The global novel coronavirus pandemic has changed the way people are working, even those working in traditionally Top Secret, classified environments. According to data from research firm Gartner, more than two-fifths of employees around the country are likely to continue to work remotely, as it has improved efficiency and reduced costs for many businesses.
Despite the demand from candidates and benefits for employers, one of the major concerns has been how secure are the devices, platforms and networks that teleworkers use to do their jobs. Cybersecurity experts have warned that the information traveling on, and accessed by the devices on the networks, are only as safe as the weakest link. In the case of those in the military, the Department of Defense (DoD) and even government contractors, there is highly classified information that is needed for individuals to do their jobs that can’t be – or at least shouldn’t be – accessed on an unsecured Internet.
To address those concerns the Air Force Research Laboratory has reportedly accelerated the rollout of its new deviceONE initiative, which can allow aerospace engineers, intelligence analysts, research physicists and others working with the United States Air Force to access classified networks remotely but also securely.
Aerospace America reported that contractors authorized to handle such classified information will began using modified off-the-shelf laptop computers that featured hardened security that included software developed under a National Security Agency project. This will allow workers to maintain social distancing that is required to stay safe from COVID-19 while still being able to securely access the classified networks hosted on servers in Hawaii.
Not everyone will get such a laptop however, at least not yet. So far about 20 of the specially modified machines have gone out from an initial batch of 40 machines. The plan is to get thousands more laptops from such makers as Dell, HP and Panasonic to AFRL for modification.
Each computer will reportedly cost less than $2,500, including the upgrades, but a concern could be availability – as more individuals in the private sector as well as government employees shift to working from home there could be a run on the supply, particularly as manufacturers get hit by coronavirus-related supply chain delays.
More Than Virus Protection
The deviceONE machines are getting true cybersecurity hardening, and it is a lot more than installing an advanced anti-virus and firewall software suite. This effort is part of Air Force’s Advanced Battle Management System initiative – a program that provides new ways to securely connect aircraft, satellites and even operations centers and allow for the sharing of data in the field.
There are three main elements to the program:
1. Virtual Desktop Information (VDI), which is a series of cloud-type servers at the Pacific Air Force’s Hawaii headquarters where applications can be accessed remotely, as well as off-site storage for sensitive military data.
2. SecureView, a lightweight, thin clients-style laptop that can be used to access a classified network but doesn’t allow for local storage to its hard drive.
3. Commercial Solutions for Classified (CSFC), a program that connects the SecureView laptops with the VDI servers. It is based on technology that was developed six years ago by the NSA and utilizes the functionality of a corporate virtual private network (VPN) to process the classified information.
“The new ‘jump kits’ expedited to facilitate the unexpected working at home programs,” said technology industry analyst Charles King of Pund-IT.
“The underlying technology is a highly secure virtual desktop infrastructure solution,” King told ClearanceJobs. “At this point, vendors are sending laptops and desktops to the USAF which configures and distributes the systems to qualified personnel.”
The fact that the data is still accessed remotely – even if that data can’t be saved on the device – does bring up the question of whether this could still result in breaches.
“Any such decision is a balancing act between the opportunity’s value and the risk’s exposure,” explained Jim Purtilo, associate professor of computer science at the University of Maryland.
“When it is easy to maintain workers on-site, the value of their efforts is undiminished and any security risk is contained,” Purtilo told ClearanceJobs. “With the pandemic, limited on-site access constrains our effort and increases risk, albeit of a different kind than we are used to calculating. Someone thus gets to decide how much risk from working outside the fence they can accept in return for the value of that work – and I don’t envy them that decision one bit.”
It is also possible that such technology will see more “mass” distribution – but unlikely with the same level of security that is offered by deviceONE.
“At some point, I expect vendors will develop solutions specifically designed for these deployments,” added Pund-IT’s King. “Dell, which already has a sizable business with US military programs, seems particularly well-positioned for future sales. At this point, it seems unlikely that these solutions will ever be deployed beyond military and government use cases. However, if scenarios involving future resurgences of COVID-19 are correct, it’s likely that vendors, including Dell and HP, and VDI partners like VMware, will develop virtual desktop solutions supporting highly robust security and privacy features.”
Even if such technology is used in a more “mainstream” manner it is still possible the hackers will find a way to keep up.
“The relevant technologies in that program have been around, and it is easy to guess why they haven’t been authorized for such use before now,” noted Purtilo. “Nobody had to accept a risk of using such tools on the outside when the cost of bringing workers inside was so low. Today the pandemic poses greater risks and costs to bringing in those workers. Obviously someone in the Air Force office judges the necessity of their work to be worth a bit more risk. Here’s hoping they don’t come to regret that decision.”