Don't Be a Character in an Espionage Thriller
Cyber security for the modern, connected public servant is about so much more than ensuring the right settings on a device, or even having secure online practices. With the rise of remote work and the broad range of tools that now connect to the Internet, our offline behaviour can also have consequences for information security.
Stepping into a fast-changing, complex digital landscape
The past few years have seen accelerated breakthroughs in the development and use of digital technologies that have enhanced our professional and private lives. But this has not come without risk.
The change has been precipitous in the last few years of the pandemic and has occurred in parallel with emerging geopolitical and social strife, the kind of strife that provides reason and opportunity for nefarious actors to intensify their illicit activities.
As public servants, we are living in interesting times, benefiting from technologies that allow us to work away from the traditional office environment, albeit under an increased burden with regards to personal and cyber security.
Surveys on behaviours and attitudes towards cyber security paint a worrisome picture, with a surprisingly high proportion of people who feel they are least responsible for protecting workplace information, believing that "their organization," or their organization's IT or security departments to be most responsible. Many simply don't see themselves as responsible for looking after their organization's sensitive information.
I trust that Canadian public servants harbour a more conscientious attitude when it comes to workplace information.
As an employee of the Government of Canada (GC) in today's connected world, more than ever you play a role in safeguarding Canadian data and assets, which means you contribute to protecting Canada's national security even if you are not a functional security specialist.
Being a responsible steward of sensitive data can have national security implications because some of the aforementioned nefarious actors want to gain access to it and are dedicating effort and resources to the endeavour.
This creates a situation where any public servant could, if they were not careful, rapidly become a character (not to say victim) in their own geopolitical spy thriller. And this is probably not as exciting as it might sound.
Digitally connected, but physically isolated
I'm coining the term hard office to mean the traditional space in which most Canadian public servants used to work: often a Crown-owned building with offices or cubicles, metal desks, landline telephones, wired local area networks, and an endless supply of Post-it notes, you know, the old office.
The soft office is everywhere else that's not the traditional office, including your home or that little coffee shop that serves the best lattés in town. Really, with your smartphone's hotspot or tethering function on, you can work from anywhere there is cellular coverage. Soon, your cell phone may even connect directly to satellites, extending the range even further. The distributed future is coming at us, fast.
The hard office offered a significant measure of added protection. Not only did you have on-site IT experts at the ready to help you with any hardware or software issues, you also had a stationary desktop PC, a file cabinet or desk drawers with a lock to store sensitive hard copy documents, office colleagues who looked out for you, facilities management staff that would ensure your space was clean and safe, and security guards (cheers to our kindly-but-vigilant Commissionaires!) to keep the interlopers at bay.
If today you're working from a soft office, most of this support is gone or is several steps, or kilometres, removed. You are digitally connected, but physically isolated.
Your wireless devices can be with you everywhere: they're in your home, with you on the street, on the car/bus/train/bicycle, and sometimes in restaurants, the gym, wherever you might go. You're responsible not to misplace them because not only do they belong to the GC, but they may contain sensitive information or give access to it.
How you protect these devices and their data is only as good as the industry-standard cyber security measures your IT section puts in place, and your mindful security-oriented behaviour.
There is an industry principle that goes something like, "there is no cyber security without physical security." And while this doesn't mean that working in a soft office is necessarily non-secure (physical security even in the hardest of offices is never 100% perfect), it does mean that there are additional risks to consider, and mitigation measures you must take.
And consider that we are witnessing the start of a generation of new public servants who have never known the hard office space and may never! For them, being digitally connected, but physically isolated, is just the regular way of doing business.
The modern public servant as a point of access
I'd like to give you additional perspective on how to consider this reality, not to dismiss remote work (it's here to stay, even in its hybrid form), but to highlight some of the general risks, and to help you consider how to deal with them.
Consider that, as a public servant in this highly digital, interconnected age who uses a mobile device to access work-related content on your departmental cloud, you could be a) placing Canadians' privacy at risk through inadvertent disclosures or breaches, or b) a conduit for a cyber attack. And of course, "b" often leads to "a."
The government has placed increased trust and responsibility on its employees by making it easier than ever to work from home or away on travel, in Canada or abroad. Even just a decade ago, if you had to travel for work, you carried a limited amount of paperwork, maybe a USB stick to exchange files, and a cell phone to stay in touch.
The devices you're provided with today, while more technologically secure than ever, are also all possible points of compromise if they are not locked down properly, left unattended, or used to access malicious links.
Using a financial lens to measure the impact of data breaches,. For Canada, the cost was estimated at over CAD 7 million (USD 5.64 million), including the cost of public sector data breaches.
Even if the information you work with is not classified or proprietary, it can still be sensitive, and therefore of value to nefarious actors. For example, private identity information is sensitive and, while not classified in most cases, should be secured. A good general rule is to consider all information exchanged on government networks as "sensitive" at the very least, and to act accordingly. Although your work IT systems are designed to protect the level of data you work with, your behaviour—which is under your control—should always support good data stewardship.
Working for the government makes you of particular interest to criminal actors, who tend to be opportunistic, or worse, to powerful hostile state actors (HSAs) who expend considerable effort to target you because they're interested in the access you can provide. It's one thing to fall for a random criminal cyber attack; it's another to be stalked and targeted as a potential entry point to government networks (computer and human networks),
These HSAs aren't just interested in foreign or military affairs. Innocuous-looking information on trade positions, strategic-level deliberations on budgets or policy matters, personnel movements, all of these and more are data that can be pieced together to create information (or intelligence) of interest. Leaked or stolen information can also be used by HSAs to repress marginalized communities within their own borders. And this is information we work with in our everyday activities.
It happens in the blink of an eye
Being perpetually connected to government networks through smart devices offers nefarious actors more access points to potentially compromise. The risk increases when you travel abroad and connect to foreign telecommunication infrastructures, whether it's the local cellular service provider, or Wi-Fi at the airport, hotel or coffee shop.
Don't just count on your activities at the keyboard being important. Are you using a device in a public place? Who's sitting next to you? Do you leave your laptop, phone, or tablet unlocked and unattended? What's your plan if you misplace any of these devices or if they get stolen?
Connected-but-isolated public servants are of particular importance to incredibly well-resourced state actors looking for points of access into Canadian government networks.
Trust me, these state actors are nothing to laugh at and are the most advanced, persistent threats out there. In fact, their tactics and techniques are designated as "APTs," advanced persistent threats. They are as pernicious and serious as anything gets.
Your work as a public servant, or at least the access you risk providing if you're not situationally aware, exhibiting non-secure real-world behaviour, or have poor cyber security practices, can inadvertently thrust you into the middle of a national security breach.
Scary? I've seen it happen. But you lessen the risk if you dutifully follow policy, procedures, and best practices.
Events transpire quickly in cyber space—almost instantly, in fact—giving you little to no time to react. It happens in the blink of an eye and it's invisible. To detect and mitigate a compromise or breach, cyber security analysts rely on complicated technical tools and unique skills. That is if the breach is ever flagged to them. So best to diligently practise preventive behaviours that minimize the risk.
How the story ends is up to you
While public servants may be increasingly physically isolated, the Government of Canada offers significant support to its remote workforce in terms of secure networks, equipment, and training. But, more than ever, this is a shared responsibility, and, in this modern era, the balance of the burden has tilted towards the employee. Think of it like a baby bird that's left the nest.
Technology-based defenses have gotten so good that attackers are being pushed to hack humans rather than spending weeks, months, or years researching and developing effective attacks to defeat technology-based defenses
This means that strengthening the "human layer of security" is paramount. I can't think of a more important message for today's connected-but-isolated, federal public servants.
When it comes to cyber security, your real world behaviour (and attitude!) are a key layer in protecting government data and assets. At the pace technology is evolving today, and with the increase in our dependence on it, it's good practice to be aware of the latest threat trends and vulnerabilities.
Your IT team can only do so much. The rest is up to you.
Things to take back to your team
- Have you read the Treasury Board Secretariat Policy on Government Security? What about your own department's or agency's security policy or plan? Do these documents have provisions for cyber security?
- If you work remotely, would you know how to contact your departmental security team if you lost a work device or realized (or suspected) you may be a victim of a cyber security incident?
- What measures have you put in place to support you when working remotely, security-wise (to replace those features from the "hard office")?
Resources