Federal-grade encryption from the comfort of home

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Joel Wallenstrom
 

Connecting state and local government leaders

By Joel Wallenstrom

|

End-to-end encryption gives electronic communication throughout agencies the same level of security and privacy as a face-to-face conversation, especially if the solution has ephemerality baked in.

With the COVID crisis pushing federal employees to work from home, we’re seeing a first-of-its-kind test for the way modern government functions. Even as agencies take great pains to ensure the security of messages, shared documents, video calls and phone chats across offices and missions, outdated computer systems or reliance on common communications platforms outside central offices opens an opportunity for exposure that could put government data at risk.

Only about 40% of the country’s 2.1 million federal workers were authorized to work remotely as of 2017, yet the pandemic has pushed larger agencies such as the Department of Health and Human Services, the Securities and Exchange Commission and the Energy Department to take precautions to prepare employees for a remote shift.

A large majority of intelligence workers still must go into work in highly secure government facilities where stringent policies and procedures ensure robust cyber protection, but for the rest of remote government workers, this could be a make-or-break moment.

As with many in the private sector, the rapid pace at which security threats have evolved has forced agencies to update and secure dated systems piecemeal. A gradual, lagging response to updating systems has now become a top priority due to the coronavirus. This has caused an exponential increase in federal agencies adopting end-to-end encryption (E2EE) as the only way to truly be sure that every employee -- from those working in federal buildings, running missions overseas, to those working from their kitchen counters -- can communicate securely, safe from cybercriminals and nation-state attackers.

From situation room to spare bedroom

The country as a whole made drastic changes to limit the virus’ spread, and so too did government agencies. They urged employees to sign remote working agreements and to be ready to telework full-time if necessary. Even as Zoom made its meteoric rise as the work-from-home videoconferencing standard, many agencies, including NASA, eschewed the service over privacy and security concerns, adding more confusion around which departments could use what tools.

But like most of the American workforce, government employees have been making this telework shift with little guidance and amid misinformation that can leave data exposed despite the best intentions. For example, although Zoom initially boasted about its E2E capabilities, it was only after a slew of headlines around “Zoombombing” that it became clear the company was marketing its services as E2EE, when in fact information was only encrypted client-to-server. This lower-grade security was adequate when Zoom’s use was more limited and sensitive conversations could happen in person, but it couldn’t withstand the extra pressure applied when teams went fully remote and cybercriminals began to take advantage of increased use. When adapting to new conditions in real time, organizations often trust tools and take their claims at face value, but as the nation moves toward more remote work, tools must be scrutinized beyond their marketing claims.

Although the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a checklist to help agencies make sure remote employees are operating as securely as possible, what’s clear is that decades-old government computer services and networks cannot handle the massive remote access needed at the moment.

Nor can agencies control user behavior. Despite having the most powerful technology at their disposal, people are, more often than not, the cause of security breaches.

Basic steps

To stay secure, agencies must reduce human error, and that starts with educating every user on better practices, including the obvious warnings: Don’t use public Wi-Fi; protect devices; use strong passwords and don’t reuse them; back up all data; don’t use work computers for personal matters; and attend regular security awareness training. Research shows that a third of all data breaches start with a user being fooled by a phishing scam into providing credentials or personal information, a technique that’s become even more effective and popular with more reliance on email communication. IT staff should train all employees -- especially remote workers -- how to spot and thwart phishing emails and texts.

Another option is using a virtual private network, which provides a secure, private tunnel from the remote worker’s device to the network. Bad actors cannot easily access VPNs providing a secure connection -- especially those with E2EE -- even if the user is connecting over an unprotected public hotspot.

IT departments should also implement two-factor authentication for any work-from-home devices as an extra layer of protection for government devices and data, especially if passwords or other credentials are weak or leaked in a data breach. This extra step can involve email or text verification or fingerprint or face recognition depending on the importance of the data being protected. 

Using essential encrypted communications

When it comes to the most sensitive data and communications, unauthorized access can be avoided via the use of the strongest E2EE.

Done correctly, E2EE gives electronic communication throughout agencies the same level of security and privacy as a face-to-face conversation, especially if the solution has ephemerality baked in. Messages or other communications are encrypted on a sender’s device, sent to the designated recipient’s device in an unreadable format, then automatically decoded for only the recipient.

No unencrypted data is stored on either device or on any third-party servers or networks. No individual or organization other than the intended recipient can decrypt messages, data or files, and users set message expiration times per the agency’s data retention policies to meet all compliance standards.

There are several ways to ensure this degree of security, with varying levels of complexity. The easiest way is to find a solution that enables devices that guarantee E2EE as a digital lockbox. This means communications generate both a public and a private key. The public key is shared with anyone who encrypts a message, while the private key stays on the recipient’s device to decrypt the messages. A sender has the public key to put something in a lockbox and ostensibly secure it, but the recipient has the one and only key to unlock it.

If agencies can easily enact E2EE for remote workers, they can ensure that no bad actors can eavesdrop on government information. Clearly, different levels of encryption will be needed based on the sensitivity of the materials, but these fundamental steps can be taken. Superficially simple, but incredibly complex -- implementing rigorous E2EE protocols is the one essential way that agencies can remain as secure as possible while the workforce is stuck at home.

NEXT STORY: Securing utilities by detecting bad data

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.