Apr 02 2020

How to Protect Your Agency’s Networks and Users During Telework

As government employees work from home, IT leaders need to ensure that those users and sensitive data are safe.

The federal government in recent weeks has seen a surge in teleworking. The current environment is giving agency IT leaders a real-time test case for how to secure large numbers of users working remotely, both now and in the future. 

As more workers conduct their missions from home or other remote workspaces, that unfortunately gives malicious actors a much larger attack surface to target government agencies.

For example, cyberattacks on Defense Department networks increased over the weekend of March 14-15 as teleworking employees put “unprecedented” loads on the military’s computer networks. 

“They’re already taking advantage of the situation and the environment that we have on hand,” Essye Miller, DOD’s principal deputy CIO, told department employees at a March 16 “virtual town hall.” DOD subsequently blocked access to YouTube for its users, and Miller urged DOD users to only use chat and collaboration services provided by the Defense Information Systems Agency.

On March 22, Margaret Weichert, the Office of Management and Budget’s deputy director for management, sent a technology-focused memo to agency heads directing agencies to “use the breadth of available technology capabilities to fulfill service gaps and deliver mission outcomes.”

An FAQ section of the March 22 memo covers cybersecurity, and notes that “security protocols, requirements regarding the appropriate use of federal resources, and legal requirements are always applicable.” 

However, agencies are “encouraged to make risk-based decisions as appropriate to meet mission needs as outlined” in a separate OMB memo, issued on March 17.

Areas of increased focus concerning cybersecurity and privacy outlined in the memo include: 

  • Updating VPN components, network infrastructure devices and devices being used to enable remote work environments with the latest software patches and security configurations
  • Providing guidance to employees about how to ensure proper information security and privacy controls are in place when working from alternate locations or home
  • Continuing to prohibit the unauthorized forwarding of government business materials or other information to personal devices
  • Continuing to prohibit the unauthorized usage of social media platforms or any unauthorized devices for government business
  • Confirming that the expanded usage of technology tools is in accordance with appropriate legal considerations and does not violate legal terms of service

Agencies Focus on Security, Network Bandwidth

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has given agencies additional cybersecurity tools to help IT leaders navigate increased usage of telework solutions. 

Federal CIO Suzette Kent and her staff have been talking with internet service providers and telecommunications companies about how to ensure users have enough bandwidth and how networks can be made more secure. 

“We started preparing for this a few weeks ago. Agencies did individual assessments of their capacity and took actions then to size it,” Kent tells Federal News Network. “Right now, over the last week and into this week, we see those investments in modernization, like moving to the cloud and the scaling that comes with it, prove the value and give us the results we wanted to see.” 

Agencies have been able to scale from the traffic volumes they would typically experience on a snow day in a region “to much larger scale volumes across the country,” Kent says. “We’ve done virtual private network testing, and vendors have been very responsive to scale up licenses and with technical tweaks that agencies needed.”

How Agencies Can Defend Against Cyberattacks

CISA has also published a set of risk management proposals agencies can use to guard against increased cyberattacks. 

Agencies have a responsibility to enhance their overall cybersecurity defenses for their networks and data, CISA notes. The agency recommends IT leaders do the following: 

As CISA notes, individual users have responsibilities to practice good cyberhygiene too. They should avoid clicking on links in unsolicited emails and be wary of email attachments, CISA advises. Users should not reveal personal or financial information in emails and should not respond to email solicitations for such information.

IT staff and other government users should also review CISA’s tips on avoiding social engineering and phishing scams for more information on how to recognize and protect against phishing. The Federal Trade Commission also has a helpful blog post on scams related to COVID-19.
