Hackers Take Advantage of Mass Teleworking

Illustration: Getty

Adversaries are likely to exploit the widespread movement toward teleworking by government workers and federal contractors during the COVID-19 pandemic, experts warn.

Essye Miller, principal deputy to the Defense Department’s chief information officer, said because of the spread of the novel coronavirus, there has been unprecedented demand on the Pentagon’s network systems as employees work remotely. And with so many personnel working from home, there are cybersecurity risks.

“With the increased telework capability comes an increased attack surface for our adversary,” Miller said during a virtual townhall in March.

To mitigate that vulnerability, the Defense Department has developed a list of best practices for employees to use when working from home. Additionally, it has stood up a COVID-19 telework readiness task force, which meets daily to review and address various technical issues.

“The same practices that you use in an office environment need to convey to wherever you’re teleworking from,” Miller added.

Gen. David Goldfein, chief of staff of the Air Force, said enemies are already working to exploit the challenges created by the novel coronavirus.

“We are seeing … [adversaries] try to take advantage of this situation,” he said during an online event hosted by the Air Force Association in April. While remaining mum on specific details, he noted that the observation is especially true when it comes to information systems.

Peter W. Singer, a strategist and senior fellow at New America, a Washington, D.C.-based think tank, said the Pentagon — along with the rest of the government — faces steep challenges because it waited too long to prepare for the effects of the COVID-19 virus and how that could impact the workforce.

“What was coming was staring us right in the face,” he said. “The measures that were … needed were clear and obvious.”

However, the Defense Department and other federal agencies waited too long to come up with a tested transition plan for mass scale telework, Singer said.

There were ways agencies could have been more prepared, such as by implementing simple safety measures and running cyber “fire drills” ahead of time, he said.

“Just as you have fire drills for physical [threats], you need to have fire drills for networks,” he said. Very few agencies have ever run such an event, but the importance of them cannot be overstated, he added.

“It allows you to understand everything from overall network node [issues] … to people going, ‘Huh, I thought I’d have good WiFi, but I didn’t,’ or, ‘My expectation was that I would work from a coffee shop. I’m not maybe able to do that,’” Singer said. “It’s from the larger level all the way down to the bottom.”

The current telework situation, with its varying levels of security, creates “a target rich environment” for an adversary, he said. Obtaining access to a user’s account could lead to a treasure trove if the hacker is a foreign intelligence officer, he noted.

While such hacks certainly pose short-term risks, there are also long-term concerns, Singer said.

“If you are an adversary you may not use that beachhead now, you may just leave it there for future abuse,” he said. “The savvy one will just stay in there and use this at a future time.”

It is not just the Defense Department that is at risk, he added. The defense industry should also be on alert.

“That, of course, is wonderful for intellectual property theft or maybe planting something later on that can cause chaos,” he said.

In order to mitigate risks, the Pentagon’s workforce needs more awareness of cyber best practices and robust implementation of them, Singer said.

“The more people that are doing that, the easier it is for the network defenders,” he said. “Just like in public health, not everyone’s going to do it perfectly, but everyone that is is one less risk and more time for the defender to work on the most dangerous threats.”

The Defense Department will also need to embrace strong deterrence and make it clear to adversaries that there will be consequences for any cyber attacks, he said.

“You’ve already started to see discussions of that, not just related to the Pentagon network, but healthcare networks,” Singer said. “The messaging needs to be as loud and clear as possible, that we will interpret attacks on healthcare networks in this period in a way that attackers should not just think twice, but should not even think about it.”

Ainikki Riikonen, a research assistant at the Center for a New American Security’s technology and national security program, said practicing good cyber hygiene will be key to protecting networks.

“As people are going home, what devices are they plugging in? What applications are they using? What kind of access do all these different kinds of things have?” she asked.
Riikonen noted that the famous Stuxnet computer worm — which in 2010 targeted an Iranian nuclear plant and caused physical damage to centrifuges — was able to spread through a shared printer.

“Every device counts,” she said.

With the Defense Department seeing massive growth in help desk requests as personnel work from home, it is possible some employees may turn to non-approved, risky methods of getting work done, such as personal email or chat platforms. The Pentagon is working on a chat platform that should boost the ability of employees to telework effectively with an approved system, she noted.

Another area to watch out for is the way cybersecurity and misinformation are working together, she said. Many citizens are on high alert and sharing information with their networks without necessarily verifying it, Riikonen added.

“There could be an increased risk for spearphishing or phishing,” she said. “As people are stressed, they might be making poor decisions over what links they open, what information they believe.”

Topics: Contracting, Cyber, Cybersecurity