As large numbers of state workers migrate to remote work, chief information security officers are adjusting the best they can. Staying vigilant against evolving threats and learning from past experience are key to survival.
This is the first in a multi-part series looking at how COVID-19 has affected cybersecurity for state agencies.
With COVID-19 forcing states to take their workforces remote, chief information security officers (CISOs) are now faced with a unique set of challenges. Government Technology caught up with several state CISOs to understand how their jobs have changed since the onset of the novel coronavirus pandemic.
A number of states were better prepared for the jump to remote work due to pre-existing telework programs. In recent years, both a desire to cut down on carbon emissions and spend public dollars more efficiently has driven state governments to invest in such programs: two examples are Washington state and Utah.
Washington state, which was initially hit hard by the COVID-19 outbreak, had identified telework as a means of reducing carbon emissions as early as 2012, after a report from the state's Department of Transportation on commuter reduction said so. In 2014, Gov. Jay Inslee signed an executive order aimed at expanding telework and flexible hours, which laid the foundation for an expansion of a remote workforce.
"Washington was one of the few states where telework was already highly encouraged. I think that helped us very much in this situation, because many folks, many agencies, were already used to it,” Washington CISO Vinod Brahmapuram said.
Utah, meanwhile, launched a telework pilot program in 2018, also aimed at reducing daily commutes. The program, which only had 137 participants when it began, eventually grew to a statewide program involving over 2,500 workers. When COVID-19 struck, the government had already been given the opportunity to build out associated infrastructure, said Phil Bates, state CISO with Utah's Department of Technology Services.
"We had already started doing a number of initiatives associated with remote working," said Bates. Those initiatives included issuing vital items — like laptops and tablets — to workers, growing VPN pools, and educating staff about best practices.
"That really helped us a lot because we already had a lot of the infrastructure and processes in place... It was just a question of adding a whole lot more people to it," Bates explained.
At the same time that CISOs have had to quickly stand up security for large groups of remote workers, they've also faced a surge in the malicious activity that has accompanied the COVID-19 crisis. Experts have warned that increases in social engineering attempts, virus-related lures and ransomware should all be considered possibilities.
David Allen, state CISO with the Georgia Technology Authority (GTA), said that his agency has witnessed an undeniable uptick in interest from bad actors.
“This crisis has presented some challenges across all IT fronts. When your capacity is built around a certain concurrent number on any given day and now 100 percent of your workforce is remote, that puts a certain stress on the technology," he said. "From a security standpoint, in the beginning it was kind of business as usual. But now as we enter the third week or so we’ve seen a lot of increased activity; we’ve seen increased phishing campaigns against employees, a lot more scanning activity against networks.”
Bates has seen similar increases in Utah.
“We get anywhere from 1 billion to 1.4 billion scan attempts on our network per day. But that's been ramping up since this [COVID-19] has happened over the past couple weeks. I think we hit 2.1 billion last weekend,” he said.
“A threat actor always tries to exploit the weakness in a human or the weakness in a device,” Brahmapuram said. “There’s a lot about the pandemic that is unknown. That is such a great angle for these hackers to exploit, because they can try to tell people that they have information... It’s heart-breaking to me, because... they are being very inhumane in how they exploit this situation.”
But past mistakes have hopefully helped prepare governments to be extra vigilant. In Georgia, which has seen multiple attacks in the last several years — the city of Atlanta spent $2.6 million to recover from a large ransomware attack in 2018, and a rash of similar malware attacks hit the state's court system last year — Allen said he hopes that previous brushes with ransomware have hopefully made the state workforce wary enough to follow best practices.
“In reality, we got hit pretty hard with ransomware over the past year and so this has really just reinforced some of those good habits that we’ve been impressing upon our users over the past 12 months," he said. "It’s been an opportunity to reinforce some of those lessons and take some of those skills that they learned on our corporate networks and take them home to their home networks.”