Welcome to this week’s security newsletter. Let’s get started:
State CISOs talk about cybersecurity in the age of COVID-19. Security challenges have emerged as states expand their telework programs to allow staff to work from home. Some states are better prepared than others, thanks to early efforts to reduce commuting time and carbon emissions, reports GT’s cybersecurity reporter Lucas Ropek. Washington state has been pushing remote work options since 2014, when Gov. Jay Inslee signed an executive order to encourage telework and flexible working hours.
“Washington was one of the few states where telework was already highly encouraged. I think that helped us very much in this situation, because many folks, many agencies, were already used to it,” Washington CISO Vinod Brahmapuram told Ropek.
Utah has had a statewide telework program since 2018, involving more than 2,500 workers. When COVID-19 struck, the government had already been given the opportunity to build out associated infrastructure, according to Phil Bates, state CISO with Utah's Department of Technology Services.
Increasing the number of remote state workers has forced CISOs to move quickly with security provisions, as government, business and individuals have seen a surge in malicious activity that has accompanied the pandemic. Experts have warned that increases in social engineering attempts, virus-related lures and ransomware should all be considered possibilities.
David Allen, state CISO with the Georgia Technology Authority (GTA), said that his agency has witnessed an undeniable uptick in interest from bad actors.
“This crisis has presented some challenges across all IT fronts. When your capacity is built around a certain concurrent number on any given day and now 100 percent of your workforce is remote, that puts a certain stress on the technology," he told Ropek. "From a security standpoint, in the beginning it was kind of business as usual. But now as we enter the third week or so we’ve seen a lot of increased activity; we’ve seen increased phishing campaigns against employees, a lot more scanning activity against networks.”
Utah has seen a similar increase in phishing campaigns since the coronavirus forced the state to curtail office work. The state gets anywhere from 1 billion to 1.4 billion scan attempts on its network per day. “But that's been ramping up since this [COVID-19] has happened over the past couple weeks. I think we hit 2.1 billion last weekend,” said Bates.
Will surveillance be part of the new normal? Along with rapid and repeated testing of large segments of the population, a key component to reopening the economy during the pandemic will be tracking how COVID-19 spreads. Government and public health systems will have to track and monitor Americans as they get on with their daily lives.
Technology could gauge the spread of the disease and help identify and isolate the infected by pulling data from diagnostic testing labs and hospitals to mobile phone-based apps where individuals who are infected would voluntarily identify themselves to help others avoid contact.
For example, the state of Connecticut is considering a plan to ease the state and its economy out of its current shutdown that includes investing in not just more testing, but also measures to track and even confine those officially known to have COVID-19. This form of contact tracing has been recommended by a report from the American Enterprise Institute, but the word “surveillance” has entered the conversation, alarming privacy advocates.
Massachusetts has already made an investment in contact tracing, allocating $44 million and hiring 1,000 people to track the contacts of people who are infected.