How Washington state manages cybersecurity in a pandemic
For the past six weeks, Vinod Brahmapuram, the statewide chief information security officer for the State of Washington, has started his workdays by meeting with the CISOs who work within the state’s many agencies. The difference between these meetings and the ones he convened before, of course, is that they’re all taking place virtually as the bulk of state employees work from home during the COVID-19 pandemic.
Brahmapuram, speaking Thursday on a webinar hosted by the City University of Seattle, said the state government was well-prepared for the stay-at-home order Gov. Jay Inslee implemented March 23. Washington was the site of the first known U.S. infection of the novel coronavirus, which was reported Jan. 21, and as a wider outbreak appeared more likely, Brahmapuram said Washington Technology Solutions, or WaTech, started planning its response in February.
“What went very well for Washington is that the moment we had indicators of COVID-19 … we started pulling things together to talk about what it would look like remote,” he said. “[State Chief Information Officer] Jim Weaver did a fantastic job pulling together all the CIOs, and I was able to pull together CISOs across all agencies.”
Brahmapuram also said his office has been leaning on the state’s cybersecurity vendors and other governmental partners like the U.S. Cybersecurity and Infrastructure Security Agency, which has released multiple advisories on how to manage enterprise IT security during the health crisis.
Nowadays, the members of Washington’s 65,200 statewide workforce who are working from home are required to access the government’s networks through a virtual private network. WaTech is also placing a greater emphasis on its implementation of multi-factor authentication, and Brahmapuram’s office is putting out its own guidance for state workers to be more vigilant about online threats.
A rapid and widespread shift to telework was expected to create new challenges for states’ cybersecurity polices and IT supply chains. But Brahmapuram said government employees in Washington may have been quicker to adapt than elsewhere, thanks to a liberal telework policy Inslee signed in 2018. He said that on weekly conference calls held by the National Association of State Chief Information Officers, he’s heard other states’ workforces are struggling with the transition.
And threats against state networks aren’t taking a holiday with government offices emptied out. Tom Burt, Microsoft’s vice president for customer security and trust, said on the webinar that his team is seeing a steady volume of attempted phishing, spoofing and distributed-denial-of-service attacks against the company’s users. The wrinkle, though, is that many of the threat actors are shifting their tactics to lure victims with messages about the pandemic.
“What we’re seeing is the same total volume of phishing, but a big percentage have shifted toward using COVID-19 claiming they know the cure or they have inside information,” Burt said.
Brahmapuram said WaTech’s cybersecurity office has a variety of tools that help it mitigate threats against the state’s networks, even as the vast majority of end-users are logging in from their kitchens and living rooms. Without naming specific brands, he said the state is using a threat intelligence platform, a security event management tool and “a suite of other appliances we use for various purposes.”
“This is a complex problem,” he said. “How you defend against it has to be very thoughtful and layered. You do not have one box that solves every platform.”