Security

Teleconferencing Tools Require Tough Security Measures to Maintain Privacy

From Jill Biden’s remote classes in the White House to standard team meetings across agencies, preventing intrusion is crucial.

Melissa Delaney

Melissa Delaney is a freelance journalist who specializes in business technology. She is a frequent contributor to the CDW family of technology magazines.

Jill Biden made history when she decided to keep her paid job while serving as first lady, but she barely had time to mark the milestone. The day before her husband was sworn in as the 46th president of the United States, Dr. Biden was on Zoom, teaching her English composition class at Northern Virginia Community College.

“In this pandemic, educators have shown heroic commitment to their students,” she said the day after the inauguration on another Zoom call she hosted with the presidents of the National Education Association and the American Federation of Teachers. “I know how hard it is. I am teaching hybrid this semester myself.”

She was speaking to the 11,000 teachers on the call who, like her, adapted their classes to accommodate remote students amid the COVID-19 pandemic. Unlike them, however, she was connecting from one of the world’s most high-profile cybertargets — the White House.

As organizations around the world closed all or part of their physical locations during the pandemic, teleconferencing tools enabled them to continue operations remotely. Government agencies were no exception.

Federal employees have spent much of the past year working from home, and agencies have offered a growing number of virtual services. But the teleconferencing tools that enabled these changes also posed unprecedented security challenges.

“COVID-19 drove a rapid transition to telework for government and industry alike, expanding the attack surface for foreign adversaries and malicious cyber actors,” says Neal Ziring, technical director of cybersecurity at the National Security Agency.

Teleworkers can connect to sensitive networks from personal phones and computers, and they can download software and collaboration platforms that may not implement strong cybersecurity standards, leaving data vulnerable, Ziring explains.

Malicious actors can also gain access to conferences, data or other enterprise systems if organizations’ infrastructure or purchased cloud services aren’t configured securely, he adds.

“Cybercriminals and nation-state actors are not only capitalizing on these opportunities, they are also conducting campaigns that take advantage of the pandemic,” Ziring warns.

VA Deploys Trusted Tools for Telehealth Connections

Like most organizations, the Department of Veterans Affairs saw a massive spike in the demand for teleconferencing tools at the start of the pandemic. Workers used them for internal meetings, communicating and collaborating with outside agencies and onboarding new employees virtually.

Meanwhile, VA’s clinics went from a daily average of 2,500 telehealth appointments to 60,000 per day in May 2021, all powered by the Pexip Infinity solution.

That number continues to climb, but at a slower rate than earlier in the pandemic as doctors return to clinics that still offer remote appointments, explains Brian Mahlum, deputy director of unified communications infrastructure engineering at the VA.

“It is about as much growth as you could ever want,” says Eddie Pool, executive director of solution delivery at the VA’s Office of Information and Technology. “That’s a massive increase in utilization and an enormous challenge for us from an IT perspective, but we did it quite successfully.”

Sean Mitts, VA’s director of unified communications infrastructure, attributes part of that success to “fortuitous timing.” In early 2020, the VA began a modernization effort to upgrade from Skype to Microsoft Teams for internal communications and collaboration, with Cisco Webex as a secondary solution. It also expanded its Pexip Infinity telehealth solution, which it calls VA Video Connect.

President Joe Biden and Cabinet members hold a Zoom meeting with world leaders at the White House in April. Adam Schultz/The White House

In addition to hosting its telehealth solution on-premises, the VA created a tier 2 environment on its Amazon Web Services cloud space to provide more capacity and redundancy. It now runs about half of its telehealth solution in the cloud environment.

“What COVID-19 did was give us an opportunity to drastically accelerate those modernization capabilities, because it was no longer a drawn-out, methodical, multiyear plan. It was a critical need to be met now,” says Pool. “So we just kind of stepped on the gas.”

Security was a top priority, and having Teams and Webex in place “saved the day,” Pool adds, because the VA knew those tools were hardened and secure. All of the teleconferencing tools are encrypted in transit and at rest, and the agency has the authority to operate security reviews on them. They all require an authenticated user with a Personal Identity Verification–enabled account to initiate sessions.

FREE RESOURCES: Get your agency ready for a new way to work.

Such measures gave Pool’s team confidence in the security and privacy of the Webex and Teams platforms. “It was really more the one-offs, where a doctor in, say, Omaha would for some reason need to use some other solution,” says Pool. “Those are the ones that gave me concern.”

Such one-offs led to a few video intrusions early in the pandemic, so Pool’s team reminded workers to use the agency’s hardened, Transport Layer Security 1.2 encrypted teleconferencing solutions that used Federal Risk and Authorization Management Program–compliant hosting data centers.

“It was really critical that we got these secure solutions out there and made sure that the entire enterprise knew how to use the platforms,” says Pool. “I think that’s why we can say today that we really haven’t had any security incidents that involve any of our VA-hosted platforms.”

Standing Guard to Ensure Security for Teleconferencing

Like the VA, the Food and Drug Administration employed a variety of risk-based strategies and technologies to protect information and its teleworking platforms, including Microsoft Teams, Cisco Webex, Zoom for Government and Adobe Connect.

One of those strategies was to integrate its network and security operations center into a central command-and-control center for the escalation of security incidents.

The FDA’s Systems Management Center, manned by government and contract personnel, provides 24/7 monitoring and protection, 365 days of the year. “It establishes near real-time enterprise awareness to forecast, identify, protect, detect, respond, recover and report on cybersecurity and infrastructure incidents,” says FDA spokesperson Audra Harrison.

It’s also critical for agencies to stay alert and use the tools available to them to keep their networks secure. For instance, all enterprise collaboration platforms provide logs; it’s essential that agencies actually review those logs for both on-premises collaboration platforms and cloud services, says the NSA’s Ziring.

“Log event analysis can identify compromised end users, attempted attacks, cases of human error and more,” he explains.

In addition to logs, there are a variety of standard tools and practices to keep teleconferencing technologies secure. The key is to utilize them.

Greg Smithberger, CIO and director of the NSA’s Capabilities Directorate, reminds agencies to ensure they have robust identity and access management, provide security controls and guidance to the workforce on secure behavior (such as not allowing anonymous attendees in virtual meetings), implement zero-trust principles between and within offerings and leverage multifactor authentication.

“With teleconferencing in particular, we have many of the same risk vectors as any modern company,” Smithberger says.