Top Secret Telework
After a federal employee allegedly leaked a trove of confidential documents to anti-secrets website WikiLeaks, the government responded with tighter controls on information sharing. But hunkering down on unauthorized access to official data hasn’t necessarily disconnected teleworkers, say current and former federal security officials.
If information sharing and information protection can coexist then so can telework and data security, as evidenced by the actions of the Office of the National Counterintelligence Executive, or ONCIX, as well as the Defense Department and the Office of Management and Budget. In October 2011, President Obama issued an executive order directing agencies to retrofit classified networks with safeguards to stop intrusions and unauthorized downloads. An interagency insider threat task force, managed by ONCIX, was created to instruct departments on controlling employee access, even at off-site locations.
Task force members are looking at how to apply protections so that they don’t conflict with telework laws. ONCIX officials acknowledge the controls must comply with 2010 legislation that calls for harnessing technology to expand the remote workforce. Separately, the Pentagon is instituting congressionally mandated insider threat detection systems at its classified telework center in Virginia. And OMB released new baseline protocols for securing data when teleworking.
One possible reaction to the data-control policies would have been to say “no telework,” says Josh Sawislak, a former General Services Administration official who was responsible for cybersecurity and remote-work issues. But, he adds, “the administration is trying to fix the leak problem without causing collateral damage on telework.”
New protections could add complexity to a work style known for its efficiency, but no more so than with the widely popular cloud, according to Sawislak. Agencies are embracing cloud computing—logging on to off-site systems through either the Web or a classified network—for many of the same reasons telework is encouraged, he notes. “In the cloud environment, everybody is a remote worker,” says Sawislak, now a senior fellow at the Telework Exchange, a public-private advocacy group.
“Technology is not what’s keeping people from being able to work on classified information from a remote location,” he says, adding the main deterrents are the price of security tools and availability of accredited office space. “You’re obviously not going to sit in your living room with the highest level of classified information.” Nor would you want your most secret info lying around in a commercial cloud provider’s data center, he says.
ONCIX officials make the case that until the task force works out options, the only means of classified telework is the flexiplace concept—a more convenient work site that is government-run.
The Office of Personnel Management declined to discuss whether telework has or will decrease as a result of recent breaches, such as the WikiLeaks scandal. In response to questions, OPM officials referred to a summer 2011 OMB telework memorandum aimed at preventing security incidents that reiterates policies for protecting remote devices, such as the National Institute of Standards and Technology’s 2009 guidelines. The bulletin instructs officials to follow the procedures that best fit their needs.
The memo also sets a new threshold for managing remote workers. Federal telework policies now must spell out rules for controlling access to agency information, protecting the data and safeguarding employee-owned mobile devices used for work. Policies also must address “preventing inappropriate use of official time or resources . . . by viewing, downloading, or exchanging pornography, including child pornography.”
Defense spokeswoman Lt. Col. April Cunningham says the October executive order to tighten classified system controls isn’t necessarily making military telework more expensive or complicated. Most Pentagon teleworkers deal with unclassified materials that aren’t subject to special internal surveillance, she says.
Only the Defense Information Systems Agency operates a classified telework center. The facility, located in Woodbridge, Va., is for personnel who otherwise would have to endure the region’s notorious rush-hour traffic to reach DISA’s new headquarters at Fort Meade, Md. The agency relocated as part of a recent base closure and realignment initiative. “Our agency leadership is very supportive of telework, and the agency has implemented the tools, processes and policy to use it effectively and securely,” DISA spokeswoman Laura Williams says.
Technology at the telework center bans the use of CDs, jump drives and other removable storage devices. A tool called the Host-Based Security System blocks unauthorized applications and spots rogue systems on the network. This year, the Pentagon is rolling out special smart card tokens that personnel will need to sign on to the Secret Internet Protocol Router Network, which handles the military’s classified data. That’s the system Pfc. Bradley Manning allegedly tapped into to aid WikiLeaks. Military employees will need the tokens to log on at the telework center or any other workstation hooked up to SIPRNET. The added layer of protection is separate from a password, badge or smart card ID.
“Like all other computers that connect to the department’s secret network, the computers in the DISA telework center also comply with all DoD policies regarding the cybersecurity of classified systems, including DoD policies and procedures for the use of removable media on classified systems,” Cunningham says. Defense is “driving out anonymity and increasing accountability by giving a cyber identity credential to every DoD person and requiring their use on classified networks.”
According to Sawislak, opening more classified telework centers would reduce lengthy commutes, but so far they haven’t proved inherently useful. “In the past, the government contracted for a dozen or so telework centers without looking at the need or in great detail where they were located,” he says. “The goal to success in this area is to figure out the problem and find a flexible solution that addresses the problem at a reasonable cost that is outweighed by the benefits.”