What’s Next? Securing the New Age of Government Telework

The State Department is supporting 90 percent telework.

The General Services Administration (GSA) jumped from 50 to 100 percent telework.

The Department of Housing and Urban Development (HUD) reports 95 percent telework.

The Department of Energy (DoE) reports 85 percent telework.

The Small Business Administration (SBA) is at 99 percent telework.

The Department of the Interior (DoI) estimates the number of remote workers has tripled.

The Department of Defense (DoD) CIO Dana Deasy declared the telework efforts “the largest rollout ever implemented in this short amount of time” with 900,000 users on the remote work system.

And that’s not counting the thousands of state and local employees working remotely across the country.

According to The Washington Post, 40 percent of Federal employees were set up for remote work before COVID-19. And, the U.S. Bureau of Labor Statistics reported just four percent of state and local employees had telework capabilities. Hundreds of thousands of government workers across Federal, state, and local levels were suddenly in need of remote access.

Meanwhile, demand for government services hasn’t slowed. As small businesses across the country seek help through Federal funding and loans, the SBA, for example, experienced a “huge uptick” in online activity. The volume of emails rose to 10,000 per day and, after a tweet from President Donald Trump linked to the agency website, 93,000 users visited the site.

Even those agencies that previously set up employees with remote capabilities strained their virtual private network (VPN) trying to keep pace with the new level of demand. For perspective, DHS has seen a 483 percent increase in the use of VPNs during the COVID-19 pandemic.

Behind the Numbers

“The most pressing challenge of scaling remote work is the complexity,” Kelsey Nelson, Director of Product Marketing, Okta explained to MeriTalk. “It’s not just agency employees operating in a telework environment. It’s the extended workforce and the constituents who all collaborate to accomplish a mission. We also have a variety of resources across on-premise and cloud environments. With the perimeter completely gone, we must learn to manage all of those different facets at the same level of security we had previously.”

Many agencies, such as the Environmental Protection Agency (EPA) and HUD, started by increasing their VPN server capacity and license to improve connectivity, also leveraging virtual desktop infrastructure and high-computing alternatives where necessary to support the mission. The EPA had the advantage of already using standard-issue laptops to simplify telework, so most users could still access their tools while the IT team augmented VPN services.

Another tactic to reduce virtual network strain is to leverage secure cloud with access controls to reduce reliance on the VPN, shared a HUD spokesperson, saying, “We were able to reserve bandwidth for on-prem capability that required VPN.”

Meanwhile, GSA’s Technology Transformation Services (TTS) has dedicated over 10,000 work-hours – and 20 percent of its talent pool – to work across agencies to address challenges, including authentication technology to support the SBA’s Paycheck Protection Program, which has facilitated more than half a trillion of funding and 110,000 log-ons.

The agencies and organizations that seem to be best navigating the shift to telework credit previous modernization efforts. A DoE official stated that modernization efforts over the last three years included building telework capacity by expanding bandwidth, developing secure solutions for remote access, and developing the capability to manage IT infrastructure from remote locations.

The modernized infrastructure allowed the agency to “rapidly respond to maximum telework… by deploying additional laptops, issuing additional two-factor authentication tokens to employees for remote access, and deploying additional server capability to allow for the increased use of virtual application solutions by remote users.”

But, there isn’t much time to appreciate these impressive feats before government IT leaders must ask themselves, “What’s next?”

Keeping Identity at the Core

Adjusting to telework has tested how quickly agencies can work without compromising security controls. To meet the demands of speed and security, some agencies have shifted their entire security approach. For example, State has adopted an agile and DevOps environment to manage the implementation of the many new minimally viable products.

Nick Ward, Chief Information Security Officer for the Department of Justice (DoJ) stated during MeriTalk’s “Government Telework, Teamwork, & Security in 2020” webinar last week, “We’ve put a lot of effort into our security posture, but… we can’t always control what our partners are using to collaborate.” Ward told agencies to make sure they had the flexibility to partner and collaborate with other organizations, but also ask how those partnerships affect security posture.

To add to the complexity, every provider has different methods for security and reporting, making it difficult for any security team to understand, much less monitor and secure. A zero-trust model can help agencies outline a strong identity and authentication framework to access these different services in a common way.

Brian Forsythe, branch chief of Technical Assessments at DHS, said during an ATARC webinar earlier this month that after enacting zero-trust in Office-365, the department is looking to grow that security work to other areas.

Nelson shared how agencies can get started with zero-trust now, “In this perimeterless environment, agencies will want to approach zero-trust by starting with a strong user identity foundation and building out a robust device context. This approach will help fortify against the current threat landscape, which includes increasing phishing attacks.”

State and local officials across the country are adopting multi-factor authentication (MFA) for issues such as election security. Iowa Secretary of State Paul Pate has required MFA to access the state’s voter registration database, as well as internal systems.

“Authentication is critical,” said Ward, going on to suggest immediate action agencies can deploy by looking at current technology stacks. “Enabling application specific VPNs, for instance, is just one area that you may already have the building blocks to do in your environment… It reduces the load on your VPNs, and it also reduces the risk because you don’t have to have PCs and mobile devices with full remote access into your enterprises. You can rely on device-level certificates, plus the user authentication to secure those connections.”

Show Me the Money

Soon after we ask “What’s next,” we ask, “Where’s the funding?” As of May 1, COVID-19 related government contracts exceeded $8.7 billion.

Anil Cheriyan, Deputy Commissioner of GSA’s Federal Acquisition Service and Director of TTS, told MeriTalk, “I think if there’s one lesson learned it’s now is the time if you are a CIO, let’s push for more telework, let’s push for all of those digital transformation initiatives… Now’s the time to take that and push for it in terms of investments.”

Agencies are addressing how current investments will feed into their long-term budgets. How much will a solution cost? What are the use cases now? What are the use cases post-pandemic? What cost offsets might we see down the line?

When calculating costs and offsets, agencies might consider calculating a cost of delay. “We look at the financial benefits of our investments, that’s a critical part, but we don’t measure the cost of every day that we delay making a decision,” explained Stuart McGuigan, CIO, State.

In essence, the concept calculates the productivity benefit of the potential solution and classifies it as a labor cost for each day spent without the major system upgrade.

The method would allow an agency can compare their current costs plus the additional labor costs incurred by inefficiencies, to the projected future costs. Insight into the cost of delay may encourage agencies to make better decisions more quickly.

At NASCIO’s Midyear Conference, Massachusetts CIO Curtis Wood suggested that the rapid shift to telework has opened doors to sustained efficiencies. He told the audience, “I’ve retooled my conversations to talk about availability, accessibility, resiliency and scalability versus where it actually sits in the state data center.

Continuous Improvement

The DoJ is continually talking to mission partners to understand problems, shared Ward. He cautioned the audience, “If you’re not listening, they are having problems and they’re just not telling you.”

Communication may be more difficult now that all meetings are virtual, but healthy, continuous communication – across teams, across agencies, across partner networks – is key to making progress.

“Today, everyone is part of the security team,” said Nelson. “We are all part of keeping our organizations secure. So, it is important that we have that mindset and partner with our IT teams to make sure we are finding secure alternatives.”

Categories

Recent