May 29, 2020 | Newsweek

The Cyber Vulnerabilities of a Work-At-Home Government

A former federal executive, still working within a high level of the national security apparatus, recently had his home network hacked. He was working from home, as most Americans are these days. Rather than reaching out to the U.S. government, he reached out to us.

We run a small nonprofit cyber innovation lab. We became the first responders to what we soon understood to be a devastating cyberattack. We came prepared. Thankfully, we were able to rapidly deploy a “break-glass-in-emergency” remediation. It was not the most elegant of solutions, but it did the job—re-establishing connectivity for the house while mitigating the effect of any remaining malware and restoring basic essential functions like web, email and phone.

But this former executive is not alone. A vast cyber danger to national security has mushroomed almost overnight. Many senior government leaders, whose sensitive work comprises the richest prize for hostile intelligence services, have now been forced out of their secure enclaves and onto home networks that are much easier to attack and exploit.

Through public records and commercial data services, Russian, Chinese, Iranian and other hostile nation-state actors can easily locate the homes of U.S. government officials and employees. With targeted attacks, these nation-states can infiltrate these home networks. From there, they can steal data, eavesdrop on conversations and inject malware into these systems.

The pandemic has accelerated a trend of knowledge workers working from home, to put it mildly. Fortunately, the technology sector was ready, having long been aware of the economic and environmental benefits of telework. Companies like Twitter have such well-developed telework plans that CEO Jack Dorsey offered 100% of his workforce the option to work from home permanently.

In contrast, the U.S. federal government was caught flat-footed. Only 43 percent of its 2.1-million strong workforce is even able to telework. Only 26 out of 51 responding federal agencies in a 2017 Office of Personnel Management audit even have a telework playbook as part of their contingency planning operations.

Necessity is the mother of invention. A massive federal workforce is now working at home, and they are implementing policies on the fly. With few security measures in place, the United States government is dealing with its lack of cyber readiness in real time.

The U.S. government frequently lectures the corporate sector on being more “cooperative” in the realm of cyber defense. But we are learning now that the U.S. government may not be easily able to practice what it preaches. When senior federal government officials come under cyber attack at home (a vulnerability that existed well before the coronavirus situation), the government does not act with speed or agility to secure the location, preserve the evidence and remediate the damage.

Where the federal government actually mounts a response, the data needed to best understand the threat—and prevent it from continuing—may be lost during the investigation. Even when it is collected, it may never be aggregated amongst the relevant agencies for the comprehensive analytics needed to bolster the government’s cyber posture. And echoing the complaints that the federal government often heard from the corporate sector before the pandemic, when a government employee faces a home network attack, they are often left in the dark. Information is only shared in one direction; private data and information get surrendered to the government, but little feedback or help is offered in return.

The U.S. government must now ramp up its efforts to not only mitigate the threat, but to ensure that two-way communication thrives with both victims and those seeking to prevent cyberattacks. Pilot projects like ours might be able to help. But only the federal government has the resources and authority to deploy a response that matches the size of the problem.

What is needed—immediately—is a U.S. government cyber rapid-response force. It must be able to move quickly, in order to implement household-level cyber defenses. It must be able to scale up, given the staggering numbers of federal employees. And it must prioritize improvising something that works well today, rather than waiting for something that works perfectly tomorrow.

The pandemic has put America on its back foot. State-sponsored hackers know this, and they are actively prodding for ways to exploit it. Federal government employees with sensitive national security portfolios are unquestionably their top targets. They need immediate protection.

Dr. Michael Hsieh is the executive director of the Transformative Cyber Innovation Lab of the Foundation for Defense of Democracies (FDD), where Dr. Samantha F. Ravich is the chair of its Center for Cyber and Technology Innovation. FDD is a Washington, DC-based nonpartisan 501(c)(3) research institute focusing on national security and foreign policy. Follow their work on Twitter @FDD_CCTI.
