As pandemic restrictions linger, federal agencies are preparing for a rise in classified telework. Here’s why a continued focus on cybersecurity fundamentals is imperative.
The COVID-19 pandemic accelerated the move to remote work beyond all prior expectations. While there were many exceptions to the rule in the early days of the pandemic response, we are seeing those exceptions decrease as the remote work environment matures. The sudden need for secure remote work drove innovation and flexibility as necessary attributes of a successful transition. Leaders at the Defense Information Systems Agency (DISA), for example, commented that this demand, and the resultant security upgrades, were a sort of “silver lining” within the pandemic “cloud.”
The pandemic has restricted all organizations from working in their traditional ways, and the Pentagon is no exception. Approximately one million personnel are now working remotely as a result of the Department of Defense (DoD) expanding its telework capabilities. Currently, the majority of remote work done by DoD employees is low-risk and unclassified. But as the pandemic lingers, the Pentagon and its agencies are being pushed to do more classified telework. For example, former DoD chief information officer Dana Deasy signaled that the Pentagon aimed to support sensitive, classified telework for its employees by the end of 2020. Classified work – which is defined as handling secret or top-secret designated data – has historically been completed by DoD personnel in physical facilities. These sensitive compartmented information facilities (SCIFs) safeguard classified data with physical barriers.
As the DoD looks ahead, enhancing secure telework capabilities is at the top of its “to do” list.
The quick transition to remote work across organizations has bad actors ready to take advantage, and the increase in sensitive – even classified – information being accessed remotely will frame the Pentagon and its employees as a larger target, making it even more important for the DoD to secure its cyber infrastructure.
As always, regardless of how many security measures are built into a network, continued focus on the fundamentals is necessary to maintain security. Below are three critical elements of a successful and secure remote work program that should continue to be priorities for DoD as the move to classified telework accelerates.
1. Maintain good cyber hygiene
Getting the basics right – maintaining good cyber hygiene – is essential to a successful cybersecurity program. An increased attack surface due to more telework means that before any new programs can be implemented or classified documents can be viewed remotely, the Pentagon must have a clear image of its whole environment, where it’s exposed and how those vulnerabilities could impact the organization. Good cybersecurity requires basic cyber hygiene, something that requires discipline – a foundational DoD strength – but is not unreasonably difficult to achieve. If the DoD can get the basics right, it can prevent most breaches and attacks on its systems.
Shiny new cyber tools don’t improve cybersecurity if organizations aren’t maintaining that critical focus on the fundamentals. One great resource for cyber basics is the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Essentials Toolkits, which outline the steps IT and executive leaders need to work toward to fully implement basic cybersecurity. Maintaining good cyber hygiene must be a top priority for both the DoD and other organizations doing more telework during this time.
2. Outline vulnerability management procedures
The vast majority of breaches occur as a result of known but unpatched vulnerabilities. According to one recent study, 60% of security breaches were linked to a vulnerability for which a patch was available but not applied. Additionally, Tenable Research has found that 26% of vulnerabilities are never fixed. These exposures pose a significant threat to organizations, and better prioritization methods are needed to focus remediation efforts on the risks that matter most.
Risk-based vulnerability management may seem complicated at first, but it can be relatively easy to implement if organizations know what to expect and plan accordingly. This includes building good authentication and identity management practices, establishing strong cyber hygiene and having unified visibility across your attack surface, including dynamic environments such as cloud instances or web applications.
Pentagon leadership must have strong management in place to identify and fix vulnerabilities. This will help agencies proactively manage their cyber risk, instead of making retroactive efforts in times of emergency.
3. Establish streamlined network visibility
Breaking down silos is another critical step for organizations to achieve network visibility. Too many organizations see their cybersecurity and other critical initiatives go in opposite directions because security and executive leaders are not communicating effectively or understanding each other.
According to our recently commissioned study of more than 800 business and cybersecurity leaders, conducted by Forrester Consulting on behalf of Tenable, when security and business leaders are aligned, they deliver demonstrable results in their ability to assess and manage critical cyber risks. Aligning overall organization and cybersecurity objectives not only improves security posture, but it also advances agency goals and benefits the entire organization.
There will be challenges in breaking down these silos and establishing better network visibility for the DoD, just as there are for private industry. But the benefits for personnel and the organization as a whole are significant, and agencies should work to make it a top priority. Without alignment, security teams risk chasing down issues that may pose little risk, while leaving their most critical assets and systems exposed.
Conclusion
As the DoD moves to increase the number of employees doing sensitive, classified telework at home instead of in SCIFs, it is critical for DoD leadership to reinforce secure remote work practices. Good cyber hygiene, strong vulnerability management and central network visibility must remain top of mind for the DoD as it continues to move toward more classified telework.
The recent SolarWinds breach added an exclamation point to the importance of network visibility, as noted recently by CISA’s acting director, Brandon Wales. Mr. Wales cited insufficient visibility into agency networks and cloud deployments as “blind spots” that prevented early detection and needed to be eliminated to prevent similar breaches in the future. With increased telework expanding the enterprise network, the risk of more blind spots becomes even greater, heightening the importance of this essential step in the process.