The telework rush tested states’ cybersecurity, IT maturity
When the COVID-19 pandemic forced state government employees to start working from home earlier this year, no one was fully prepared. Most employees hadn’t been acclimated to the isolation they would soon experience, states didn’t have enough equipment or software licenses to go around and cybersecurity officials didn’t have enough time to ensure operations could continue under the same conservative privacy and data-security standards.
As Daniel Dister, chief information security officer for the State of New Hampshire, watched staff leave government offices to work from home, ZIP codes or even states away, he said he sometimes had no choice but to vet and approve new tools with “just one-tenth” of the time normally afforded for such sensitive decisions.
“In some cases we didn’t have adequate time to do a full vetting and we still are not completely comfortable with some of the approvals that had to be given,” Dister said, noting that when the pandemic ends, many of the tools to have been granted provisional approval will go back on the shelf. “Our cybersecurity resources were ripsawing from one mini-crisis to another, trying to solve problems.”
But other IT officials told StateScoop they were surprised at how successfully their organizations adapted. And with the prospect of remote work becoming more common in the coming years, they’re questioning old technology frameworks that had never been been tested so strenuously.
“Maybe government can operate in a dispersed fashion,” said John MacMillan, Pennsylvania’s chief information officer.
Attack surface
The rushed experiment in mass telework has exposed long-present weaknesses in governments’ IT and cybersecurity plans.
The pandemic has forced states to accelerate adoption of virtualization and cloud-based services, and the states that seem to have had the easiest time moving their employees to remote working environments are those that had already been riding those particular technological waves. Virginia CISO Michael Watson said building the capacity to support 40,000 concurrent users on a remote-working platform within a matter of weeks was “not so bad” and attributed the state’s agility to its previous adoption of an IT framework that had been designed with decentralization in mind.
“Our critical systems were already not tied specifically to a central network,” Watson said. “I thought it was going to be a huge problem for us and really we were able to just make it work.”
There were challenges, he said. Watson’s office spotted applications running on its network that it hadn’t been aware of. Virtual private networks, a common solution to connect remote users securely, weren’t appropriate for everyone and alternatives like on-premise private cloud solutions sometimes had to be quickly provisioned.
But one of the biggest challenges to be presented by mass telework, officials said, is protecting the broadened attack surface attendant with a distributed workforce. Though most states have at least dabbled in telework, they must now overcome an IT tradition that takes for granted a paradigm in which devices are plugged into the network from predictable locations. In New Hampshire this may have been especially true, where Dister said “we were very telework-adverse.”
“Previously this equipment had largely been within the state network, protected by our firewalls and all the other security mechanisms,” he said. “Now they’re spread all over the place. Some state employees even left the state, so now we have state workers essentially working in states all across the country, which is just a bizarre situation.”
Bizarre or not, the rearrangement upends long-held assumptions that now prove dangerous. A guide published last year by the Center for Internet Security — in response to what was then a mild increase in telework — notes that “the network devices used by small organizations and teleworking employees are significantly less sophisticated” yet are “still subject to many of the same threats,” which include the potential compromise of personal information, the possibility of government devices being hijacked for botnets, a panoply of legal liabilities and the threat of organizations ceasing to comply with cybersecurity-insurance requirements.
Bad timing
The enterprises that states have spent decades building and protecting were replaced nearly overnight by a network of “less sophisticated” home offices. Curtis Dukes, a vice president with CIS, said the timing is unfortunate given the near doubling of data breaches tallied by Verizon’s 2020 Data Breach Investigations Report.
“We went from a modest increase in teleworkers to pandemic and almost everyone sheltering in place,” he told StateScoop. “Many organizations just didn’t have the time to think through what added security protections might be needed.”
Moving tens or hundreds of thousands of state workers to telework without cutting off critical public services has kept IT security offices busy. North Dakota CISO Kevin Ford estimated that before the pandemic hit, less than 5% of his state’s roughly 15,000 employees were working remotely, but after a 72-hour transition period that he said felt “very rushed,” now “around 95%” of the executive branch has stopped coming into the office. Soon after the transition, he noticed many employees were plugging their laptops or borrowed workstations directly into their home modems and then “almost immediately” getting hit by brute-force attacks.
“We can’t really secure it to the same extent to which we can secure the government network,” he said. “When we do try to secure it, all kinds of privacy considerations come into play. It’s not the case that we can just buy a whole bunch of firewalls for people to have them install them in their house because then we would be collecting personal information on off-work web browsing or their kids’ TV habits.”
The security challenges extend far beyond privacy. Officials said it’s more difficult patching users’ devices when they’re remote. In New Hampshire, Dister said he noticed some employees had started using the free version of Zoom, a practice he deemed “not appropriate.” Officials in other states said they noticed their application portfolios were suddenly growing with little regard for standardization — each agency installing different, incompatible tools seemingly at random. States and local governments have received so many security advisories from different sources during the pandemic, Dister said, that he’s come to regard himself as an information gatekeeper, responsible for ensuring that employees aren’t overloaded or desensitized to the countless warnings.
In North Dakota, Ford said, the long-term solution to all these challenges is to focus the state’s cybersecurity efforts “on the asset and the data level and less on the corporate network level, because we do see working from home being something that the state shifts to in the future.” Dister said he plans to suggest that New Hampshire’s post-coronavirus IT scheme include more virtual desktop infrastructure to support growth in remote work.
‘Tragedy…crisis…opportunity’
MacMillan, Pennsylvania’s CIO, said the key lesson that technology officials should take away from the remote work rush is that it’s primarily mindsets that have changed, because none of these technologies are new.
“In Pennsylvania, we had and continue to have an outstanding set of cybersecurity capabilities,” he said. “Just because somebody is working from another building, that problem persisted regardless of the business continuity scenario. Those opportunities were always there. We’re just doing more of it.”
Ford said the months of working and studying from home brought on by the COVID-19 pandemic offer a preview of government’s IT future.
“This is a tragedy, this is a crisis, but this is also an opportunity,” Ford said. “It’s an opportunity for growth for the government, it’s an opportunity to bring in new IT capabilities. I think the network cybersecurity boundaries that we were once aligning to were going to melt away anyway and this just kind of pushes the period in which they were going to melt away just a little closer. This enables us to get a vision of what the future looks like and helps prime the pump for what probably the majority of computing for the mid-21st century looks like.”
This story is part of StateScoop & EdScoop’s Special Report on Remote Workforce.
Correction: North Dakota state government has 15,000 employees, not 70,000.
This story was featured in StateScoop Special Report: Remote Workforce (2021)