Work from Home in Government: A Cybersecurity challenge amidst COVID Pandemic

“Government employees may have to Work from Home”, “Government planning 15-day Work from Home for its employees”, “Work from Home to be new normal in government offices” – these are a few of the many headlines reported by various print and web-based news agencies as the Government of India prepares itself for a long stand-off with the COVID-19 pandemic, writes Dr Yudhishthira Sapru, Senior Consultant, Chandigarh’s State eGovernance Mission, National eGovernance Division (NeGD), MeitY, Government of India.

In the era of Digital India, almost all government organizations have IT resources which they use for public services. Various Central Ministries are already fully or partially using the eOffice platform (an online platform developed by the National Informatics Centre (NIC) for electronic processing of files). A few State Governments also have some solution in place to process government files electronically. Others are preparing themselves for a work from home (WFH) culture by taking their IT applications and processes out of the secured government environment.

Government organizations, especially those dealing with essential services including public health organizations, are perhaps the most critical in the midst of the pandemic, and their continuity is at the top of the priority list. Further, the prolonged lockdown in the wake of surging cases is compelling other government organizations to promote a WFH culture as well. IT teams are struggling to strike a balance between continuity and security. They have been challenged to meet the unprecedented and urgent demand for WFH, especially in the wake of increasing cyber-attacks.

As a part of the WFH culture, we are witnessing some never-before-seen events in government functioning. Government applications which were protected by proxy-firewalls are moving out of the government network for the first time. To facilitate WFH, user privileges are being relaxed. Of equal concern is that the personal laptops and mobiles of employees are increasingly being used to access critical resources.

With more and more people staying at home, the start of the COVID-19 pandemic has provided new ground for cyber-criminals to wreak havoc. According to a report by EUROPOL (a law enforcement agency of the European Union), the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied. The stage is set for cybercriminals to attack government infrastructure with increased ferocity and a larger number of vulnerabilities. Not surprisingly, we are already witnessing a growing number of DDoS attacks on public health infrastructure and ransomware attacks on government data, along with COVID-themed phishing attacks (like links to illicit donation websites), which are denting the confidence of government and citizens. According to a recent McKinsey report, WFH has opened a large number of cyber-attack vectors and government organizations are under acute pressure. An already stressed workforce is falling victim to social engineering.

In complete contrast to business functioning, government functioning was never designed for a WFH culture. In many organizations, employees are accessing their IT systems from outside the secured government environment for the first time. Many teething issues have started popping up, be they technical, procedural, or tactical. But what is concerning the authorities is the threat to cyber-security. However, there are multiple ways in which government agencies can take on these threats.

Technology interventions have always been crucial for ensuring cyber-security. In these times, tried and tested methods always bear good results. VPNs, antivirus programs, and government applications must be secured, and security patches must be applied as soon as they are released, thus reducing vulnerabilities. Government applications that still use username and password-based authentication must introduce additional layers of authentication, such as an OTP on mobile, and other ‘factors’ if the information involved is highly sensitive. User privileges must also be reviewed, and access to resources should be available on a ‘need’ basis only. Interventions are also required to secure access to applications that were earlier available on the government intranet, for example by making them SSL enabled.

As is true for any cyber-security measure, preparedness should not be limited to technology but also calls for people's involvement. It is imperative for government organizations to sensitize and train employees on cyber-security hygiene. The basic dos and don’ts should be kept in mind. Most importantly, employees must show prudence in their day-to-day WFH. Employees may feel that their work is not monitored as strictly as in the office, and there may be a tendency to visit a prohibited or malicious website that can jeopardize the whole system. Communication channels must be opened for employees, not only to respond to their queries and incident reports but also to address their reservations.

The consequences of unaware employees using unauthorized tools can be catastrophic. In the haste of completing work, unaware employees tend to use unsecured channels and risk-prone hacks. Government organizations must specify a list of approved software (for emails, messaging, video calling, file transfer, meetings, document preparation etc.), and employees must be encouraged to use only these. The downside of using unapproved software must be clearly communicated, and compliance must be enforced using fear of negative consequences.

Before allowing WFH, user profiling must be done to identify high-risk users, who may be database administrators or users having access to citizen data like bank account numbers for DBT. Their activity may be monitored, and any unexpected activity like bulk data transfer must trigger an alert.
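One way to implement the bulk-transfer trigger described above, as an added example that is not part of the original article: each user's daily outbound volume is compared with the median of that user's own earlier days, and users profiled as high-risk get a tighter multiplier. The role names, thresholds, and sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed policy values (not from the article).
HIGH_RISK_ROLES = {"dba", "dbt_operator"}      # hypothetical profile labels
MULTIPLIER = {"high": 3, "normal": 10}         # allowed growth over own baseline
MIN_BYTES = 50 * 1024 * 1024                   # floor so tiny baselines do not alert
MIN_HISTORY = 3                                # days needed before judging a user

# Constructed sample records: (user, role, day, bytes sent out over the VPN).
SAMPLE = [(u, r, f"2020-07-0{i + 1}", b)
          for u, r, vols in [
              ("asha", "dba", [40_000_000, 35_000_000, 45_000_000, 900_000_000]),
              ("ravi", "clerk", [5_000_000, 6_000_000, 4_000_000, 30_000_000]),
              ("meena", "clerk", [20_000_000] * 3 + [150_000_000]),
              ("kiran", "dbt_operator", [20_000_000] * 3 + [150_000_000]),
          ]
          for i, b in enumerate(vols)]

def bulk_transfer_alerts(records):
    """Return (user, day, tier, bytes, limit) for days above the user's limit."""
    totals, roles = defaultdict(lambda: defaultdict(int)), {}
    for user, role, day, nbytes in records:
        totals[user][day] += nbytes            # several sessions per day are summed
        roles[user] = role
    alerts = []
    for user, days in totals.items():
        tier = "high" if roles[user] in HIGH_RISK_ROLES else "normal"
        ordered = sorted(days)                 # ISO dates sort chronologically
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < MIN_HISTORY:     # no baseline yet, nothing to compare
                continue
            # Median keeps one earlier spike from inflating the baseline.
            limit = max(MULTIPLIER[tier] * median(history), MIN_BYTES)
            if days[day] > limit:
                alerts.append((user, day, tier, days[day], int(limit)))
    return alerts

if __name__ == "__main__":
    for alert in bulk_transfer_alerts(SAMPLE):
        print(alert)
```

In the sample, the same 150 MB day alerts for the high-risk operator but not for the clerk, which is the effect of profiling users before setting thresholds.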

Employees must be provided helpdesk support in setting up VPNs, biometric authentication devices, or DSCs. This is where government IT support organizations like NIC, which has a reach up to the district level, can help.

The sole mantra for success is to make it convenient for employees to comply with the standards and to ensure robust security controls. A culture of committed employees must be created by making them warriors of the Government who form the human firewall.

The pandemic has also put many government organizations in a situation where their disaster management plans (DMP) and business continuity plans (BCP) have been tested in actual situations, and most of them have gone haywire. It is time to make them more practical and workable as more and more strain on IT resources is witnessed. Many Central Ministries, State Governments, and PSUs have already drafted their Cyber Crisis Management Plans (CCMPs). There is a need to take a fresh look at them. Given the non-availability of certain resources and WFH scenarios, the escalation mechanism and response need to be re-drafted.

Many government departments have outsourced certain activities to third-party agencies, like software services and network or operations support such as providing citizen services, payment collection, and bill generation, to name a few. It should be realized that their employees would also now be working from home. Thus, policy considerations must address the modalities of such engagement and the sharing of data over non-government networks. These agencies must be asked to demonstrate the security controls that they have put in place. Further, government organizations may also ask for certain security compliances.

While the COVID-19 pandemic is an unfortunate event, it has hit government organizations even harder. They are made to think of innovative ways to ensure continuity and become more agile using technology-enabled solutions. A work from home culture may be the need of the hour, but appropriate security safeguards need to be in place along with a highly robust ‘human firewall’ of their employees.

About the author:

Dr Yudhishthira Sapru

The author has close to 16 years of experience in consulting, cybersecurity, data science and program management. He is currently working as Sr. Consultant, Chandigarh’s State eGovernance Mission, under the National eGovernance Division (NeGD), MeitY, Government of India. He has also been certified by PMI-USA, UN-APCICT and University of Cambridge. His research papers have been published in well known national and international journals. He has received awards and accolades for various government organizations for his work.