a user being fooled by a phishing scam into providing credentials or personal information, a technique that’s become even more effective and popular with more reliance on email communication. IT staff should train all employees -- especially remote workers -- how to spot and thwart phishing emails and texts.
Another option is using a virtual private network, which provides a secure, private tunnel from the remote worker’s device to the network. Bad actors cannot easily access VPNs providing a secure connection -- especially those with E2EE -- even if the user is connecting over an unprotected public hotspot.
IT departments should also implement two-factor authentication for any work-from-home devices as an extra layer of protection for government devices and data, especially if passwords or other credentials are weak or leaked in a data breach. This extra step can involve email or text verification or fingerprint or face recognition depending on the importance of the data being protected.
Using essential encrypted communications
When it comes to the most sensitive data and communications, unauthorized access can be avoided via the use of the strongest E2EE.
Done correctly, E2EE gives electronic communication throughout agencies the same level of security and privacy as a face-to-face conversation, especially if the solution has ephemerality baked in. Messages or other communications are encrypted on a sender’s device, sent to the designated recipient’s device in an unreadable format, then automatically decoded for only the recipient.
No unencrypted data is stored on either device or on any third-party servers or networks. No individual or organization other than the intended recipient can decrypt messages, data or files, and users set message expiration times per the agency’s data retention policies to meet all compliance standards.
There are several ways to ensure this degree of security, with varying levels of complexity. The easiest way is to find a solution that enables devices that guarantee E2EE as a digital lockbox. This means communications generate both a public and a private key. The public key is shared with anyone who encrypts a message, while the private key stays on the recipient’s device to decrypt the messages. A sender has the public key to put something in a lockbox and ostensibly secure it, but the recipient has the one and only key to unlock it.
If agencies can easily enact E2EE for remote workers, they can ensure that no bad actors can eavesdrop on government information. Clearly, different levels of encryption will be needed based on the sensitivity of the materials, but these fundamental steps can be taken. Superficially simple, but incredibly complex -- implementing rigorous E2EE protocols is the one essential way that agencies can remain as secure as possible while the workforce is stuck at home.
Joel Wallenstrom is the CEO of Wickr.