National Post

Teleworking bureaucrats hike government’s vulnerability

Ottawa running its departments from staff homes

- Christopher Nardi cnardi@postmedia.com Twitter.com/Chrisgnardi

As more and more bureaucrats are working from home and told to stay off government networks when possible, cybersecurity experts warn that the federal government has never been more vulnerable to threats.

“The sudden burst of people working from home is a time of opportunity for threat actors, and you can bet your bottom dollar they’ll be taking advantage of that if they can do so,” said David Masson, director of Enterprise Security at Darktrace, a company specializing in cyber AI defence.

Those “threat actors” can be anyone from local hackers who want to infect your computer in order to hold your data ransom, to foreign states (such as China or Russia) trying to steal government secrets.

Since mid-March, most federal departments are asking staff who were sent home to stay off internal servers if they aren’t working on core or critical services.

That’s because most ministries have significant limitations on how many people simultaneously can access work servers from outside the office. Thus, public servants working on “essential” services with either classified or sensitive information have priority access to the federal Virtual Privacy Network (VPN).

So bureaucrats working with non-sensitive information or documents are encouraged to use non-government tools to do their jobs. Those range from cloud-based options such as Google Docs to, in some cases, their personal emails.

Though they are told to use governmental devices when possible, some public servants are also allowed to use their own computers or phones if their department cannot provide one.

“When dealing with unclassified, non-sensitive information, TBS promotes open access to modern tools, including access to external tools and services,” Treasury Board Secretariat spokeswoman Bianca Healy said by email.

“Private services are only to be used for unclassified, non-sensitive discussions that would be otherwise permitted in an open, public setting,” she added.

That openness to non-government devices and services stunned cybersecurity expert Steve Waterhouse, who described it as “irresponsible.”

“Underline it, put it in bold and in italics: do not follow that procedure,” said Waterhouse, the former Information Systems Security Officer with the Department of National Defence. “The government has never been as vulnerable as it is today because everyone is working outside of the office.”

Though a vast majority of bureaucrats will respect IT and confidentiality directives, both Masson and Waterhouse said that a private home is chock full of vulnerabilities that cybercriminals can use to crack into a public servant’s network and, eventually, the government’s systems.

“Up until a few weeks ago, let’s say a government department had 300 people working in one place in a building. That basically means there is one place in the threat landscape for the bad guys to attack,” Masson said.

“Now, those 300 people have left the building and are working from home. So the threat landscape has increased by 300 new opportunities to find a way in to the actual organization. At the office, everything to stay secure is in one place. But now, all that has gone out the window. The security you expect at HQ doesn’t exist in your own home,” he added.

Personal internet and WiFi routers were the first and biggest vulnerability identified by both experts. In many cases, they say, users rarely change the default password, if there even is one.

To help prevent hackers from easily breaking into a bureaucrat’s home network, both Waterhouse and Masson recommended the government provide essential workers with a protected router that should be dedicated solely to work devices.

“This is a time of opportunity for threat actors. There is a lot of malware that is going to land on a lot of devices because of what came from home. At some point, everyone is going to go back to headquarters and the threat that grew outside of their systems is now being brought inside,” Masson said.

Sensing the increased danger from threat actors, Canada’s Communications Security Establishment (CSE) has published a series of guides to help public servants secure their communications while working outside the office. A spokesperson also said they are actively monitoring any cyber threats that target the government or Canadians.

“While some types of non-protected work such as training or research can be done on personal devices, government of Canada employees have been consistently reminded that activities requiring secure communications must be limited to approved government devices and networks,” CSE spokesperson Ryan Foreman said by email.

“For example, the Zoom conferencing tool has not been approved for any government discussions that require secure communications,” he said.


GAVIN YOUNG / POSTMEDIA NEWS Peter Lougheed Centre staff in Calgary, Alta., wait to screen “essential visitors” at the hospital on Tuesday.
