The need for telework due to the spread of the new coronavirus resulted in several unanticipated changes in cybersecurity policy and controls at the Transportation Security Administration, according to the agency’s top cybersecurity official.
As TSA employees started to work from home, the agency changed some policies and security controls that “we hadn’t really thought about” before telework started, said TSA Chief Information Security Officer Paul Morris on a FedInsider webinar April 2.
For example, the TSA “allowed folks to use their own keyboard, mouse and monitors connected to our PCs as long as they met certain guidelines,” Morris said through a spokesperson after the event. “These are things we would have not allowed a few months ago.”
According to Morris, across the entirety of the Department of Homeland Security, IT officials are “scrambling hard” to increase the amount of users that its virtual private networks can handle “without bringing down the entire enterprise from a component level.”
He also said the agency surprised some employees with recommendations for good cyber hygiene. For example, he recommended that employees turn off smart devices like Amazon’s Alexa, Google Home or iPhone’s Siri if they are in the same room where the employee is working, warning that the devices could be listening.
He also recommended that employees change their WiFi passwords, not email work to their personal devices and completely avoid using their home printers. He said he’s told employees not to use messaging apps, social media platforms or personal emails for business purposes.
“You have to really go out and remind folks that what we do is sensitive,” Morris said. “The nature of our business needs to be held within."
As for cybersecurity monitoring across the TSA’s network, Morris said the agency had to adjust its approach to monitoring the network as well as the digital traffic in the security operations center.
“The normal traffic patterns across our networks are different today than, say, last month — so we are adjusting our view and trying to re-baseline what should be normal," Morris said through a spokesperson after the event. “Our ability to interact (from a cyber perspective) with PCs that are connected to VPN [virtual private network] challenged us early on, but we were able to quickly remediate.”
Other federal agencies likely face similar challenges seen by the TSA as they work to accommodate mass telework for their employees. Many of the comments made by Morris are aligned with the telework cybersecurity recommendations released by the National Institute of Standards and Technology in March as the Office of Personnel Management began releasing work-from-home guidance. Morris credits the TSA’s success to leadership’s early and frequent communication with employees.
“At the need of the day, we have to keep our operations and missions going,” he said.