CIO

Federal CISOs seek security standards to prevent breaches

Federal adoption of telecommuting has lagged far behind goals
  • Tim Greene (Network World)
  • 04 October, 2007 08:54

Despite official urging, telecommuting within US federal agencies is languishing, in part because standards for how to secure mobile endpoints don't exist -- mainly the laptops telecommuters would use when outside the office.

Federal CISOs, who are aware of data breaches in both the public and private sectors that have compromised personal information of thousands of people, say that security of laptops -- the key to most telecommuter programs -- is their biggest worry.

At the same time, government managers face existing federal laws dating back to 2000 that mandate telework programs. In addition, they are under new pressure to move more government workers into telecommuting programs in an attempt to dramatically boost the number of work-at-home employees.

Some government CISOs say the best course of action is to follow best practices set down by the National Institute of Standards and Technology (NIST) -- the closest thing to certification available.

NIST recommendations include basics such as installing, running and updating antivirus software; periodically scanning machines with spyware-removal software; and adopting a "paranoia level" of security awareness when writing personal firewall rules.

NIST also encourages encrypting data both at rest on laptops and in transit, and having the ability to remotely lock down laptops reported lost or stolen -- good advice, but not as formal as top federal network security executives want.

The General Services Administration (GSA) -- which has championed telecommuting for years -- has set a high bar for its own program. At a recent forum run by the industry group Telework Exchange, GSA administrator Lurita Doan called for a dramatic leap in telecommuting for her agency by the end of 2009.

With just 10 percent of GSA staff telecommuting today, she set goals of 20 percent by year-end and 40 percent by the end of 2009. According to published GSA estimates, just 4 percent of federal workers overall telecommute today.

The U.S. Office of Personnel Management breaks that down further, saying that of those who telecommute, only a quarter of them do so three or more days per week, and 39 percent do so less than once a week but at least once a month.

While other factors weigh into the slow adoption rate, a recent survey of federal CISOs found that 63 percent say securing mobile devices used at home is their top data-security priority, but that they have no way to know whether their precautions are adequate.

The overriding problem federal CISOs face is that there is no official certification of mobile devices that assures them that the laptops they issue comply with the Federal Information Security Management Act (FISMA), which sets the security requirements that federal information systems, including telecommuters' equipment, must meet.

According to a survey by Telework Exchange, 83 percent of these CISOs want certification of what comprises a secure mobile endpoint. The survey is based on responses of 35 out of 117 federal CISOs.

They want secure machines but also want the security to work without much user intervention, a complication that could reduce willingness to telecommute in the first place. "Let's just face it, we as people just want access, we don't really care about security," says Dennis Heretick, CISO for the Department of Justice, at a recent forum on federal telecommuting.

As a result, his department issues work-only machines to telecommuters that are maintained by the department. They are locked down with rights-management software that blocks inadvertent copying of sensitive information.

Despite efforts to make working from home as painless as possible, federal agencies are mandated by FISMA to train telecommuters in securing their hardware, another barrier to some potential telecommuters.

For instance, the Department of Energy encourages working from home, but only 9 percent of employees do -- significantly short of the department goal of 15 percent, according to Rita Franklin, Energy Department deputy chief human capital officer. But the demographics of the department reflect a workforce that averages 49 years of age -- what she terms the dinosaur generation -- that is skeptical about telework, according to Telework Exchange's account of her presentation to the forum.

That is bad news for the Bureau of Engraving and Printing, which prints the nation's paper currency. Michael O'Leary, the bureau's program manager in operations support, says that offering work-at-home programs is partially intended to delay a "retirement tsunami" that could gut the agency of its most experienced workers.

Meanwhile, CISOs are directed to NIST recommendations for securing mobile devices. These include strong authentication and logging all activity by remote users and guarding those logs.

The guidelines also call for physical security such as cabling laptops in place if they are used in one location for a long period and establishing a procedure for reclaiming telecommuting gear if an employee is fired.

Training users is also key to any home-worker program, including education about risks and the proper use of security software, NIST says.

The recommendations call for layering two firewalls around each laptop: a software personal firewall running on the device itself, and a second, hardware-based firewall sitting between the device and the Internet. The hardware device can also terminate a VPN.

"Operating both a software personal firewall and a separate device provides the opportunity to screen out intruders and to identify any rogue software that attempts to transmit messages from the user's computer to an external system," NIST says.
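The second half of that NIST point -- the host firewall catching rogue software that tries to call out -- comes down to an egress allowlist: every outbound connection is matched against the executables and destination ports the agency permits, and anything else is a finding. The script below is an added example written for this page, not code from the article, NIST or any agency; the log format, executable paths, ports and policy are all made up for illustration.

```python
"""Egress audit for a telecommuter laptop's host-firewall log (added example).

Demonstrates the allowlist logic a software personal firewall applies to spot
'rogue software that attempts to transmit messages from the user's computer'.
The log format used here is constructed for the example; it is not any
vendor's real format. Policy entries are hypothetical.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical agency egress policy: lower-cased executable path -> ports it
# may reach on the Internet. Anything not listed is treated as unknown.
EGRESS_POLICY = {
    r"c:\program files\agency vpn\vpnclient.exe": {443},
    r"c:\program files\av\updater.exe": {80, 443},
    r"c:\windows\system32\svchost.exe": {53, 123},
}

# Destinations inside the agency network are reached through the VPN tunnel
# and are governed by the agency-side firewall, so they are not audited here.
AGENCY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log. Fields: date time action proto src dst sport dport process
SAMPLE_LOG = [
    "#Fields: date time action proto src dst sport dport process (constructed)",
    r"2007-10-04 08:54:01 ALLOW TCP 192.168.1.20 203.0.113.10 49152 443 C:\Program Files\Agency VPN\vpnclient.exe",
    r"2007-10-04 08:54:05 ALLOW UDP 192.168.1.20 10.1.1.53 49153 53 C:\Windows\System32\svchost.exe",
    r"2007-10-04 08:55:12 ALLOW TCP 192.168.1.20 198.51.100.7 49160 6667 C:\Users\jdoe\AppData\Local\Temp\update.exe",
    r"2007-10-04 08:56:30 ALLOW TCP 192.168.1.20 203.0.113.20 49170 25 C:\Program Files\AV\updater.exe",
    r"2007-10-04 08:57:00 BLOCK TCP 192.168.1.20 198.51.100.7 49171 6667 C:\Users\jdoe\AppData\Local\Temp\update.exe",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    process: str
    dst: str
    dst_port: int


def parse_line(line):
    """Split one constructed log line into fields; None for comments/bad lines."""
    if line.startswith("#"):
        return None
    # The process path comes last and may contain spaces, so split at most 8 times.
    parts = line.strip().split(None, 8)
    if len(parts) != 9:
        return None
    _date, _time, action, proto, src, dst, _sport, dport, process = parts
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": int(dport), "process": process.lower()}


def audit_egress(lines, policy=EGRESS_POLICY, internal_nets=AGENCY_NETS):
    """Return a Finding for every permitted outbound connection that the
    egress policy does not account for: an executable not in the policy, or a
    known executable talking to a port it has no business using."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        # Blocked connections were already stopped; only what got through matters.
        if rec is None or rec["action"] != "ALLOW":
            continue
        dst_ip = ipaddress.ip_address(rec["dst"])
        if any(dst_ip in net for net in internal_nets):
            continue
        allowed_ports = policy.get(rec["process"])
        if allowed_ports is None:
            findings.append(Finding(n, "unknown executable", rec["process"],
                                    rec["dst"], rec["dport"]))
        elif rec["dport"] not in allowed_ports:
            findings.append(Finding(n, "unexpected port", rec["process"],
                                    rec["dst"], rec["dport"]))
    return findings


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.process} -> {f.dst}:{f.dst_port}")
```

On the constructed log this flags two connections: the unknown executable in a user's Temp directory reaching an IRC-style port, and the antivirus updater opening an SMTP connection it is not supposed to make. The blocked attempt is ignored because the firewall already did its job; a real deployment would ship those lines to the agency log store as well, since NIST's recommendation to log and guard remote-user activity is what makes this audit possible after the fact.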

Browsers should be configured to limit potential weaknesses such as plug-ins, Java and ActiveX, which widen the attack surface exposed to Web sites. Disabling or selectively removing cookies should also be considered, NIST says. Similarly, unused elements of operating systems should be disabled. Both Web browsers and operating systems should be kept up to date with patches.

Threats originating in e-mail also are a worry. For example, the Department of Justice has forbidden employees to use their work e-mail from their private home computers because securing e-mails as they crossed the wire and were stored proved to be too difficult, according to Heretick, the department's CISO, speaking at a Telework Exchange panel.

Security isn't the only hurdle or even the most difficult one facing telecommuting, according to the latest report to Congress from the U.S. Office of Personnel Management.

Concern about having enough people in offices to handle public demand is the top barrier to adopting work-at-home programs, cited by 73 percent of the 78 agencies that participated in a survey by the office. Next is an organizational culture bias against telecommuting, at 54 percent, followed by resistance from agency management, at 52 percent. Security came in fourth, with 44 percent citing it as a barrier.

The top four responses to these hurdles are training managers, training workers who telecommute, spending more on equipment and bolstering in-house marketing programs to make telecommuting seem more attractive.

The prime motivation for encouraging telecommuting for federal workers remains disaster recovery, which raises a whole separate set of concerns for government IT security planners. Not only will devices used at home have to be protected, but so will the applications they are accessing, and that set of accessible applications can change dramatically with a sudden spike of home workers resulting from an emergency. Possible scenarios include disasters that destroy government offices, transportation disruptions and widespread epidemics that quarantine the workforce.

That will mean somehow securely admitting workers to sensitive servers formerly banned from use by remote workers, Commerce Department CISO Michael Castagna said at a recent Telework Exchange forum.

"It's going to force us to rethink security on the fly," he said.