The COVID-19 pandemic forced Federal agencies to shift to majority telework in a matter of days. Over the last 12 months, agencies have had to rapidly learn how to keep their networks secure in a new work environment.
During a GovernmentCIO webinar today, Federal leaders stressed the importance of moving beyond perimeter defense and instead focusing on Zero Trust.
Jennifer Franks, director of Information Technology and Cybersecurity at the Government Accountability Office (GAO), agreed that telework presents new security challenges. She further emphasized the importance of creating an environment where employees can seamlessly conduct the business needs of the agency.
Pivoting to Zero Trust, Franks said that Zero Trust will be “a lifestyle and cultural change.” To fully embrace Zero Trust, she said IT professionals need to work with senior agency leadership to help them fully understand what is at stake with cybersecurity. Without that buy-in at the top of the agency, there will be a lack of understanding about the need to be resilient and consistent, as well as the importance of being more responsive to new cyberattacks that continue to happen.
Department of Homeland Security (DHS) CISO Kenneth Bible agreed with Franks and said the role of cybersecurity professionals in the Federal government is to translate the technical speak to senior leadership to help them understand the challenge.
Bible stressed there is no single solution for cybersecurity infrastructure at this point. “There is no magic box I can buy that gives me Zero Trust,” he said. Rather, there needs to be a concerted effort to build out that infrastructure. “There is no magic bullet, there is just a lot of work to be done,” he said.
Cybersecurity professionals have largely been focused on securing their network’s perimeter. However, in light of telework, that model needs to change. Bible said cybersecurity needs to “move beyond” perimeter defense and instead focus more on “where is the data, and how do we protect the data.”
That said, Bible did stress that while Zero Trust is the path ahead for cybersecurity, “no one is pulling out routers and switches just yet.” He said agencies need to understand that right now Zero Trust isn’t a “clean architecture” that allows agencies to “rip out and replace perimeter defense.”
The challenge facing agencies, Bible said, is that Zero Trust is somewhat additive on top of what they are already doing at the perimeter while they gain experience and understand how to operate under the Zero Trust model.
Many Federal agencies are also concerned with managing classified information during telework. As to keeping classified information classified during telework, Franks said, “I wouldn’t say it was impossible.” However, she did acknowledge that there were some delays at the start of the pandemic with how GAO was going to approach classified information.
She said since then, agencies have worked internally, as well as with congressional staff and private sector partners, on how to approach conducting business across the government. She said many efforts were suspended – and some remain suspended – to ensure security. But agencies have taken steps to safely allow employees to work with classified information. The GAO has started allowing individuals on a case-by-case basis to have access to the field office or headquarters office where they reside to conduct some of the work in-person.
As agencies look to conduct classified work at home, she said it is critical to streamline agency initiatives to practice good cyber hygiene, maintain strong vulnerability management, and look at essential network visibility. She also stressed that employees need to consider what threats exist in their home environment, including smartphones, smart TVs, and gaming consoles. She said those devices could pick up audio and visual conversations on what workers may think are unclassified communications but are veering into slightly sensitive information. Franks said employees need to be careful that they aren’t “giving away some tools that the agency would like to protect.”