COVID-19 and the resulting adoption of widespread telework have forced agencies – federal, state and local – to implement unexpected changes to their security structure. But even with the sudden shift of circumstance, security experts had already foreseen the eventual need for distributed, remotely applied security.
“This pandemic hasn’t really changed the plan, but it has accelerated the plan,” Bill Zielinski, Chief Information Officer (CIO) of the city of Dallas, said.
Zielinski and six other panelists spoke about organizations’ evolving security posture during the second hour of Wednesday’s Briefing Center, a two-hour GovLoop online training event. Featuring government and industry security experts, the panel highlighted numerous security trends in government, including election safety, blanket telework policies and the federal Trusted Internet Connections (TIC) initiative.
Below are speakers’ thoughts on these hot-button topics and more.
Election Security at the Local Level
Safeguarding the upcoming election requires coordination between municipal, local and state governments. Since the summer, Virginia has been preparing election workers and government officials for the inevitable onslaught of attacks coming their way, Chief Information Security Officer (CISO) Michael Watson said.
Virginia has rolled out penetration testing to search for vulnerabilities and protocol testing to trial response plans. The state has also educated its employees on dealing with phishing, or deceptive communications sent to employees’ emails with the goal of extracting information or persuading a person to download a virus.
The pandemic has already further expanded the bullseye painted by hackers on local governments, and Watson said Virginia is doing what it can to help defend them. Local governments provide critical services, but often, a shortage of resources precludes them from instituting necessary cybersecurity programs and technologies.
“The localities are kind of the perfect target, and we’re aware of that,” Watson said.
Zielinski said Dallas, the nation’s ninth-largest city, has seen an uptick in attacks. Surrounding municipalities have joined together and communicated increasingly to strengthen their collective cybersecurity position, he said.
“The adversaries have also accelerated their plans as well,” Zielinski said.
The Different Layers of Data Protection
Before the pandemic, various trends and policies had already presaged a rethinking of security philosophy. Instead of considering security as the protection of one central site or system, the tone has moved in favor of protecting every piece of data and individual application. More than putting titanium bolt locks on all the doors, agencies are locking every single cabinet and drawer in the house, in a sense.
“Data’s the foundational element for everything we do,” said Dovarius Peoples, CIO of the Army Corps of Engineers. “Once you get the data figured out, everything else will plug and play.”
Peoples expounded that the Corps has very closely examined user access to applications and data. The agency operates off a “deny all and allow by exception” methodology, a core tenet of zero-trust cybersecurity strategies, Peoples said. Under this approach, users are given access to only the applications and data they need, and identity is verified frequently.
Policy and Compliance
TIC 3.0, the latest update to the federal government’s most prominent network connection program, is a broader indication of the move to security on an individual level. Though TIC began as a means for agencies to count and reduce connections to their networks, it has since developed into a use-case-driven manual for securing traditional, cloud and distributed environments. TIC Program Director Sean Connelly told GovLoop in prior interviews that the TIC office is looking at zero-trust use cases.
“TIC 3.0 is an enlightened evolution of what the network is and where it’s at today,” said Jose Padin, Director of Sales Engineering for the U.S. Public Sector division of Zscaler.
When it first began in 2007, TIC was prescriptive. For agencies, though TIC tightened up their security standing, it was another policy to comply with. Now, it’s more than that.
TIC 3.0 permits agencies to define their own trust zones and offers them multiple ways to establish secure user connections to the network – either going through the cloud, branch offices or traditional access points. Padin said everyday employees don’t need to know all of this; just hopefully, they’ll be able to tell connecting to networks has gotten easier, he said.
The TIC program office published draft use cases far in advance, allowing agencies to pivot to the new model, said Chi Kang, Deputy Director of Operations for the National Oceanic and Atmospheric Administration (NOAA) Cybersecurity Division. That preparation time was crucial for NOAA, which serves as a TIC access provider for other agencies.
The latest edition of TIC also marks the convergence of several key programs, Kang said, including the Continuous Diagnostics and Mitigation (CDM) program that tracks activity and identity on agency networks and across the federal enterprise.
“There’s a huge paradigm shift here where everything is converging,” Kang said.
Kang seemed to welcome many of the notable changes, including the interpretation of trust zones. In more traditional perimeter security models, the only two trust zones were untrusted and trusted. Now, agencies can define their own levels of trust for cloud, mobile and remote environments.
NOAA has been looking hard at its cybersecurity capabilities to see which might overlap or which might fill in gaps between the policies, Kang said. One best practice he touted is exchanging notes with industry and agency partners to creatively develop use cases and meet compliance requirements.
The Rapid Shift to Telework and Digital Services
One fundamental truth about security hasn’t changed. Security departments’ goal is still to enable the mission of agencies – just making sure it continues safely.
This was put to the test during the pandemic, when the sudden rush of teleworkers and online customers forced security teams to make compromises on their usual standards.
“We have to be comfortable being uncomfortable,” Watson, Virginia’s CISO, said.
Watson said his team had to accommodate a rapid deployment with a lesser degree of review than would have normally been the case. That’s not to say agency databases are left open – but that security teams had to sacrifice some of their standard checks in order to get the workforce up and running remotely. After all, Watson said, sidelining employees for weeks as they set up at home was in no way a possibility.
Zielinski said digital services have met a similar challenge as well. Some services went from 20% online to 100% online overnight, but in a city, essential services can’t afford to go down for even a minute, such as first response branches, he said.
Other Considerations and Future Implications
So what’s next? Security’s likely to gain steam as a business enabler of digital services, remote work and modern technologies, experts suggest.
“The pandemic’s put security in an interesting spot, because security’s never been more important to the business,” said Ian Milligan-Pate, Regional Director in State and Local Government for Zscaler.
Specifically, this would follow two models, said Tony Ferguson, Director of Transformation Strategy at Zscaler. Notably, neither includes virtual private networks (VPNs), a common form of connecting into the network and agency resources.
First, Ferguson said, agencies might look to take parts of the internal enterprise offline. As opposed to employees accessing their systems, such as virtual desktops, through online portals and firewalls, agencies could construct a software-defined network that is not physically based within agency offices. Software-defined networks allow for faster, broader access and more granular control – ideal for cloud computing environments.
Then, agencies would implement zero trust within the network, creating stricter access permissions and verifying identity regularly.
These two steps would be crucial for moving to a security-enabled distributed environment of the future, Ferguson said.
That’s the goal for Peoples, the Army Corps of Engineers CIO, and his department. As the pandemic set long-term plans into motion, the jolt could spur agency security into a place where office setups are soon in the past.
“Completely untethering the end user from their desktop. We’re a very distributed enterprise working in a lot of important areas and disaster relief,” Peoples said.
This online training was brought to you by: