Commercial Solutions Could Help DoD Solve Teleworking Security Puzzle
The approximately 4 million Department of Defense employees currently working from home due to the pandemic have faced a unique dilemma: how should classified information be kept secure when employees have to use commercial solutions for teleworking? The DoD has traditionally relied on its own networks, such as the SIPRNET, for handling classified information, but this has become difficult as millions of employees transition to working from home. As a result, the DoD has increasingly turned to commercial teleworking solutions such as Commercial Virtual Remote, a DoD-specific version of Microsoft Teams. However, transmitting classified information over commercial platforms could potentially make the information vulnerable to malicious actors. For example, in an April 13th briefing, Lt. Gen. BJ Shwedo described a “surge” in spear phishing attacks, in which malicious actors attempted to gain access to secure information by sending emails that appeared to be from a trusted source but actually installed malware. While using cybersecurity best practices can mitigate the risk, the massive increase in people working from home on unsecure devices or platforms means that steps must be taken to prevent cyber vulnerabilities from being exploited.
Securing classified information on a commercial teleworking platform can be done in a variety of ways. Charlie Kawasaki, a cybersecurity professional, recently suggested that the DoD should adopt and expand the NSA’s “Commercial Solutions for Classified” (CSfC) program. CSfC allows commercial vendors to become qualified to sell products to the DoD by meeting a set of cybersecurity guidelines stipulated by the NSA. The program is mainly used to secure communications between the DoD and partner nations and communications in tactical environments. Kawasaki states that implementing CSfC standards so that commercial platforms can be used with classified information is the most cost-effective and feasible solution. This is already being done within the Air Force. As part of the Advanced Battle Management System, the Air Force Research Laboratory developed “deviceONE,” a way to allow remote workers to securely access classified information. deviceONE consists of three elements: a SecureView laptop that doesn’t allow the user to save to the hard drive or do much besides access a classified network; a Virtual Desktop Information system on the cloud servers at Pacific Air Force’s headquarters in Hawaii, which stores data and applications for the laptops so that they can be run remotely; and the CSfC program, which allows the SecureView laptops to connect to the Virtual Desktop Information servers in Hawaii.
While deviceONE looks promising, scaling the project up to accommodate everyone who needs to remotely access classified information might be a problem, and there are still potential risks. Expanding the remote end user base makes a breach much more likely due to the operational security risks that accompany remote access. Additionally, more end users could push the Air Force to the limits of its digital network capacity. The initial deviceONE batch only consisted of 40 machines, and Air Force acquisition czar Will Roper has stated that he hopes to deploy 4000 machines across the Air Force in the near future, which could pose a challenge as the DoD works to expand server capabilities. However, any solution to allow remote access to classified information could be subject to the same kind of hurdles. As the pandemic changes the way people work and interact with one another, innovative solutions such as deviceONE are going to be required.