We have heard politicians and other advocates clamoring for Social Security to open up offices again to provide in-person customer support, but there has been no specific plan to do so as the agency has allowed its employees to work from home since March of 2020 due to the COVID-19 pandemic. Things have changed a lot since March 2020. Three effective vaccines have been created to combat COVID-19 and President Joe Biden has mandated that all federal employees soon be vaccinated against COVID-19, which has signaled to many that the Social Security agency may finally be moving in the direction of opening up offices again, but people are still waiting for that announcement.
Social Security employees have now been working from home for about 18 months. We wrote a previous blog about a reduction in work activity for some federal employees since the work-from-home order came down, but now a report from the Government Accountability Office (GAO) shows that there are significant cybersecurity concerns with employees working from home and that all of these concerns have not been addressed.
The GAO looked at 12 different federal agencies, including the Social Security Administration. The synopsis of the report indicated that federal agencies mostly overcame technology challenges, but that security controls that do not currently exist need to be put in place to combat vulnerabilities, which could be exploited, in the systems that provide remote access.
Below is a portion of the report that identifies the increased cybersecurity risks that come with allowing remote access and the practice of telework.
The IT systems supporting federal agencies are highly complex and dynamic, technologically diverse, and geographically dispersed. Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intentions who can intrude into those systems and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks. While telework is an important option during the COVID-19 pandemic, the large number of additional remote connections needed to allow agencies to maintain maximum telework capabilities brings more risks to agency networks and systems.
Remote access technologies, including employee telework devices (e.g., laptop computers and other devices), often need additional protection due to higher exposure to external threats compared to technologies located inside an agency’s network boundary. In its memo directing agencies to use technology to support mission continuity during the pandemic, OMB also provided a list of areas of increased focus concerning cybersecurity and privacy.
In April 2020, the Congressional Research Service reported that the increase in telework in response to the COVID-19 pandemic had increased cybersecurity risks for agencies. Specifically, it reported that adversaries were, for example, using phishing attempts to try and take advantage of the pandemic to entice and trick users into downloading malicious software onto their devices. Further, the increase in remote users brings additional risks, as remote users are no longer accessing agency computing resources from inside agency facilities.