Millions of Americans are Suddenly Working from Home. That's a Huge Security Risk
The dramatic expansion of teleworking by US schools, businesses and government agencies in response to the coronavirus is raising fresh questions about the capacity and security of the tools many Americans use to connect to vital workplace systems and data.
At one major US agency, some officials have resorted to holding meetings on iPhone group calls because the regular conference bridges haven't always been working, according to one federal employee. But the workaround has its limits: The group calls support only five participants at a time, the employee noted.
"Things have worked better than I anticipated, but there are lots of hiccups still," said the employee, who spoke on condition of anonymity because he is not authorized to speak on the record.
Meanwhile, as of last week the Air Force's virtual private networking software could only support 72,000 people at once, according to a federal contractor who was also not authorized to speak on the record, and telework briefing materials viewed by CNN. The Air Force employs over 145,000 in-house civilian workers, and over 130,000 full-time contractors.
Change in routines can create new opportunities for hackers
As they increasingly log on from home, Americans are having to meld their personal technology with professional tools at unprecedented scale. For employers, the concern isn't just about capacity, but also about workers introducing new potential vulnerabilities into their routine - whether that's weak passwords on personal computers, poorly secured home WiFi routers, or a family member's device passing along a computer virus.
"All it takes is one of their kids to get [electronically] infected and it spreads inside the house," said Marcus Sachs, a former vice president for national security policy at Verizon.
From there, experts say, malware could easily jump from an employee's compromised machine into a connected office network.
Experts recommend brushing up on digital hygiene and safety tips as opportunistic criminals seek to exploit the coronavirus crisis. According to the Seattle-based information security company DomainTools, hackers are increasingly creating coronavirus-related websites, apps and tracking tools meant to lure those who are simply seeking information - but which actually spread malicious software that can lock your device.
A big test for government computer systems
Meanwhile federal officials, many of whom are already overloaded as they scramble to coordinate the government's response to the coronavirus, are increasingly being asked to log on remotely. In 2017, just over a third of federal employees teleworked, according to US government statistics. Over half did not, either because they weren't approved for it or because their job requires that they be physically present.
This year, those numbers may shift dramatically.
"I'm sure every agency right now is scrambling to load-test their VPNs and access points to make sure not just 10 or 20 percent of their workforce can log on, but 70 or 80 or 90 percent," said the former chief information officer of a major US agency. "That will be a challenge, for sure."
Not all government agencies use VPNs exclusively anymore. As online storage and computing platforms have taken hold in corporate America, so too have they spread in government IT systems. Now, it's more common to see civil servants logging into cloud-based applications and services from wherever they are.
In 2014, for example, the Federal Communications Commission began transitioning to virtual desktops. That technology allows employees to do their jobs remotely from a digital workstation that exists purely online. All they need to do is log in, and it's as if they're sitting at their usual desks.
Experts note there are a significant number of Americans who will have a problem with telework because they lack a good internet connection at home. At least 25 million Americans, possibly more, do not have broadband at home, according to federal studies.
Others may not have access to office computing devices that they can take home with them - either because they were never expected to work remotely, or perhaps because their work may be extremely sensitive.
How the intelligence community is adapting
Among the federal workers most hamstrung by efforts to reduce their presence in the workplace are members of the intelligence community. Working on topics and systems that are classified makes it difficult at best to work from home, if not impossible.
"There are some very senior military and government officials who have the capability to do up to Secret [work] from their house, but we're talking about four-star generals and admirals and things like that," said Jamie Barnett, a retired US Navy rear admiral and senior vice president of government services for the secure communications firm RigNet.
"For other classified work, there's going to be limited facilities to be able to do that," Barnett added, "so that's going to take some grappling."
Agencies have already enacted safety measures and made leave policies more flexible. The Office of the Director of National Intelligence - which oversees 16 different intelligence agencies - says it is "reducing staff contact through a variety of options including staggered shifts, flexible schedules, and social distancing practices."
In a business that demands 24/7 attention, the agencies "are also developing and implementing appropriate response plans," an ODNI spokesperson added.
Dealing with COVID-19, however, "is a contingency for which the IC never prepared," said former National Intelligence Council chairman Greg Treverton.
Some who work in intelligence are contractors who, due to contract provisions, must physically report to a government facility and do their jobs under direct oversight, said the former CIO. It's possible those contracts may be reinterpreted in light of the coronavirus crisis, he said.
Intelligence officials certainly have technology and practices that would make them among the most digitally secure to work outside the office, but they're still exposed. In the best of times, for example, intelligence officials can't even bring their mobile phones into the workplace, recognizing the security risk that they are.
Working at home, "you get more vulnerable and you get much less efficient because you're being careful," adds Treverton, who said that for the country at large, the security issues associated with teleworking are an "enormous vulnerability."
Still, the rise of cloud computing means many workplaces are in a much better position for telework than they were even a few years ago.
"If this had happened five years ago, I would guess that a very, very large percentage of government employees would not be able to remotely access their systems or do anything from home," said Gordon Bitko, a former FBI chief information officer. "Today, that's definitely not true. I can't speak to every agency, but it's far, far greater than it was."