Homeland Security Watch

Federal News Radio continued its reporting yesterday regarding the Department of Homeland Security mandate for a department-wide telework and COOP review this week. The article quotes Elaine Duke, the Undersecretary for Management, saying:

We have some specific concerns about the potential of H1N1 to make its next surge in the United States, potentially next month, and this fall. One of the things we want to be ready for is potential absenteeism among our federal workforce. And with the telework week, we are asking that each employee who is on a telework agreement, who is on a telework agreement as part of our continuity of operations planning, or COOP planning, to telework, to test it, to make sure they have the right connectivity, the right equipment, to make sure they can work from home.

Teleworking to counter a pandemic is not a new idea. Indeed, the National Strategy for Pandemic Influenza Implementation Plan discusses how teleworking can help slow the spread of pandemic influenza through social distancing (i.e. coughing over the Internet or phone instead of face to face).  As telework.gov notes, the key to successfully using teleworking to fight off H1N1 (or any pandemic) requires a systematic approach to teleworking with roles and responsibilities understood by all.   DHS’s announcement this week is especially welcome as it is testing its agencies systems in a moment of calm instead of a time of crisis.

That said, as DHS and other agencies look to teleworking this fall, they should not only be testing for access and connectivity, but for security.  While security training and configuration have been key parts of the government’s telework program, it is imperative that they are stressed to the potential newbies who will be signing up to avoid the H1N1 spread. There is a level of trust when teleworking becomes the norm. That trust, with regards to security, requires extensive training and understanding of the “dos and don’ts” of being online.  The more people who sign up to work from home, the more risks of security breaches, whether from unencrypted data being stolen remotely off a compromised system or a laptop disappearing from the backseat of a car.

NIST has recognized the need for telework security. This past June it revised its guidance in the area in Guide to Enterprise Telework and Remote Access Security, Revision 1.  NIST noted in the Executive Summary:

The nature of telework and remote access technologies—permitting access to protected resources from external networks and often external hosts as well—generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access.

In its findings, NIST made the following recommendations to agencies on steps to take to ensure that employees and contractors have improved security for teleworking and remote access:

• Plan telework security policies and controls based on the assumption that external environments contain hostile threats

• Develop a telework security policy that defines telework and remote access requirements.

• Ensure that remote access servers are secured effectively and are configured to enforce telework security policies.

• Secure telework client devices against common threats and maintain their security regularly.

Given today’s increased cyber threat, these steps, while seemingly common sense, are critical, especially if we see an influx of new teleworkers.

Another issue to consider is whether the bandwidth for increased teleworking, especially in the DC area, is available.  The tests run by DHS this week are good but will not go to demonstrate whether bandwidth needs can be met if a significant number of government employees are working from home in the event of a pandemic.  On September 4, the FCC put out a notice on this issue, asking what kind of bandwidth and speed will be needed to support teleworking.  The notice also asked what is needed to support government workers at home in a time of emergency.  The FCC will use the comments and its findings as part of its National Broadband Plan, due to Congress on February 17, 2010.  Obviously, that plan will not be out before this fall’s potential H1N1 outbreak, though the telecommunications carriers have been preparing for this issue nonetheless.

While this post has focused on government’s systems,  the same issues are relevant to the private sector.  Like the government, the private sector has seen an increased reliance on teleworking to counter pandemic incidents.  Jeff Goldman wrote an interesting piece on this phenomenon on Wi-Fi Planet back in May entitled Pandemic Preparedness: Teleworking Best Practices, which details the steps to take for implementing teleworking.  Interestingly, one of the potential issues he points out is the need for enabling broadband access in remote locations.  Broadband and net neutrality issues, especially in a time of crisis, could fill a separate post but are especially worth noting given at Brookings yesterday by FCC Chairman Julius Genachowski on the topic.