Cybersecurity Needs Increase as Federal Agencies Continue to Telework

To thwart hackers, agencies update policies and patches, deploy new solutions.

LISTEN

Your browser doesn’t support HTML5 audio

The federal government is a popular target for cybercriminals and malicious actors — the public sector accounts for 21 percent of all cyber incidents, according to Verizon’s 2020 Data Breach Investigations Report — so as employees moved to remote work amid the COVID-19 pandemic, cybersecurity concerns increased.

With employees working in new environments and on their home networks, agencies had to make sure all of those extra endpoints were protected. Additional training, changes in policy and new work habits have helped to mitigate some of those concerns, especially when it comes to sensitive or private information, agency CIOs say.

“We’re paying extra-special attention to cybersecurity, making sure that we’re keeping our patches up to date, making sure that all of our processes are in place,” says David Bottom, CIO at the Securities and Exchange Commission, where the entire workforce has gone remote. 

“Even though folks are working remotely, we haven’t relaxed any of those processes and procedures when it comes to nonpublic information.”

Extended Time at Home Expands Security Concerns

The federal workforce has experienced emergencies in the past — workers have been sent home for floods, snowstorms, subway closures and official government shutdowns — but rarely simultaneously and across the nation.

Only 15 percent of the 2.1 million employees in the federal workforce are based in Washington, D.C. Some are needed in the field, such as the Department of Veterans Affairs’ medical personnel and Transportation Security Agency airport screeners, and cannot work from home.

“The whole world around us is different now,” says National Science Foundation CIO Dorothy Aronson, whose agency also expanded to 100 percent telework as a result of the pandemic. “The biggest difference between COVID-19 and other emergencies has been the universal impact and the extended time frame over which this emergency has occurred.”

NSF already relied on a virtual private network for its remote employees, but Aronson discovered that the way the agency used the VPN had to change. “People were acting as they would on a normal workday, logging in to the VPN and staying connected all day long. That methodology is not productive when the whole agency is teleworking.”

To ease the load on the VPN, NSF shut down access to some capabilities. For instance, employees could no longer watch training videos on YouTube via the agency network; they would have to use their home network instead.

“The IT organization is continuously sending our community tips and tricks and best practices through email,” Aronson says. “We are getting a lot of help understanding how best to use our equipment and work safely from home.”

LEARN MORE: Seven federal agencies tell their remote work stories.

How to Handle Classified Work in an At-Home Environment

For the Defense Intelligence Agency, cybersecurity was a primary concern; the DIA handles classified information that must remain on a classified network, and remote work was not a part of its regular routine.

“For weather-related emergencies, for example, it’s really not a telework event for us,” says CIO Jack Gumtow. “You’re off for the day, and nobody is really expected to do anything. If you’ve got a sick kid, you take sick leave. That’s how that’s generally accommodated.”

DIA went from no teleworking at all to 45 percent of its workforce at home. The agency kept a small number of people “working inside the wire,” as the DIA refers to its firewall and classified network. 

Others went home and did unclassified training online or conducted open-source research using nonclassified materials; the results were handed off to those inside the wire for further, classified analysis.

“We had to do a lot of retooling on the unclassified environment so that we could work from home,” Gumtow says. “We put in a virtual private network that is up and running right now. We’re migrating rapidly to Office 365, their most secure version.”

Team collaboration tools were also an immediate necessity. “One of the primary concerns was, what’s the security inherent within the tool and their back end so that we can have some semblance of privacy?” Gumtow says. “I made the decision for the agency that we were going to use Microsoft Teams, and that if what you were doing was work related, no other tools were authorized.”

DIA also ordered laptops for employees who didn’t have government-issued ones; personal laptops that might be shared with family members weren’t appropriate for DIA work. And the agency also implemented virtual remote desktops, so that laptops at home would have a virtualized version of the official desktop back at the office.

“We’re constantly concerned about the cyber actions that can occur, especially with that amount of people at home. It creates a huge attack surface for someone to try to exploit,” Gumtow says. “And I can’t control somebody’s home network, so we try to limit that footprint.”

For more on how these agencies adapted to mass telework, visit our Feds in the Field video series page.