Mass teleworking causes spike in DOD network attacks

The Defense Department's networks have been stressed since expanding telework to minimize coronavirus at defense agencies.

The Defense Department's networks have seen an uptick in cyberattacks this past week, and officials want to restrict the use of commercial streaming services, such as YouTube, as much of its workforce goes remote in response to the coronavirus pandemic.

The U.S. is grappling with the COVID-19 pandemic, with many companies and government agencies calling for telework. But it's a twofold challenge for DOD, which has 37 reported cases, as it tries to meet device demands and keep down network vulnerabilities.

Essye Miller, the principal deputy CIO for DOD, said during a virtual town hall meeting March 16 that the organization's networks experienced a surge in cyberattacks as more employees were pushed to work remotely if possible.

"With the increased telework capability comes an increased attack surface for our adversary. They're already taking advantage of the situation in the environment that we have on hand," Miller said.

DOD pushed, but has not mandated, a maximum telework policy March 11 and has since rolled out a series of domestic and international travel restrictions. Tours and visitation to the Pentagon have also been restricted. Personnel who utilize classified systems can physically come into work to execute mission-essential duties, a senior defense official told reporters March 15.

But the surge in telework means there's ample space for cyberattackers.

James Yeager, the vice president for public sector business for the cybersecurity firm CrowdStrike, told Defense Systems that cyber adversary behavior during the COVID-19 outbreak is similar to that seen during other stressful events, such as natural disasters, and involves many of the same bad actors.

"This is the same type of behavior that we've observed and other global events -- think of like elections, think of all of the tension and anxiety that's, that's stemmed from what's been going on in the Middle East and Iran," Yeager said. "This behavior effectively feasts on sensationalism, whether it's real or manufactured in someone's mind."

Miller didn't discuss the types of attacks DOD has been seeing but did stress cyber hygiene -- including not using unapproved applications or streaming services on DOD's networks.

Although Miller didn't draw a direct correlation, the deputy CIO said that use of streaming services, such as Pandora and other music streaming services, on DOD's network has also increased. She asked employees not to use them on the network because they are not "mission essential."

DOD is also shutting down YouTube and will begin throttling streaming services March 16, Miller said. However, enterprise services, including collaboration and chat, will be made available through the Defense Information Systems Agency's Joint Service Provider, which consolidates DOD's IT services, Miller said.

DOD's IT services and device requests hit an "unprecedented demand" in the past week, Miller said, with a 240% increase in requests to DISA's JSP Help Desk.

Yeager said the heightened awareness and anxiety surrounding COVID-19 mean that people will behave more recklessly. As a result, developing and evolving cybersecurity principles and incident response plans for telework will become more important the longer that mass telework policies exist.

"There needs to be a greater focus on privacy, privacy of the data. And inside the [information security and] defense world, there needs to be, maybe, an active campaign for hunting for some of these intrusions that may come from some of these new entry points and new threat vectors," Yeager said.

Miller said the CIO is developing a list of best practices and compiling information for staff, emphasizing the need for basic cyber hygiene practices to maintain network security.

"Please, please, please the same practices that you use in an office environment, need to convey to wherever you're teleworking from," she said, asking employees "not to resort to creative means" or applications that aren't approved for use on the DODIN because doing so makes the network more susceptible to attacks.

This article first appeared on FCW, a partner site of Defense Systems.