Jim Weaver, chief information officer of Washington state, refers to the pandemic as the state’s new chief innovation officer. “It is demonstrating to agency leaders the transformative opportunities that some technology tools bring to how business can be done as opposed to how it has always been done,” he said.
One such innovation involved securely shifting thousands of state employees to working from home in March 2020 when Gov. Jay Inslee issued a stay-at-home order.
Washington was the first U.S. epicenter of COVID-19 in January, and as a member of Inslee’s cabinet, Weaver had the insight that a stay-at-home order was on the horizon. “We were able to scale up capacity and get ready for the onslaught that was coming. Overnight we shifted from fewer than 3,000 users to having 29,000 concurrent users on our VPN [virtual private network] at any given time,” he recalled.
The remote work setup, which continues, has challenged Weaver’s team to redouble educational efforts on cyber hygiene and rethink how patching is done. Meanwhile, in a state with a decentralized IT framework, the complexity level increased because his office was in the process of changing VPN platforms, trying to move agencies to Microsoft Teams as a unified communication platform, and dealing with laptop supply shortages. Some employees took desktop computers from the office to set up at home, creating remote support and maintenance issues.
Although many state and local governments have been pleasantly surprised that they were able to rapidly shift a large percentage of their employees to remote work, many CIOs are losing sleep over increased cybersecurity threats.
“As we made the initial transition to remote work, a lot of the typical standard security controls were circumvented in the interest of expediency,” explained Mark Weatherford, chief strategy officer for the National Cybersecurity Center. “Some of the things we might have taken a more measured approach to implement got swept away in the urgency to get things done. We went from one day having everyone in the office to a week later everybody working from home. For government agencies that weren’t prepared to do that, whether it was having laptops available or remote capabilities available to everyone, there was a lot of work that had to be done over a short period of time.”
If the workforce wasn’t prepared to be mobile, IT teams would have to go in and tweak firewall rules and install VPNs, Weatherford said. “The danger would be that in the urgency of the moment, a lot of these security controls would be put on a checklist to get back to, but IT teams would feel they don’t have time to do it right now. They are just going to open up these ports and protocols to allow people to work.”
TELEWORKING WITHOUT A POLICY
Eric Romero, director of information services for Baton Rouge, La., was in a difficult position when the stay-at-home order was issued in March. His office had spent more than a year focused on tightening up security after several organizations in Louisiana, including New Orleans and the state government, had dealt with ransomware attacks. However, Baton Rouge had no official telework policy and very few laptops.
“We were scrounging around for laptops and other all-in-one computers we could possibly send home with key people,” Romero remembers. “But sending someone home with a keyboard, mouse, desktop, and a monitor and expecting them to connect it all to their network properly — that wouldn’t have worked.”
The idea of employees using their own computers was brought up, but cyber-security concerns gave Romero pause. “I know it is possible, but we didn’t have all the security measures in place that would allow that.” The city ended up with about 100 laptops and configured the VPN so that when employees connected, they would have remote access to their desktop computers on the network.
But that left many employees unable to work or coming into the office in shifts to get work done. And while governments in the region have experience determining who is an “essential worker” during emergencies like hurricanes, it gets more complex when the emergency extends into months. For example, clerks in accounting who pay bills may not be essential for the first week, but they are essential after a month has passed.
After two months, the stay-at-home order in Louisiana was lifted and people went back to work, but the virus was still present in the state, and as cases spiked, there was talk that another stay-at-home order might be necessary. “Quite honestly, we still don’t have enough assets to accommodate everybody,” Romero said.
John Gilligan, president, and CEO of the Center for Internet Security (CIS), says that a government’s experience of remote work during the pandemic depends largely on whether there had been a gradual migration to telework.
WORKING FROM HOME, SECURELYHere are a few recommendations related to remote work from the Center for Internet Security’s Resource Guide for Cybersecurity During the COVID-19 Pandemic: Phishing and Malspam Remind employees to be cautious when opening emails about COVID-19, especially those from outside the organization. They should exercise caution when entering credentials into a website, linked from an email, text message, or social media account, or when downloading attachments. Credential Stuffing It may have been necessary to make services available to employees remotely, without the time to secure accounts through multi-factor authentication (MFA). Along with securing accounts with MFA, employees should make sure all passwords are secure, and should never reuse passwords on different accounts. Remote Desktop Protocol Targeting An increase in the number of employees connecting remotely means an increase in the number of systems with the remote desktop port open and potentially being scanned. While your workforce needs to access systems remotely, limited and secure access by VPN can reduce the attack surface. Distributed Denial of Service (DDoS) Attack Downtime from an attack is even more detrimental to a remote workforce. A larger remote workforce can even act as an unintentional DDoS attack, simply because more users are trying to access services at the same time. To handle these possibilities, and ensure you are protected against DDoS attacks, have increased bandwidth allocations ready, temporarily disable unused services to allow for more bandwidth, and discourage your employees from streaming videos, music, or other services through the VPN. |
“Organizations that had a fairly robust telework program had the knowledge of what their technical approach would be to provide the connectivity and security. What they did not have was the capacity,” he explained. “For the most part, I believe we will look back and say the changeover was dramatic, relatively seamless and painless, and a good example of cooperation between government organizations and companies like Microsoft, Google, and telecom companies.”
Nevertheless, a recent CIS survey found that 61 percent of security and IT leaders are concerned about an increase in cyber-attacks targeting their employees working at home. “Whenever there is any disruption in the environment, there is a corresponding increase in attacks,” Gilligan said. “Having been a CIO, I am a little less comfortable when the employees pick up their laptops and are working from home because I have less control over the equipment they are using. When employees worked all within the same physical confines, there was a boundary around them, so the organization could fend off attacks. Now the boundary is in lots of people’s homes. It is a different technical issue. Over the next six months, CIS is going to focus on putting more emphasis on endpoint protection rather than boundary protection, and I think that is where the industry is going as well. For state and local government, the challenge is that the solutions have to be inexpensive because the budgets are going to take a hit from the pandemic.”
In King County, Wash., CIO Tanya Hannah oversaw sending home approximately 5,500 of the county’s 15,000 employees in early March and is prepared to support them for the long haul. “We are not coming back to the office until at least January 2021,” she said. The county’s penetration of laptops or tablets was at about 85 percent, and a number of workers have county-issued mobile phones, so from that perspective, they were well prepared, but she does have heightened security concerns.
“Now you have endpoints all over the place,” Hannah said. “Individuals could be using unsecured networks, so I think the challenges around cyber and privacy and trying to understand your risk is even greater with remote employees.” It gets exacerbated depending on what kinds of tools you have and the work you are doing, she adds. For instance, users dealing with HIPAA privacy rules and protected health information must be sure not to use insecure applications or communications tools without encryption.
When she became CIO two years ago, the county increased spending on cybersecurity by approximately 35 percent. “We are using Microsoft ADP and their information protection tools,” Hannah said. “The threats are always changing and we have legacy applications. In recent years we have seen an increasing number of attacks on state and local, and even federal entities. We probably don’t spend enough of what is required.”
WORKING FROM WALMART
Washington CIO Jim Weaver says that as much as his office thought it was prepared, patching and basic cyber hygiene issues arose. “Instead of having those internal endpoints and the normal way we distributed those security patches, we now had to do that in an external fashion and in a way that does not cripple the capacity of our firewalls or VPN,” he said. “We try to do it during non-peak hours and have our users keep devices connected overnight to allow for downloading of those patches. We had to coordinate the timing of those patches with agencies, so we weren’t having gigabytes pushed out at the same time across a multiplicity of agencies.”
Weaver says the readiness to work remotely in Washington state varied from agency to agency. Some were forward-thinking and had enough laptops for employees; other agencies did not have laptops and employees took their desktop PCs home and are leveraging virtual desktop infrastructure (VDI). In some cases, employees are using their own devices and connecting in through the VPN into a VDI-type situation.
In addition, some employees in remote parts of the state have broadband connectivity issues. “In my own agency, I have one employee who drives to a Walmart parking lot to connect,” Weaver said. “I love her dedication, but that is not the right answer. We are starting to enable workers like that to come back into the office. I don’t want somebody driving to Walmart to work.”
There are other management challenges around having a decentralized IT organization, he says. “In many cases, we were all solving the same problem a multiplicity of times,” he added, “so we set up daily calls with IT leaders to issue guidance and best practices and to ask what we were doing that might be impacting them.” That was well-received, he says, and five months into operating in this model, they are still holding those online meetings three times per week for 30 minutes.
IMPORTANCE OF PATCHING
Both Gilligan and Weatherford stress the importance of continuing to patch and monitor antivirus software during the pandemic. “Failing to keep up with patching during an emergency is short-term thinking that could have really long-term implications,” Weatherford said. “I consider patching and updating part of normal operations, and most security teams do as well. If you are not patching, you are leaving gaping holes.”
King County’s Hannah says there is no way her organization would pause its patching work. “That would be a big mistake,” she noted. “You have to think about all these legacy systems and the vulnerabilities with them.”
Patching was also initially an issue for the state of New Hampshire when it sent its employees home with their desktop computers in March. “When employees were in our offices, the network resources were more robust,” said New Hampshire Information Technology Department Commissioner Denis Goulet. “We had to make changes to the patching infrastructure so we could patch directly over the Internet rather than through the VPN. That was a challenge at first and we got a little behind on patching. We caught up after we moved our Microsoft patching off the VPN. We also did that with our trusted conference solutions like Webex so we didn’t have to go through the VPN for those.”
Because it didn’t have laptops for its employees and didn’t want them to use their personal devices, New Hampshire encrypted the work desktops, purchased Wi-Fi cards for them, and helped employees set them up at home. “We quickly upgraded our remote access infrastructure because like everybody else we had the ability to support many fewer connections than we anticipated connecting,” Goulet said. About 11,500 state employees use computers in New Hampshire, but before the pandemic, remote access to the network topped out at 600, according to Goulet. “We are now doing 10 times that every day. It was a big change.”
Goulet said the fact that IT is centralized in New Hampshire made the switch to home easier. “The benefit is we had one remote access solution and one technology stack that went on the computers,” he explained.
The experience of the pandemic will require looking at cybersecurity and compliance through a different lens, Goulet noted. “We have to focus on it more in the remote context,” he said, adding that it may lead to business process transformation. As an example, he says, many employees felt they had to be able to print at home because they did in the office. “They thought they had to transfer that business process to home. For instance, in my department, I have to sign off on all large purchases. Well, that was largely a manual process before we moved offsite. But now I am not going to print those out, sign them, and send them back to somebody, so we went to a full electronic signature process. It is a lot faster and better.”