Remote work has very suddenly become a hot topic and an incredibly important capability in the midst of the country’s battle with COVID-19.
The ability for organizations and entire teams to work remotely can mean the difference between work stoppage and continuation.
Nobody feels this more strongly than the US government. Government agencies have some of the most stringent cybersecurity requirements for working remotely. And today, many are feeling the sting of having to slow or halt work because not enough of their employees have the necessary equipment to work remotely.
This event has made painfully clear how much needs to change with our country’s ability to continue work when people can’t physically go into an office. There are potential events, aside from a pandemic, which may result in similar circumstances.
Causes aside, it is clear that there will be long-lasting and systemic changes to the way government agencies, and the military itself, approach remote work in the future.
The current state of cybersecurity in the US government and military
There are many groups that this particular concern will affect. This includes military operators in all branches of the military, government agencies like the Department of Defense (DoD), and warfighting labs like the Defense Advanced Research Projects Agency (DARPA).
In each of these different areas, the overall approach to cybersecurity (and technology as a whole) is very similar, and each has the same pains. Understanding the current approach to cybersecurity helps us to see why change takes a long time and provides a bit of an explanation as to why we were less prepared than we should have been for remote work.
In the current environment, you have three major groups of people that have influence over cybersecurity or technology initiatives in some way or another.
First, you have the field operators (e.g. a technician on a ship) who are dealing with specific tactical problems. Their goal is simply to solve the problem that sits in front of them. When they want or need something, they have to identify their needs and send them up the chain of command to request a solution.
These requests then filter up to the Requirements and Acquisition groups within the specific Department or agency that the operator is a part of. It is the job of groups like this to set the overall strategy and policy for the implementation of new technologies for the entire organization.
For instance, the stated job of the Requirements and Acquisitions division of the Air Force Civil Engineer Center is “to develop and implement new technology and systems to address contingency airbase and fixed-base capabilities...to make sure that we are clearly developing our roles and responsibilities and to begin to craft coinciding business practices."
The second group of individuals that are important is the leadership of divisions like this. They are responsible for setting the strategy, and ensuring that they are serving the needs of operational processes across the entirety of the organization with the technology choices they make.
And finally, the third group of individuals is the engineers within these Requirements and Acquisition groups that are making the technical decisions behind the technology strategy. These are the individuals vetting the specifications of products and setting the technical requirements for which technology is selected (and how it is used) to meet a specific goal.
Cybersecurity decisions, in particular, can be difficult in a system like this because the goals of the field operators may be very much at odds with the goals of the requirements directorates.
And, because these two groups are so far removed from each other, they often don’t understand each other’s needs fully.
Further complicating matters is the fact that much of cybersecurity is outsourced, which lends itself to an even larger gap between those who are implementing the solutions and those who are actually using them in the field.
How is remote work approached in the government today?
Prior to COVID-19, government agencies would identify a core group of individuals that needed remote work capabilities for continuity of operations. This group was primarily selected due to a role that required them to be connected whenever they work from home or on the road, in the course of normal life circumstances.
Oftentimes, another deciding factor in allowing remote work for specific individual hinges on what kind of data they access in the execution of their job. The more sensitive the data, the less likely that they would be allowed to access it remotely.
Agencies might also have determined an additional percentage of staff that they might want to be prepared for remote work. In this case, they would have procured the equipment for an additional, say, 10% of their team to be covered. They might not have deployed or set-up all of this equipment, but would have had it available in case the need arose.
In most cases, the combination of the two groups above would have allowed for a percentage of a particular agency’s staff to be up and running remotely. The remaining staff would be placed on administrative leave and their work halted.
How the coronavirus has illuminated gaping holes in our current practices
As we are now experiencing with the spread of the coronavirus, we now have upwards of 80% of government staff that can’t come into the office, and there is nowhere near the infrastructure in place to support that percentage of staff working from home.
This means a very large percentage of them simply can’t work at all.
Because the overall strategy for securing devices for most government agencies relies solely on measures requiring government-furnished devices that must be brought on-premise for updates and maintenance, there has also been no way to quickly and effectively outfit additional workers at scale.
What will remote work for the government look like in the future?
Now that we’ve clearly seen where we are lacking, you can expect the government to make some widespread and lasting changes to reverse those issues in the months and years following COVID-19.
I would expect to see a few common trends influencing the changes we see in both government agencies and the military.
- There will more than likely be an audit into the shortfalls and gaps amongst Governmental Departments in meeting their missions and objectives the during the COVID-19 pandemic.
The National Security Strategy (NSS) outlines major national security concerns for the US and details how the government expects or plans to deal with them.
There currently is not a section on pandemic specifically, and that should be completely re-evaluated based on the learnings from this experience.
A Government Accountability Office (GAO) Audit will likely be conducted to understand what our gaps were in dealing with remote work for such a large portion of government employees and provide recommendations to Congress to fix them.
There will likely be new mandates that come out of this process that require government agencies to be set up to maintain a certain level of operability remotely in the event something like this happens again.
- Centralized Requirements and Acquisitions Divisions will be building strategies to increase the remote capabilities of their organizations.
Each division will have to look at their unique needs and work within the confines of the sensitivity of their data. But you will see a concerted effort from nearly all of them to find a way to mobilize a much larger remote workforce.
- New methods for achieving remote work will be evaluated.
As we have seen, our current methods for allowing government workers to work remotely are insufficient in times of crisis. What we will most likely see as a result of this pandemic is a re-evaluation of other methods for achieving remote work.
For certain applications or roles, we may see allowances for the use of non-government-provided devices, or BYOD (Bring Your Own Device).
We may also see a concerted shift to more cloud-based forms of cybersecurity and connectivity.
And we will definitely see an increase in the use of parallel systems that allow for secure connectivity through VPNs into the current core databases and networks.
How can government agencies begin preparing today for the changes ahead?
There are a few things government agencies can start to do right now to prepare for the changes, and make those changes easier when they come.
Gather Lessons Learned
The first thing you can be doing right now is gathering all the information on what isn’t working while we are in the middle of the pandemic.
It will be easy to forget or lose track of all of the problems you experienced once this is over, so documenting them now will make avoiding them in the future much easier.
You may even run some exercises with your team to collect all of their thoughts and brainstorm potential solutions right away.
Categorize Your Team
Start grouping your team into categories based on how important it is to have them able to work remotely.
Create priorities and assign them to correct members of your team so you understand the number of people that fit into each category.
Now you can start to work on putting in place different solutions for each category that make sense for the level of priority you have for them.
For instance, you might start with your core group of employees that you absolutely must have working at all times. They might have government-furnished devices with specific technical components to support their needs.
The next group, or ring, out may have a completely different solution. And the furthest out rings may have “in case of emergency” type solutions where you can provide them a piece of hardware or software that they can use to outfit their own personal devices for secure communications.
While a pandemic may have taught us that we needed greater capacity and secure ability to work from home, a secure remote work environment is incredibly important for government agencies even when a pandemic isn’t happening.
There are plenty of other situations that may require a large portion of the workforce to accomplish work outside of the office. So, building your strategy and creating plans of action to support that strategy is an incredibly important part of your disaster recovery plan.
One other very important part of this process is the end-users.
Keep in mind that the more difficult you make it for them to simultaneously be secure and easily do their job, the harder the adoption of remote work will be. So, look for ways you can make it as easy as possible to secure them remotely without changing much about the way they go about their work.