Security

How to Protect Your Agency’s Networks and Users During Telework

As government employees work from home, IT leaders need to ensure that those users and sensitive data are safe.

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna, and two cats, Grady and Princess.

The federal government in recent weeks has seen a surge in teleworking. The current environment is giving agency IT leaders a real-time test case for how to secure large numbers of users working remotely, both now and in the future.

As more workers conduct their missions from home or other remote workspaces, that unfortunately gives malicious actors a much larger attack surface to target government agencies.

For example, cyberattacks on Defense Department networks increased over the weekend of March 14-15 as teleworking employees put “unprecedented” loads on the military’s computer networks.

“They’re already taking advantage of the situation and the environment that we have on hand,” Essye Miller, DOD’s principal deputy CIO, told department employees at a March 16 “virtual town hall.” DOD subsequently blocked access to YouTube for its users, and Miller urged DOD users to only use chat and collaboration services provided by the Defense Information Systems Agency.

In a March 22 memo, Margaret Weichert, the Office of Management and Budget’s deputy director for management, sent a technology-focused memo to agency heads directing agencies to “use the breadth of available technology capabilities to fulfill service gaps and deliver mission outcomes.”

An FAQ section of the March 22 memo covers cybersecurity, and notes that “security protocols, requirements regarding the appropriate use of federal resources, and legal requirements are always applicable.”

However, agencies are “encouraged to make risk-based decisions as appropriate to meet mission needs as outlined” in a separate OMB memo, issued on March 17.

Areas of increased focus concerning cybersecurity and privacy outlined in the memo include:

Updating VPN components, network infrastructure devices and devices being used to enable remote work environments with the latest software patches and security configurations
Providing guidance to employees about how to ensure proper information security and privacy controls are in place when working from alternate locations or home
Continuing to prohibit the unauthorized forwarding of government business materials or other information to personal devices
Continuing to prohibit the unauthorized usage of social media platforms or any unauthorized devices for government business
Confirming that the expanded usage of technology tools is in accordance with appropriate legal considerations and does not violate legal terms of service

Agencies Focus on Security, Network Bandwidth

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has given agencies additional cybersecurity tools to help IT leaders navigate increased usage of telework solutions.

Federal CIO Suzette Kent and her staff have been talking with internet service providers and telecommunications companies about how to ensure users have enough bandwidth and how networks can be made more secure.

“We started preparing for this a few weeks ago. Agencies did individual assessments of their capacity and took actions then to size it,” Kent tells Federal News Network. “Right now, over the last week and into this week, we see those investments in modernization, like moving to the cloud and the scaling that comes with it, prove the value and give us the results we wanted to see.”

Agencies have been able to scale from the traffic volumes they would typically experience on a snow day in a region “to much larger scale volumes across the country,” Kent says. “We’ve done virtual private network testing, and vendors have been very responsive to scale up licenses and with technical tweaks that agencies needed.”

How Agencies Can Defend Against Cyberattacks

CISA has also published a set of risk management proposals agencies can use to guard against increased cyberattacks.

Agencies have a responsibility to enhance their overall cybersecurity defenses for their networks and data, CISA notes. The agency recommends IT leaders do the following:

Ensure VPNs and other remote access systems are fully patched
Enhance system monitoring to receive early detection and alerts on abnormal activity
Implement multifactor authentication for all users
Ensure all hardware has properly configured firewalls as well as anti-malware and intrusion prevention software installed
Test remote access solutions capacity or increase capacity
Ensure continuity of operations plans or business continuity plans are up to date
Increase awareness of IT support mechanisms for employees who work remotely
Update incident response plans to consider workforce changes in a distributed environment

As CISA notes, individual users have responsibilities to practice good cyberhygiene too. They should avoid clicking on links in unsolicited emails and be wary of email attachments, CISA advises. Users should not reveal personal or financial information in emails and should not respond to email solicitations for such information.

IT staff and other government users should also review CISA’s tips on avoiding social engineering and phishing scams for more information on how to recognize and protect against phishing. The Federal Trade Commission also has a helpful blog post on scams related to COVID-19.

monkeybusinessimages/Getty Images