CISA stress tests DHS telework capacity

The Cybersecurity and Infrastructure Security Agency will stress test the Department of Homeland Security's remote working capabilities today as the federal government continues to grapple with fallout from the coronavirus outbreak.

Employees agencywide are taking part in a telework event Friday that allows leaders to test how prepared their systems and networks are to handle an environment where large numbers of employees are logging on from their homes or other off-premise environments.

"This telework event will evaluate the current remote capabilities available if CISA-wide telework becomes necessary in response to the outbreak of the COVID-19 virus," said CISA spokesperson Sara Sendak in a statement.

It's not clear how expansive the scope of the test will be and to what extent it will also focus on potential cybersecurity vulnerabilities that might arise as large portions of the agency move to telework. A CISA spokesperson told FCW the agency is working to make more details of the test available to the public.

Large portions of the federal government are facing the prospect of similar challenges. On March 12, the Office of Management and Budget issued guidance urging agencies to maximize telework flexibilities for eligible federal employees who are at high risk of serious illness from COVID-19, including pregnant women, older workers and individuals with high blood pressure, diabetes, compromised immune systems and other conditions.

Not every agency will be ready. While some agencies, like the U.S. Patent Office, have established histories of teleworking; others like the Department of Defense "have traditionally been laggards" in terms of establishing and testing for widespread remote work, said Ret. Brig. Gen. Greg Touhill, who served as federal chief information security officer under the Obama administration.

The military and intelligence agencies who handle sensitive or classified information operate under even more constraints and must tightly schedule and stagger access to secure compartmentalized information facilities to minimize personnel overlap and ensure rooms are properly cleaned.

"Across all the federal agencies and [military], I did not feel comfortable that every work center, work unit, work agency had a really good feel for the value of their information or who needed to access it under conditions of telework or national emergency," said Touhill, now president of security firm AppGate.

That disparity in mission and planning means not agency will be starting from the same place or able to handle a surge. Some employees don't have access to government-issued laptops, and agencies may have to consider targeted exemptions for CAC and PIV card sign-in for those who do without.

"Every agency was like a dog's breakfast," said Touhill. "When it came to telework, some departments and agencies have invested in VPN technology and had a capacity to handle X number of simultaneous connections. Other agencies did not invest in that," he said .

Cybersecurity risks

In a House Homeland Security Committee hearing this week, CISA Director Chris Krebs said the agency has set up a coordination cell focused on examining the cybersecurity implications of a COVID-19 outbreak "because the attack profile changes" as more and more employees move to telework.

"You might be using more VPNs, so make sure you've got your Citrix and other VPNs patched, things like that," said Krebs. "But also targeting and looking into … phishing campaigns, we've already seen the bad actors using as an incentive or enticement to get people to click on links."

Cybersecurity organizations have also rushed to put out guidance. The Center for Internet Security sent FCW a one-page document put together by former National Security Agency Information Assurance Director Curtis Dukes this week to guide companies and other large organizations' decision-making as they move to a remote posture during the outbreak.

For example, any administrative routers, web portals or mobile apps used for home network management should have password mangers and two-factor authentication, and routers and modems should have automatic updates and patching enabled. Tools like Wireless Protected Setup and Universal Plug and Play network protocols should not be relied on, as they have security flaws that allow attackers to connect to Wi-Fi networks without permission or exploit other vulnerabilities.

"Unsecured off-site routers, modems, and other network devices can cause big headaches for employers. Poorly configured home devices can affect entire organizations," Dukes wrote. "They can still be attacked from any device on the Internet, but they are also vulnerable to unauthorized access from neighbors and passersby."