If U.S. adversaries such as Russia or Iran creep inside government computer networks, they could disrupt efforts to mitigate the virus by stopping or slowing down communications. They could also sow chaos by sending phony alerts about the virus to the government workforce or the public. The possibility of hundreds of thousands of government officials working from home is just another way American life is changing as covid-19 spreads, with schools, sporting events, Broadway plays and even Disneyworld closing.
“We’re moving into an environment in which there are inevitably going to be greater opportunities for malicious actors,” Suzanne Spaulding, who led the Department of Homeland Security's cybersecurity operations during the Obama administration, told me.
Federal agencies are trying to get ahead of any problems as telework is being encouraged, though not mandated at this point.
DHS’s Cybersecurity and Infrastructure Security Agency is working entirely remotely today to stress-test whether the agency will be up to the job “if CISA-wide telework becomes necessary in response to the outbreak,” spokeswoman Sara Sendek said.
All employees at NASA and a number of U.S. Air Force workers performed a similar telework experiment last Friday.
But the government has never attempted to work remotely on anywhere near this scale before. At DHS alone, as many as 240,000 workers could be asked to work remotely; the CISA test alone involves 3,500 people.
“We’ve made progress, but we’re not where we ought to be … I have a lot of concerns,” Greg Touhill, a retired Air Force brigadier general who served as the nation’s first federal chief information security officer during the Obama administration, told me.
Officials at DHS and the Pentagon had not responded by Friday morning to a series of questions I sent about their plans to manage security remotely.
Among the problems is government employees working at home or in coffee shops could be vulnerable to a range of hacks — especially if they’re dialing into official networks using personal devices that haven’t been vetted and may not be patched against the latest bugs.
They could also be using public WiFi networks that aren't secure against hackers. And they'll be more vulnerable to phishing emails and texts that look legitimate but actually contain malicious software. For example, hackers could pretend to be an employee's boss or co-worker who's locked out of a government email system and so is using a personal Gmail account.
The government has been prepping for a disruption like this since at least the Cold War era. And it has made substantial progress outfitting employees with government-issued laptops, phones and tablets they can work from home and travel with as telework has become more common in recent years.
But even many tech-savvy agencies have never dealt with all the cybersecurity problems that can arise when an entire agency is working remotely.
“The government's in a much better position than even five years ago. [But] I don't know if anybody is fully prepared for this,” Phil Reitinger, a former top DHS cybersecurity official who now leads the Global Cyber Alliance, told me. Reitinger's organization offered five tips to stay secure against hacking while working remotely.
Doing their jobs will also be far harder for people who do highly classified work.
Some top government officials have secure workspaces — known as Secure Compartmented Information Facilities, or SCIFs — set up inside their homes and have phones and tablets they can use to read and respond to classified documents.
The vast majority of government employees, however, simply can’t do classified work outside a highly secure building managed by the government. That means at least some of them will have to go into work no matter how bad the pandemic gets — perhaps with fewer co-workers so they can keep enough distance between each other to reduce the chances of the virus spreading, Spaulding told me.
And that could mean there are fewer people defending government networks if adversaries ramp up their attacks.
“This just creates an opening for malicious activity of all kinds,” she said.
PINGED, PATCHED, PWNED
PINGED: Facebook and Twitter disabled a Russia-linked disinformation campaign designed to stoke racial tensions among African Americans, my colleagues Tony Romm and Craig Timberg report. The operatives used the same tactics deployed by Russian agents during the 2016 presidential race, stoking fresh alarm about Russian influence operations ahead of 2020.
The posts pushed themes of black pride, racial oppression and police violence but did not focus specifically on the 2020 elections or any candidates, Nathaniel Gleicher, the head of security policy at Facebook, told my colleagues. The pages amassed hundreds of thousands of followers before the companies shut them down yesterday.
The operation was conducted by a mix of phony accounts and accounts run by real people in Ghana and Nigeria who amplified their messages. Many of those people were apparently duped into thinking they were aiding a non-governmental organization, the social media companies said.
The strategy is a notable departure from Russia’s 2016 playbook that lawmakers say should raise serious concerns.
“The potential use of cutouts on another continent meant to mask Russian connections is a startling signal that our adversaries continue to pursue new and inventive ways to cover their tracks and evade detection,” Rep. Adam B. Schiff (D-Calif), chairman of the House Intelligence Committee, said in a statement.
PATCHED: Hackers are leveraging fear of the coronavirus to unleash a slew of new digital attacks, my colleagues Craig Timberg and Tony Romm report.
In one case, a group of Chinese hackers used a fake document from the Mongolian Health Ministry to trick users into sharing their personal information, researchers at the cybersecurity firm Check Point found. Other researchers have found instances where hackers loaded malicious software into maps plotting coronavirus infections, World Health Organization reports and instructions for accessing government benefits. Hackers have even started created ransomware-laced apps to take over users' mobile phones, researchers at DomainTools reported today.
PWNED: President Trump signed legislation yesterday that probably will force rural telephone and Internet providers to rip out and replace gear from the Chinese telecommunications firm Huawei, which officials warn could be a conduit for Chinese spying.
The bill doesn’t, however, include any funding for the rip-and-replace operation, which experts estimate could cost more than $2 billion.
“This funding is essential to successfully transition communications networks — especially those of small and rural carriers — to infrastructure provided by more trusted vendors,” Federal Communications Commission Chairman Ajit Pai said in a statement that otherwise praised the bill.
The bill, which doesn’t directly mention Huawei, prohibits the FCC from subsidizing purchases of telecommunications equipment deemed a national security risk. Lawmakers from both parties praised the law as a major step in steering American telecommunications companies away from Huawei and another Chinese telecom, ZTE.
“Today marks an important victory for our economy and national security,” Sen. Roger Wicker (R-Miss.), chairman of the Senate Commerce Committee and a lead sponsor of the Senate version of the bill, said in a statement.
Separately, lawmakers from both parties introduced legislation yesterday that would use a tool designed to fight terrorism to block Huawei from access to the U.S. banking system.
— The nonprofit U.S. CyberDome, which helps protect political campaigns against hacking, launched the first information sharing and analysis organization for campaigns.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
Apple recently said it is okay to use Clorox disinfectant wipes on your iPhone, reversing previous advice. Just don't use aerosol spray.