This article has been saved to your Favorites!

House Dems Urge Review Of COVID Telework Cybersecurity

By Grace Dixon · June 3, 2021, 6:08 PM EDT

Leaders of the U.S. House oversight committee have urged government watchdogs across 10 federal agencies to investigate whether their departments are at a heightened risk for cybersecurity attacks following the pandemic-related shift to teleworking.

Following three high-profile cybersecurity attacks suspected to have been sponsored by foreign nations, committee Chairwoman Carolyn B. Maloney and other Democrats on Wednesday urged 10 inspectors general to examine whether the widespread use of virtual private networks and other technologies that allow workers to continue working remotely exacerbated security vulnerabilities.

"The widespread use of [VPNs] and other remote-access technologies to facilitate continuity of operations across the federal government allowed federal agencies to continue to serve the nation throughout a deadly pandemic but also created additional cybersecurity vulnerabilities that could jeopardize the integrity of federal information technology networks," the letter said.

The committee urged inspectors general to examine the security of remote connections, including VPNs and collaborative platforms such as Slack, Zoom and Microsoft Teams.

It also asked the inspectors to examine agencies' monitoring of remote-access users, their distribution of telework hardware and software and whether they are monitoring networks to pinpoint existing vulnerabilities.

The letter went out to inspectors at the U.S. departments of State, Homeland Security, Justice, Energy, Treasury, Health and Human Services, Veterans Affairs, Education, Defense and the intelligence community.

The request follows a slew of high-profile cyberattacks led by state-sponsored groups in China and Russia.

"The proliferation and growing sophistication of malicious state and non-state cyber actors requires federal departments and agencies to be able to maintain and protect the integrity of their information technology systems," the committee told inspectors.

IT software provider SolarWinds Corp. was the vehicle for a cyberattack first reported in December, which breached systems throughout the federal government, including the Department of Homeland Security and the Treasury Department. Likely led by Russian intelligence agents, according to U.S. intelligence agencies, the attack hid malicious software in a routine security update.

More recently, news broke in March of an attack on Microsoft's Exchange email services carried out by state-sponsored actors in China that exposed hundreds of thousands of users. State and local governments were among the victims of the attack, according to U.S. government agencies.

The letter also cited April reports of an attack that breached multiple U.S. government agencies, critical infrastructure entities and private companies through vulnerabilities in Pulse Secure, a widely used VPN. The hackers have suspected ties to China.

Though exacerbated by the pandemic-related shift in work culture, the danger of security threats connected to telework is not a new concern, the committee wrote, citing a 2016 report from the National Institute of Standards and Technology.

"Major security concerns include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, and the availability of internal resources to external hosts," the organization said in a report on security considerations for telework.

The committee urged inspectors to incorporate the investigation of remote-work security as part of its annual cybersecurity evaluation.

--Additional reporting by Ben Kochman. Editing by Nicole Bleier.

For a reprint of this article, please contact reprints@law360.com.