The combination of a “high-profile event” and the “rapid change in computing habits” as increasing numbers of federal employees telework has created a situation ripe for hacking and data breaches, a CRS report says.
“Adversaries have a history of using high-profile events to entice and trick users. The coronavirus outbreak is no different. Adversaries are counting on users’ demand for the latest information, a desire to be charitable during a time of crisis, and the heightened public interest to improve the likelihood that a user engages with malicious websites, attachments, and emails,” it said.
There has been an increase in virus-related phishing attempts, it said, which try to get a user to click a link in an email, visit a malicious website, or download a compromised file in order to distribute malware to the user’s device or to trick the user into sending money to an illegitimate recipient. Such activity “is not limited to cyber criminals, but is also employed by nation-state actors, as well.”
“Hackers are not limited to compromising an end-user device. Some infiltrate home routers and other network infrastructure to reroute user web traffic from legitimate websites to illegitimate ones that distribute malware,” it said.
Meanwhile, “the rate at which agencies adopted a strategy of maximum telework in response to COVID-19 left little time for administrators to check their networks, improve policies, and apply updates. Employees are no longer accessing agency computing resources from inside agency facilities, with the physical security that comes with those facilities. They may be using unsecured home networks or devices (e.g., unpatched equipment) to access agency information.”
“Agencies may have had to increase network access rapidly to allow for maximum telework, without establishing, testing, and refining security measures to protect data. Even with security measures in place within an agency’s network, the proverbial ‘perimeter’ of the agency’s network is extended well beyond its baseline posture with many more employees teleworking,” it said, citing warnings from DHS and others about such risks.
The report added that it is not clear how well the shared cybersecurity services that agencies have increasingly adopted in recent years will operate “in an environment where agency information is being accessed through heavy use of virtual private networks (VPNs), information being accessed directly through cloud service providers, or through other arrangements.”
It added: “Adversaries may seek to compromise federal agency networks during this time of alternative data access. However, they may not need to attack the network itself. With so many users teleworking, an adversary may only need to compromise one or a few user devices, and then use their VPN connection to access agency information, appearing as legitimate traffic and network use to an agency’s internal defenses and logs.
“Other risks may arise if employees are processing federal information outside of a secured device-to-agency connection. If employees are using publicly available, internet-based applications and platforms to conduct their business, they may not be using the cybersecurity tools offered by the agency—potentially exposing government information to malicious actors.”