WASHINGTON: On a fine spring day in the nation’s capital, I’m not the only one to succumb to the temptation to work from home instead of heading into an airless office building. But cybersecurity experts warn that when I log into the AOL server to upload this article, I’m also opening a door for malware and hackers.
With more and more federal workers working from home or on the road all the time, including in the Department of Defense, even as cyberattacks from foreign powers are on the rise, telecommuting has become a national security issue. The solution? Smarter people – using stupider computers.
Today’s tech-savvy workers on the go may pride themselves on their smartphones, smartpads, and other “smart” gadgets, but from a security standpoint, “stupid” technology may be the safer bet. “Dumb terminals and thin clients,” advocated Chuck Wilsker, president of the non-profit Telework Coalition, in an interview with Breaking Defense. The idea is that the remote worker, whether at home or on the road, should use lobotomized hardware that merely transmits encrypted keystrokes and mouse clicks to a central, secure server, which sends back only an encrypted image for the remote device’s screen to display. This way, even if there’s spyware smuggled onto the remote device – which is unlikely with “thin clients” because they’re simply too low-powered to run much software, benign or otherwise – it’s never getting actual access to the secure database, only to one screenshot at a time; and if the remote device is stolen, there’s no secure data actually on it. “Nothing is being downloaded to your computer,” said Wilsker. “You don’t want to lose it,” he said, “but if that happens… you’re losing a piece of electronic equipment, you’re not losing the information.”
In many ways, this security solution is going back to the future, recreating the era when computer power was scarce and centralized. “Back in the mid-seventies, we had mainframe environments with a bunch of dumb terminals. It’s the same type of architecture,” said Tony Busseri, CEO of a Toronto-based cybersecurity company called Route 1, which sells telework software to the Navy, Customs and Border Protection, and several other government agencies. Instead of dumb terminals physically wired into the mainframe, now it’s mobile devices connected wirelessly to a central server.
“It’s a virtual long cord,” Busseri told Breaking Defense. “Just because you’re remote or outside that operations center, it doesn’t mean the information needs to follow you [outside],” he said. “It means you need to have the tools to access that information…but that information stays behind secure firewalls.”
Busseri’s software is supposed to let federal workers telecommute securely using ordinary computers and mobile devices, not just specially lobotomized ones. That approach makes another cybersecurity expert nervous. “The most important thing is you don’t have mixed devices” used for both work and personal purposes, said Eric Friedberg, a former assistant US attorney specializing in cybercrime who now heads up a security consulting firm, Stroz-Friedberg. “People start browsing to the wrong things and infecting the machine with malware,” he said. “When you dial into the corporate system, the bad guys piggyback on that connection.”
Far more secure is to issue each remote worker, whether telecommuter or travelling executive, a dedicated device, preferably a dumb one that can’t do anything but receive screenshots from the secure server. That way, said Friedberg, “their kids aren’t on it, their spouse isn’t on it, nobody’s downloading games, their 15-year-old isn’t downloading pornography.”
That’s certainly ideal, agreed Busseri. For clients that deal with military operational information, he said, “we’re probably giving each of our warfighters some kind of tablet or thin client.” But not every federal agency can afford to issue dedicated devices. Route One’s software is designed to square this circle by setting up a kind of quarantine zone on the remote user’s computer to prevent any malware on it from affecting the secure session.
Ultimately, though, as is often the case in computing and security more generally, the biggest problem is not the technology but the people using it. When you read stories that “someone had left their damn laptop on the train, sorry, that’s not a shortcoming of the system, that’s a shortcoming of the person,” Wilsker said. “These people are not adequately trained,” he went on. “The fear of God has to be put into people.”
Edited at 9:05 am on Monday, 14 May to clarify the security features of Route One software.