Coronavirus tests states’ cybersecurity, IT supply chains
State governments emptying out their offices amid the ongoing coronavirus pandemic is sure to raise pressure on chief information officers responsible for making sure technology-dependent operations continue relatively seamlessly, even as government workforces adapt to the unusual circumstances.
Already, tens of thousands of employees in multiple states have been told they can work remotely to reduce the risk of spreading the virus, with more governors expected to grant those permissions this week, including possibly California Gov. Gavin Newsom, who leads a statewide payroll of 233,000 workers.
But a sudden surge in the number of government workers reporting from home is almost guaranteed to strain IT resources, and will require CIOs to think strategically about how operations will continue as close to normally as possible, said John Evans, a former chief information security officer for the state of Maryland.
“You typically don’t anticipate there’s going to be 100 percent of your workforce that’s going to be teleworking for an extended period of time,” said Evans, now the chief technology adviser at IT services integrator World Wide Technology. “You don’t think about something at this scale and for this long.”
Evans said government networks will have to become more resilient during an extended telework period, especially as their bandwidths for processing data are tested. He suggested organizations consider expanding their use of cloud and hybrid processing platforms “for some bursting capabilities as loads spike.”
‘Beyond just the people’
The National Association of State Chief Information Officers, which recently republished a 2007 document on pandemic planning, issued new guidance to its members Friday on how to prepare themselves and the organizations they lead for the COVID-19 crisis. The 2007 document was written at a time when CIOs were, in the words of NASCIO Executive Director Doug Robinson, mere “plumbers,” rather than the government business leaders they’ve become today.
NASCIO’s coronavirus briefing reflects how CIOs’ roles have changed over the past decade, though it still warns that state IT agencies’ supply chains may not be ready to handle a rapid increase in the amount of remote work employed.
“The impact of a pandemic on the state IT organization goes beyond just the people, process and technology aspects,” it reads. “On a larger scale, with the new operating model of the state CIO as a broker of services rather than a provider of services, the CIO must understand the impact to the logistics of contractors and suppliers outside of the state IT organization who may also be experiencing a high rate of employee absenteeism, and potentially greater demand for their services.”
In Ohio, where last week Gov. Mike DeWine ordered many of the state government’s 51,000 employees to work from home if they can, CIO Ervan Rodgers has said his team is leaning more heavily on its virtual private network and Microsoft Office 365 suite of online productivity applications.
“We’re making sure we put the appropriate technology in place to support [DeWine’s] needs,” Rodgers told StateScoop. “A lot of our applications are web-enabled, which is really helping.”
North Dakota CIO Shawn Riley said about 50 percent of his state’s 8,500-person government is already “remote-capable,” but that many in the remaining half may not be ready for the sudden adjustment. That could test the relationships an agency like Riley’s North Dakota Information Technology Department has with other state agencies, as workers not used to remote service adapt.
“Governments are very high on their relationship aspect of their processes,” he said. “While that can work really well when you’re in a building, it is not nearly as easy to do when you’re decentralized.”
The new NASCIO planning document echoes Riley’s concern, noting that IT organizations will need to augment their help-desk capabilities, either through additional contract workers or virtual assistants like chatbots. But even before expanding their support services, IT organizations may have to give workers in other agencies crash courses in the technologies that make remote government work possible, such as voice-over-IP telecommunications and video conferencing platforms like Zoom or Microsoft Teams.
“These systems have a host of advanced features and capabilities that are probably unknown to most of the state government workforce,” the document reads. “State workers have little experience working remotely with advanced configurations and call forwarding to smart phones. Pre-configuration, guidance and end user training will be required.”
‘There can’t be a sacrifice’
But even with all the preparations for extended, widespread remote work, there’s still a big, lingering issue, said Evans, the former CISO.
“Coming out of the cybersecurity side, I see a potential huge impact,” he said. “Adversaries will look to some other impactful event as opportune to launch a cyberattack. Assuming people may be diverted from doing their due diligence, the potential impacts could be greater than ever in the past.”
Already, nation-state and criminal hackers have started tailoring phishing campaigns to prey on coronavirus fears, and at least one public-health agency, in Illinois, has fallen victim to ransomware as it tries to warn its public about the COVID-19 threat.
“Things like basic cyber hygiene need to be at a forefront,” Evans said. “Purchase some additional firewalls and get them to support increased VPN traffic.”
Evans said the next few weeks and months will require a closer — if not physically — working relationship between cybersecurity professionals and the rest of the IT workforce. Riley, the North Dakota CIO, said his staff is implementing “an explosion of multi-factor authentication” so government workers can access their applications and files from home securely.
“It’s going to have to be hand-in-hand,” said Evans. “Operations in cyber are going to have to be more communicative than ever. Can’t have any dysfunction between internal groups. There can’t be a sacrifice of cyber.”
Colin Wood contributed reporting.