Secure Videoconferencing Security and Privacy in Government
Until the recent surge of videoconferencing to enable productivity for remote workers, there was less of a focus on cybersecurity with the platforms and more of an emphasis on accessibility, Jeff Greene, director of the National Cybersecurity Center of Excellence at NIST, tells FedTech. Videoconferencing tools are merely information-sharing platforms that have the same vulnerabilities as any services that transfer data, Greene says.
NIST’s tips for securing virtual meetings may require IT leaders to change their respective platform defaults, Greene points out. “These tools are there, if you take advantage of them.”
There are two major security concerns when it comes to videoconferencing systems, says Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame (and a FedTech contributor).
The first is that agencies “should seek to protect the confidentiality of their videoconferences, especially if they will be discussing sensitive material,” he says.
To achieve this, IT leaders should choose a videoconferencing service that “supports encryption and is a trusted provider under contract to keep communications confidential,” Chapple says.
While many videoconferencing solutions are working on platforms that will provide end-to-end encryption, Chapple says, “the reality of modern commercial videoconferencing services is that they provide encryption between the client and server, but the provider could theoretically monitor those communications. That's where contractual protections play an important role.”
The second major concern is the “disruption of videoconferences by unwanted interlopers” who eavesdrop on meetings.
After the FBI warned of these threats in late March, Zoom enhanced its security. On April 27, Zoom released Zoom 5.0, with stronger security features. With AES 256-bit GCM encryption, Zoom says it will provide “increased protection for meeting data and resistance against tampering.” After May 30, 2020, all Zoom clients on older versions will be required to upgrade before joining meetings.
The Zoom for Government platform, which runs on a government community cloud and has received a Federal Information Security Modernization Act “moderate” level authorization from the Federal Risk and Authorization Management Program, is a secure and approved option as well.
Agencies using commercial videoconferencing solutions can protect against such tampering by requiring the use of passcodes or other authentication for private conferences, Chapple notes. “Agencies conducting large, public meetings online should configure security settings so that nonpresenting participants are automatically muted and prevented from sharing their screens unless the moderator grants them permission to speak,” he says.
Videoconferencing Security: Privacy vs. Security
Security of agency data is a paramount videoconferencing security concern, notes Karen Scarfone, the principal consultant for Scarfone Cybersecurity (also a FedTech contributor).
“With videoconferencing taking the place of in-person meetings, many sensitive topics could be discussed, and that information could be acquired by people and made public or otherwise misused,” she says.
“Ninety-five percent of conference calls are not confidential,” Charles Henderson, global head of IBM’s X-Force Red, tells BizTech. “In fact, there’s probably a good portion of those that should be an email. But the remaining 5 percent, those range from mildly sensitive all the way up to board-level meetings. If somebody is there listening, that can be catastrophic” for an organization, he notes.
If sensitive information being discussed or transmitted via videoconference includes personal information, privacy breaches would be a concern as well, Scarfone says. “There may also be privacy concerns regarding the people participating in the video conferencing; an unauthorized person might be able to see the conference participants and their surroundings,” she says.
Abhay Kulkarni, vice president and general manager of Cisco Webex Meetings, tells BizTech that “privacy is almost a tandem track for security in many ways. A participant in a meeting should be able to join a meeting without having to worry about whether their private information is disclosed.”
Consequences of Videoconferencing Privacy and Security Attacks
There are many possible consequences of videoconferencing privacy or security attacks, experts say.
For example, a denial of service attack against the videoconferencing services could “cause outages or negatively impact videoconferencing performance for agencies,” Scarfone says.
If a malicious actor compromised the service, they could gain unauthorized access to videoconferences, including possibly gaining access to agencies’ existing and future videoconference recordings, Scarfone says.
“There could also be attacks against the client software used for some videoconferencing services, which could enable an attacker to compromise agencies’ client machines,” she adds.