The activity that DHS’ CIO organization has supported for years — cloud first, data center consolidation, multifactor authentication, Homeland Security Presidential Directive 12 (a government common identification standard) — has built efficiencies to enable the department’s agility, Evans says.
“The whole promise of the cloud and network modernization was to not build the infrastructure to the nth degree, because you can’t pay for the worst-case scenario,” explains Evans. “It scales as you need it.”
To support the massive spike in remote work, DHS had to accelerate certain features in Office 365. For instance, it scaled out Microsoft Teams’ videoconferencing capabilities and ramped up its VPN capability to ensure it was reliable enough to meet the demand, “because it’s a lot different when you have 120,000 concurrent sessions going versus 10,000,” Evans says.
The Air Force had been in the process of deploying Office 365 and Microsoft Teams when COVID hit, and the virus expedited that rollout. Within a few weeks, it was able to deploy the software on government-owned and personal devices across all military services, and expand VPN access.
“Our ability to accelerate change and rapidly respond to this was truly herculean,” says Knausenberger. “When I talk about meeting the demands of a future digital fight, it’s areas like our response to COVID that give me so much hope in our ability to build a rock-solid digital foundation and improve the warfighters’ experience.”
Cybersecurity Remains a Top Concern with Increased Remote Work
The shift in the way federal employees have been working has also changed agencies’ risk profiles. “The one thing that we can’t take our eye off of is that because we’ve moved into this environment, our threat landscape has changed,” Evans says. “We have to continue to anticipate what our adversaries may do and then put in proper controls for that.”
Part of the problem is that workers are connecting to resources from home networks and using personal devices; another issue is the recently discovered breach of several federal agencies, allegedly by a foreign adversary that tampered with legitimate software updates.
“Our adversaries are seeing additional attack surface and coming at us aggressively,” adds Knausenberger, “so we’ll have to continue to up our cyber game to keep our data secure.”
The Telework Advancement Act of 2010 requires agencies to create policies for remote work, but with the unprecedented shift to virtual work amid the pandemic, and the subsequent heightened security risks, agencies need to be more vigilant than ever, says Laura DiDio, principal at ITIC research firm.
She advises requiring VPNs, regular software patching and data backups, and separating network access and resources based on the type of device connecting. “You don’t want some teleworker’s mobile phone going into a mission-critical mainframe without the proper controls,” DiDio says.
She also recommends increased computer security training for all employees, multifactor authentication and specific policies and procedures that are strictly enforced and reviewed quarterly until the end of the pandemic.
“The big headline here is, pay attention,” she says. “Take all your normal teleworking policies and put them on steroids.”