NSA outlines requirements for secure collaboration services for US government telework

June 26, 2020

Recently, the NSA published guidelines for secure collaboration services for telework. Due to COVID-19 concerns, many United States Government (USG) personnel must now operate from home while continuing to perform critical national functions and support continuity of government services. With limited access to government furnished equipment (GFE), such as laptops and smartphones, the use of commercial collaboration services on personal devices for official use has become somewhat unavoidable. However, the sudden surge in the use of some remote teleconferencing and messaging tools triggered a cascade of security issues, which have caused many organizations to move away from those products almost as fast as they came on.

Across all sectors, the rush to communication and teleconferencing solutions during the COVID-19 pandemic has intensified another, pre existing global pandemic called “Shadow IT” - the relentless urge for individuals on the front lines of an organization to find their own solutions to information technology problems, often beyond management’s reach (i.e. on personal devices) and often in violation of organizational security policy. Given what’s happened in the past months, I think it’s fair to say this problem just got a lot worse.

For the military, the stakes are higher. What others see as personal privacy issues the Pentagon sees as operational security issues. Take, for example, the use of seemingly harmless consumer-grade entertainment app TikTok, which was feared could be used by a foreign government to spy on service members. Or, fitness app Strava, which even though it was installed primarily on personal devices, still provided location-based features that could be leveraged by malicious actors to locate secretive military bases and patrol routes and even track soldiers from these locations back home. Simply put, your average consumer-grade social networking or messaging service is not built to address the security and privacy needs of the federal government or other serious business - it’s built to exploit the mountain of user data it collects as a condition of service.

The antidote to Shadow IT? Guidance. I have to say I cringed a little when the Department of Health and Human Services (HHS) decided to waive penalties against medical providers who use remote communication solutions that do not comply with HIPAA privacy and security regulations. Not that anything should get in the way of saving lives, of course, but those of us in the information security business know that security threats don’t respect timeouts for national emergencies. In fact, based on what we’ve seen, the scammers of the world exploit every crisis they can and the weakest among us to perpetrate their schemes. Shameful, but true. I would much rather have seen HHS issue supplemental guidance focused on helping medical providers inexperienced in remote patient care find appropriate tools. It is, after all, patient information that’s at risk when providers reach for insecure solutions.

I believe that desperate times call for rational measures, not desperate measures. In that vein, the new NSA guidelines are a breath of fresh air. They don’t just offer conclusions, they provide a thought process and key measuring sticks to help the reader independently assess the security worthiness of teleconferencing products. They are technical to a point, for example to explain the merits of end-to-end encryption vs. traditional encryption, but speak well to the non-technical too, with simple tips like ensuring you can control who connects to a meeting. And, while they’re aimed at U.S. government employees and military service members, they’re universal enough to be just as useful to those in the private sector.

This kind of advice is sorely needed right now. Millions of people are facing the challenge of working from home under the significant stress of managing their family’s safety, supplies and sanity. More people working remotely means a larger attack surface for cybercriminals and nation states to exploit. While some military branches and federal agencies are ahead of the curve, for many others, best laid plans in preparation for such a contingency went out the window weeks ago, and it’s a fair bet that in the scramble for those decision-makers to find the tools necessary to remain productive, security risk may not have been top of mind. The NSA guidelines come at the right time and remind us that crunch time is the time to be doing security better - not worse. Regardless of where we are or how we got here, it’s never too late to get back on track.

Chris Howell is Wickr’s co-founder, co-author of numerous patents for Wickr’s underlying technology and CTO responsible for technical strategy, security architecture and product design. Prior to Wickr, Chris spent nearly a decade in law enforcement with the NJ Office of the Attorney General/Division of Criminal Justice specializing in computer crime investigation and forensics. He also spent several years in the private sector, working in information security and incident response with Pershing and in application security consulting with Aspect Security. Chris graduated from Rutgers University with a B.S in Computer Science and Administration of Justice and received a M.S in Information Assurance from Capitol College in Maryland. He has earned a CISSP and various other industry certifications and has served for more than ten years as an Adjunct Professor at the New Jersey Institute of Technology, teaching courses ranging from Computer Security to Digital Privacy.

In today's world of growing dependence on digital landscape expansion, companies are becoming more reliant upon cloud-based security services that protect both the company and customers they service.

Join a fast-paced webinar on October 7 when 3xLOGIC’s experts discuss the many advantages of cloud surveillance. Learn why end users are demanding cloud solutions, and how this can empower business owners to view, manage, and share video from anywhere, at any time, on any device.

Poll

Which metric comparing peer organizations to yours would be most beneficial for your security program?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

NSA outlines requirements for secure collaboration services for US government telework

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

NSA outlines requirements for secure collaboration services for US government telework

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.