More telework for feds will lead to more risk for networks

Monday, March 16, 2020

Categories: ASCF News Emerging Threats Cyber Security

Agencies face the possibility of extended and widespread telework as coronavirus continues to spread throughout the United States, closing schools and canceling events throughout the national capital region. But more federal employees teleworking will likely increase cybersecurity risks for the government, experts said.

“We’ll see employees not connecting to VPN, we’ll see employees doing email just from their phone versus doing it on their laptop with secure VPN. We’ll see employees downloading applications and tools to be able to make their lives as easy as it once was,” said James Yeager, vice president of public sector and health care at CrowdStrike, a threat intelligence company. “And [that] allows some of the security threat vectors to start to creep into these critical business functions.”

Ideally, agencies had already prepared for a massive shift to working from home following a March 3 memo from OPM directing agencies to prioritize telework in their operations plans. Several cabinet departments and agencies told Federal Times earlier in the week that they planned or had completed stress tests on their network to gauge if they were prepared for such an event. Even if agency networks are prepared, there are still big cybersecurity risks.

In a March 12 memo, the Office of Management and Budget encouraged federal agencies to “maximize telework flexibilities” to vulnerable populations, a move that will likely greatly increase the stress on federal networks and push the government one step closer to a broader telework mandate. That would mean employees could be working from anywhere, at home or a local coffee shop, and as a result agencies need to have strong cybersecurity measures in place, several experts told Fifth Domain.

“It really should be advised the two-factor authentication is empowered and enabled, that VPN connectivity is not optional or preferred, it’s required,” Yeager said.

Another uncertainty is just how long federal employees would be encouraged — or required — to telework. In the Washington, D.C., area, several school districts canceled classes for weeks, increasing the likelihood of mass telework as parents need to care for their kids.

If employees are asked to remain at home long-term, agencies need to establish a way to handle remote security patches or to fix bugs in a device’s software.

“A lot of times you’d wait for them to come back to the corporate network to push the security patches just because that’s where you had the most bandwidth,” said Dan Fallon, senior director for systems engineers at Nutanix, an enterprise IT company. “Now they may have extended workers outside of the corporate network where they got to do remote patching, which they may not have really been set up for.”

Susceptibility to spearphishing emails also continues to be a top issue. Experts said that employees were more susceptible to those types of attacks at home because they are likely to browse the internet while teleworking.

In recent days, threat intelligence companies have warned of coronavirus-related phishing attempts. Several reports also mentioned a website that claimed to track coronavirus cases and in the process installed malware.

To defend against these types of threats, often associated with personal internet browsing, Fallon said agencies needed to separate the work environment from the device.

“That ensures that if they’re on Facebook and they click the wrong link, whatever happens is on their home desktop and the virtual session is in the cloud completely separate,” he said.

What work remains?

Greg Touhill, the first federal chief information security officer, told Fifth Domain it was “critically important” that agency leaders determine what information and data employees can access remotely, and from what types of devices.

“Most government entities don’t have the money to send everybody home with a laptop, let alone one that’s equipped with a CAC or a PIV,” said Touhill, now president of AppGate. “Identifying an architecture that’s going to accommodate BYOD [bring your own device] ... that’s going to be critically important.”

Sean Frazier, advisory CISO for federal at Cisco’s Duo Security, reiterated Touhill’s point, adding that if user laptops can’t accommodate government secure access cards, then agencies have to find a log-in mechanism that “is protected in the same fashion or at the same level as if they were sitting at their desk.”

Another looming possibility is that not all federal employees are allowed to telework and in the weeks ahead, the government could tell those employees to work from home without first teaching them how to do it securely. Simon Szykman, who served as the Department of Commerce’s CIO from 2010 to 2014, told Fifth Domain that agencies need to give non-telework employees security awareness guidance.

“It’s an issue of informing people about the difference between what they’re used to and teleworking,” said Szykman, now managing director and chief technology officer of Attain’s federal services division.

The Cybersecurity and Infrastructure Security Agency, the agency tasked with protecting federal networks, issued enterprise VPN security guidance in a March 13 alert.

“Any time you got outside the enterprise firewall there’s a little higher risk,” Fallon said. “It’s a lot of employees outside of the core office which means they’re outside the security posture both from a physical standpoint and from an IT-virtual standpoint.”

Link and photo: https://www.fifthdomain.com/civilian/omb/2020/03/13/more-telework-for-feds-will-lead-to-more-risk-for-networks/
