May 29 2020

Federal Telework: How to Ensure Secure Videoconferencing

Agencies need to consider both keeping sensitive data safe and protecting users’ privacy as they engage in virtual meetings.

As federal agencies continue to operate with most of their workforces teleworking or working remotely, and with the possibility that they will need to return to doing so in the future, agencies have embraced videoconferencing for many tasks out of necessity.

In March, the Office of Personnel Management requested that agencies temporarily use videoconferencing and e-signature tools to hire, administer the oath of office and train new employees.

As agencies have ramped up their use of videoconferencing there have also been a raft of security and privacy concerns. The National Institute of Standards and Technology has offered tips on how agencies can secure videoconferencing platforms for meetings. Those include limiting the reuse of access codes; using one-time PINs for sensitive meetings; not allowing the meeting to begin until the host joins; using a dashboard to monitor attendees; avoiding recording the meeting unless it is necessary; and disabling features such as chat and file sharing unless they are needed. 

Many agencies that have moved to Microsoft’s Office 365 platform have been using Microsoft Teams for secure videoconferencing. “In 2019, NASA deployed the full suite of tools offered by Microsoft Office 365, which includes the Teams communication and collaboration platform,” former NASA CIO Renee Wynn tells Federal News Network. “One of the features of Teams is secure video capability. Teams meetings allow both NASA and our external partners to collaborate in a way that adheres to federal IT security requirements.”

Secure Videoconferencing Security and Privacy in Government

Until the recent surge of videoconferencing to enable productivity for remote workers, there was less of a focus on cybersecurity with the platforms and more of an emphasis on accessibility, Jeff Greene, director of the National Cybersecurity Center of Excellence at NIST, tells FedTech. Videoconferencing tools are merely information-sharing platforms that have the same vulnerabilities as any services that transfer data, Greene says.

NIST’s tips for securing virtual meetings may require IT leaders to change their respective platform defaults, Greene points out. “These tools are there, if you take advantage of them.”

There are two major security concerns when it comes to videoconferencing systems, says Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame (and a FedTech contributor).

The first is that agencies “should seek to protect the confidentiality of their videoconferences, especially if they will be discussing sensitive material,” he says. 

To achieve this, IT leaders should choose a videoconferencing service that “supports encryption and is a trusted provider under contract to keep communications confidential,” Chapple says. 

While many videoconferencing solutions are working on platforms that will provide end-to-end encryption, Chapple says, “the reality of modern commercial videoconferencing services is that they provide encryption between the client and server, but the provider could theoretically monitor those communications. That's where contractual protections play an important role.”

The second major concern is the “disruption of videoconferences by unwanted interlopers” who eavesdrop on meetings. 

After the FBI warned of these threats in late March, Zoom enhanced its security. On April 27, Zoom released Zoom 5.0, with stronger security features. With AES 256-bit GCM encryption, Zoom says it will provide “increased protection for meeting data and resistance against tampering.” After May 30, 2020, all Zoom clients on older versions will be required to upgrade before joining meetings.

The Zoom for Government platform, which runs on a government community cloud and has received a Federal Information Security Modernization Act “moderate” level authorization from the Federal Risk and Authorization Management Program, is a secure and approved option as well.

Agencies using commercial videoconferencing solutions can protect against such tampering by requiring the use of passcodes or other authentication for private conferences, Chapple notes. “Agencies conducting large, public meetings online should configure security settings so that nonpresenting participants are automatically muted and prevented from sharing their screens unless the moderator grants them permission to speak,” he says.

MORE FROM FEDTECH: Discover how to prepare technology in advance of a virtual meeting.

Videoconferencing Security Privacy vs. Security

Security of agency data is a paramount videoconferencing security concern, notes Karen Scarfone, the principal consultant for Scarfone Cybersecurity (also a FedTech contributor). 

“With videoconferencing taking the place of in-person meetings, many sensitive topics could be discussed, and that information could be acquired by people and made public or otherwise misused,” she says

“Ninety-five percent of conference calls are not confidential,” Charles Henderson, global head of IBM’s X-Force Red, tells BizTech. “In fact, there’s probably a good portion of those that should be an email. But the remaining 5 percent, those range from mildly sensitive all the way up to board-level meetings. If somebody is there listening, that can be catastrophic” for an organization, he notes.

If sensitive information being discussed or transmitted via videoconference includes personal information, privacy breaches would be a concern as well, Scarfone says “There may also be privacy concerns regarding the people participating in the video conferencing; an unauthorized person might be able to see the conference participants and their surroundings,” she says.

Abhay Kulkarni, vice president and general manager of Cisco Webex Meetings, tells BizTech that “privacy is almost a tandem track for security in many ways. A participant in a meeting should be able to join a meeting without having to worry about whether their private information is disclosed.” 

MORE FROM FEDTECH: Learn about the technology behind videoconferencing tools and how to keep them running.

Consequences of Videoconferencing Privacy and Security Attacks

There are many possible consequences of videoconferencing privacy or security attacks, experts say. 

For example, a denial of service attack against the videoconferencing services could “cause outages or negatively impact videoconferencing performance for agencies,” Scarfone says.

If a malicious actor compromised the service, they could gain unauthorized access to videoconferences, including possibly gaining access to agencies’ existing and future videoconference recordings, Scarfone says.

“There could also be attacks against the client software used for some videoconferencing services, which could enable an attacker to compromise agencies’ client machines,” she adds.

Videoconferencing Options for Government

There are multiple tools agencies can turn to for enabling collaboration while users telework. Here are best practices for using some of them.

Google Meet

When Google Meet is on, users can start a meeting from a browser, mobile phone or a Google Calendar event that includes a video meeting link, Google notes. Users can also start or join video meetings in just one click from Gmail on their desktop.

Admins can change settings to allow users to join video meetings, create video meetings and manage premium Meet features, such as joining a meeting by phone, and recording and streaming meetings. With Google Meet, agencies can host meetings from anywhere with up to 250 participants, record for later viewing or livestream to up to 100,000 people.

Zoom/Zoom for Government

Zoom’s secure video communications solution is easy to deploy, manage and scale, the company says. “With consistent and reliable high-quality video, even in low-bandwidth environments, government departments and agencies can reduce costs, improve efficiency, enhance internal collaboration, and extend citizen services,” Zoom notes.

Zoom says agencies need to first get the right license and software downloaded, set up the software and ensure that users have the necessary webcams and audio peripherals. Then, users need to be trained on features such as screen sharing, whiteboarding and integrating their calendars.

Microsoft Teams

Microsoft Teams enables agencies to host audio, video and web conferences and offers features such as scheduling assistance, meeting note taking, screen sharing, meeting recording, and instant messaging. Admins and users can preset video and audio when joining meetings and can use “intelligent, background-blur technology to help focus and minimize distractions,” Microsoft notes. F or large virtual meetings, Microsoft notes that IT teams should take into consideration factors such as camera quality.

“Whether you’re broadcasting with a built-in webcam or an external device, look for a high-quality camera that shoots in HD,” the company says.

As for sound quality, Microsoft says that “unbalanced or extreme sound fluctuations distract audiences. Your IT department can help by researching the best mics available and ensuring that none of the other technology in the room will distract from the broadcast.”

READ MORE: Check out these tips for making your federal telework plan a success!

LeoPatrizi/Getty Images