Following the mass transition to telework last March, the Department of Homeland Security and the Government Accountability Office have expanded employee management, training and adoption of emerging capabilities to maintain security measures in a remote and increasingly mobile environment.
There were concerns about home security and sensitivities, GAO Director of Information Technology and Cybersecurity Jennifer Franks noted during GovernmentCIO Media & Research’s Infrastructure: Security virtual event Wednesday.
There’s also a difference in cyber hygiene while working at home versus working in the office, added DHS CISO Kenneth Bible. One of the first challenges DHS had to overcome was employee training around operating in a remote environment.
Plus, the transition to telework uncovered a new realm of threats. Bible noted that “smishing” has gained traction. Smishing, phishing delivered by text message, is used to harvest access credentials that can then be used to compromise virtual private networks (VPNs).
“There’s a new set of threats that we have to think about. It’s not so much about ‘bring your own device,’ as much as it’s thinking about how the mobile environment and telework add to the threat surface,” Bible said.
Zero trust has the potential to give employees direct access to the network without going through a VPN, which would create a more seamless experience. To create this environment, agencies have to design an architecture with identity management and security built in.
“Zero trust is the goal. It’s the architectural premise that we’re all realizing we have to go after, as mobile becomes the norm rather than the exception,” Bible said. “We’re no longer thinking about it as a perimeter defense.”
Sean Frazier, federal chief security officer at Okta, said zero trust requires a mindset change. Security has had to adapt to a mobile world, and zero trust is becoming a realized standard to meet the evolving needs of the remote environment.
Senior leadership within federal agencies has to work to understand what’s at stake with cybersecurity and IT. Without that awareness, there would be a lack of understanding as to why there’s a need to be more resilient, consistent and responsive to new cyberattacks, Franks noted.
Since his appointment to the office in January, Bible has been faced with challenges across telework, cybersecurity and COVID-19. In light of the SolarWinds security breach, Bible developed a four-pronged strategy alongside the Cybersecurity and Infrastructure Security Agency to drive a stronger focus on the supply chain and supply chain risk management.
“SolarWinds, and then the follow-on pieces with [Microsoft] Exchange, signaled that how we make decisions and what we choose to go into the environment are incredibly important,” Bible said. “As a cybersecurity professional, I want to understand the composition of these new offerings. Those become the longer term risks to the organization.”
Cloud offerings could help agencies and organizations maintain focus on what matters, such as delivering capability and protecting data, Frazier said. It has the potential to fundamentally change how organizations build out capabilities.
“If we can get to that point, and what I truly believe is the heart of ‘SecDevOps,’ we can deliver foundational IT services for a functional community. That becomes the key to transformation and modernization,” Bible said, calling out the “security first” mindset the agency has taken on.
Franks noted that, at the beginning of the pandemic, there were some delays in how GAO approached conducting business across the government and private sector in the classified arena. Many agencies have had to work with congressional staff, agency officials and lawyers to rescope methodologies and shape what it would look like to continue working in a telework environment.
“As federal agency leaders, we should look at how we can conduct more work in the classified environment at home. We would have to streamline agency initiatives to practice good cyber hygiene and strong vulnerability management. We also have to look at essential network visibility that would be at the top of all the minds involved to move toward this enterprise network operation,” Franks said.
GAO has leveraged a remote desktop platform to conduct business, which enables employees to connect to a secure portal using government-furnished equipment or a personal device. This centralizes a security checkpoint for employees and resources and allows them to connect remotely. While the agency had to expand its infrastructure, the platform and training procedures were already in place, and it has been extremely effective throughout the pandemic. GAO’s platform has also brought cost efficiencies to the agency, enabling it to reduce its physical footprint and utility costs.
“By creating a barrier between the virtual and the physical environments, the agency has increased the level of protection that we can offer to our information and resources. Given that this was already in place at the start of the pandemic, we were able to maximize telework almost overnight and utilize those telework procedures,” Franks added.