Federal employees may soon be ordered to work from home. That could pose serious cybersecurity risks

If U.S. adversaries such as Russia or Iran compromise networks during the pandemic, they could disrupt efforts to mitigate the virus by stopping or slowing vital government communications. They could also sow chaos by sending phony alerts about the virus to the government workforce or the public.

“This is a make or break moment, and we won’t know what we get until we see it,” said Greg Touhill, former federal chief information security officer during the Obama administration.

So far, no federal agency or department has mandated their employees go home and log on to do their business, even as President Trump declared a national emergency to free up $50 billion in disaster relief for state and local governments.

Larger agencies like the Health and Human Services and Energy departments have advised employees about safety precautions while they prepare remote working agreements in case working from home full-time becomes necessary. A handful of smaller agencies have offered employees the opportunity to work remotely, including the Securities and Exchange Commission where a suspected infection caused that agency’s 2,400 workers to head home.

Only about 40 percent of the 2.1 million federal workers were authorized to work remotely as of 2017, the last year in which data is available. And the Trump administration had been working to limit remote work, demanding some civil servants instead come in to the office to perform their jobs. But as broad swaths of the private sector, school districts and local governments have all moved quickly to limit the virus’s spread, the administration’s stance is changing and it’s now urging agencies to sign remote working agreements with as many employees as possible.

Sen. Mark Warner (D-Va.), vice chairman of the Senate Intelligence Committee, called that lapse “inexcusable” in an email.

“As the federal government prepares for what is likely to be an unprecedented experiment in telework, it’s also expanding opportunities for malicious actors to attack and potentially disrupt vital government services,” he said.

Furthermore, it’s far from clear government computer servers are prepared to handle the traffic from thousands of employees trying to access them from outside the office. The virtual private networks through which workers would likely sign on are often decades old and not designed to handle such massive traffic volumes.

Many federal employees also lack government-issued laptops and phones, raising the specter of them logging on from their homes or coffee shops with devices that lack basic security features and aren’t patched against the latest bugs.

“You’re going to have a lot of folks that are going to inevitably be doing government business from their personal devices. I think that’s just a reality,” said Suzanne Spaulding, who led cybersecurity operations for the Department of Homeland Security during the Obama administration. “This just creates an opening for malicious activity of all kinds,”

Federal workers could also be using public WiFi networks that aren’t secure against hackers. And they’ll be more vulnerable to phishing emails and texts that look legitimate but actually contain malicious software. For example, hackers could pretend to be an employee’s boss or co-worker who’s locked out of a government email system and is instead using a personal gmail account.

Cyber officials within the vast federal bureaucracy were working quickly for any contingency.

The Homeland Security Department’s cybersecurity division, the Cybersecurity and Infrastructure Security Agency (CISA), released a checklist Friday to help agencies ensure remote employees are operating as securely as possible. But the agency did not respond to detailed questions about how it plans to deal with a security challenges during what could be an extended telework period. The Pentagon also didn’t respond to questions about secure telework.

The DHS checklist includes requiring employees to perform extra authentication checks beyond entering a password to remotely access government files and to be prepared for an increase in phishing emails.

Besides the SEC, other agencies urging remote work include U.S. Citizenship and Immigration Services and the Federal Deposit Insurance Corporation. DHS announced last week that it had closed its Seattle field office for two weeks after an employee tested positive for coronavirus.

Other agencies have been conducting daylong telework sessions for all or most of their employees as “stress tests” to see if computer systems can handle the strain.

CISA conducted one such test Friday. Similar tests have been conducted by NASA, the National Oceanic and Atmospheric Administration and the Energy Department. One Energy Department employee who worked from home during an agency-wide test told The Post he was able to log on but the agency network was “very slow.”

Chief information officers have been meeting regularly in recent weeks to confront myriad challenges they don’t have ready answers for, such as whether agencies will have enough help desk employees to troubleshoot computer issues and how they’ll handle system crashes.

For government workers that do highly classified work, however, there’s no way to work remotely even if the outbreak gets worse.

A spokesman for the National Security Agency, whose work collecting foreign intelligence is highly classified, said the agency is continuing its work with no “reduction in mission.”

Some top government officials have secure workspaces — known as Secure Compartmented Information Facilities, or SCIFs — set up inside their homes and have phones and tablets they can use to read and respond to classified documents.

The vast majority of intelligence workers, however, have no choice but to do their work in highly secure government-managed buildings no matter how bad the pandemic gets. In the past, officials have managed through snowstorms and other natural disasters by working rotating shifts and agencies have plans for pandemics that include reorganizing workspaces so employees can keep larger than usual social distances between each other, former officials said.

The decision to telework is already taking hold in Congress where numerous lawmakers have announced their offices will be working remotely, including the House Veterans Affairs Committee and the offices of Sens. Ted Cruz (R-Texas), who has extended his self-quarantine after coming into contact with two infected individuals, and Tom Cotton (R-Ark.).

The House Administration Committee sent a memo Wednesday to all lawmakers outlining how offices can set up temporary telework plans for their staffs and directing them to the chamber’s office supply store to buy secure laptops and other technology.

The chamber’s tech support office has also set up shop in the Rayburn House Office Building cafeteria from 9 a.m. to 3 p.m. each day to configure security features on the laptops of staffers who are preparing to work remotely, according to a copy of the memo shared with The Post.

“Members of both chambers are beginning to telework at unprecedented levels, and this means an increased risk of cyber threats,” said Rep. Kathleen Rice (D-N.Y.) who sponsored a bill mandating lawmakers get cybersecurity training that recently passed the House. “This situation is concerning and it underscores exactly why it is so important that members and their staff are well-versed in cybersecurity best practices.”

A memo from the Senate Sargeant-at-Arms office, meanwhile, offers mostly pro forma security advice such as ensuring staff laptops are all up to date on security patches.

“It’s ridiculous that they’re just preparing for this now. This has been a known threat for weeks at least,” said Daniel Schuman, policy director for the liberal advocacy group Demand Progress who writes a newsletter about Congress.

Schuman’s group has urged both chambers to close all congressional offices and hold votes using digital technology while the pandemic unfolds.

Ellen Nakashima contributed to this report.

View original article here Source

Related Posts