Recently, the NSA published guidelines for secure collaboration services for telework. Due to COVID-19 concerns, many United States Government (USG) personnel must now operate from home while continuing to perform critical national functions and support continuity of government services. With limited access to government-furnished equipment (GFE), such as laptops and smartphones, using commercial collaboration services on personal devices for official business has become somewhat unavoidable. However, the sudden surge in the use of some remote teleconferencing and messaging tools triggered a cascade of security issues, which caused many organizations to drop those products almost as fast as they had adopted them.
Across all sectors, the rush to communication and teleconferencing solutions during the COVID-19 pandemic has intensified another, pre-existing global pandemic called “Shadow IT”: the relentless urge of individuals on the front lines of an organization to find their own solutions to information technology problems, often beyond management’s reach (i.e. on personal devices) and often in violation of organizational security policy. Given what’s happened in the past months, I think it’s fair to say this problem just got a lot worse.
For the military, the stakes are higher. What others see as personal privacy issues the Pentagon sees as operational security issues. Take, for example, the seemingly harmless consumer-grade entertainment app TikTok, which it was feared could be used by a foreign government to spy on service members. Or the fitness app Strava, which, even though it was installed primarily on personal devices, still exposed location-based features that malicious actors could leverage to locate secretive military bases and patrol routes, and even to track soldiers from those locations back to their homes. Simply put, the average consumer-grade social networking or messaging service is not built to address the security and privacy needs of the federal government or any other serious business; it is built to exploit the mountain of user data it collects as a condition of service.
The antidote to Shadow IT? Guidance. I have to say I cringed a little when the Department of Health and Human Services (HHS) decided to waive penalties against medical providers who use remote communication solutions that do not comply with HIPAA privacy and security regulations. Not that anything should get in the way of saving lives, of course, but those of us in the information security business know that security threats don’t respect timeouts for national emergencies. In fact, based on what we’ve seen, the scammers of the world exploit every crisis they can, and the most vulnerable among us, to perpetrate their schemes. Shameful, but true. I would much rather have seen HHS issue supplemental guidance focused on helping medical providers inexperienced in remote patient care find appropriate tools. It is, after all, patient information that’s at risk when providers reach for insecure solutions.
I believe that desperate times call for rational measures, not desperate measures. In that vein, the new NSA guidelines are a breath of fresh air. They don’t just offer conclusions, they provide a thought process and key measuring sticks to help the reader independently assess the security worthiness of teleconferencing products. They are technical to a point, for example explaining the merits of end-to-end encryption, where only the meeting participants hold the keys, over transport encryption that terminates at the provider’s servers, but they speak well to the non-technical too, with simple tips like ensuring you can control who connects to a meeting. And, while they’re aimed at U.S. government employees and military service members, they’re universal enough to be just as useful to those in the private sector.
This kind of advice is sorely needed right now. Millions of people are facing the challenge of working from home under the significant stress of managing their family’s safety, supplies and sanity. More people working remotely means a larger attack surface for cybercriminals and nation states to exploit. While some military branches and federal agencies are ahead of the curve, for many others the best-laid plans for such a contingency went out the window weeks ago, and it’s a fair bet that as those decision-makers scrambled to find the tools necessary to remain productive, security risk was not top of mind. The NSA guidelines come at the right time and remind us that crunch time is the time to be doing security better, not worse. Regardless of where we are or how we got here, it’s never too late to get back on track.