Cybersecurity and the Pandemic

TLDR: In the face of a pandemic, we were not ready as a society from a cybersecurity standpoint

March 13, 2020, was my last full day in the office. The coronavirus was threatening to continue spreading like wildfire and, like many governmental organizations in the United States, parts of the federal government began to take action. That Friday, I was sent home with my work laptop in tow and told to get settled to work from home; how long, no one really knew. In the days and weeks that followed, we all began trying to figure out how to operate under this, "new normal."

In organizations that rely on daily interaction to conduct meetings and just generally check on the welfare of their employees, it can be difficult to transition. They must find new ways to navigate through the daily schedule. We found many ways to interact with each other, starting with Zoom, and then finally falling into a Department of Defense-approved system, Commercial Virtual Remote (CVR) Environment. With this new way of operating, there were some struggles.

As we began to utilize Zoom, murmurs began to arise about the security of the platform. Schools were being hijacked by pranksters hopping into rooms and disrupting classes. Additionally, it came to surface that data from Zoom was actually being routed through China; a serious concern for us in the federal government. The Department of Defense quickly put a kibosh on the use of Zoom for "official use" and quickly opened up the CVR platform; essentially, a Microsoft Teams environment. It was a trying time for us and many more organizations, I imagine, went through the same type of scenario. Thus, it begs to ask the question, were we ready?

The Zoom platform is pretty amazing. The videoconferencing capabilities it provides is excellent and allowed us to have everybody in the same virtual room at the same time to conduct our weekly staff meetings. I even utilized it to keep a "virtual office" open for anyone who might need to reach me and wanted to do it as close to a personal interaction as possible. However, it was clear, from all of the news that came out as the pandemic began to perpetuate, that a platform like this was not ready for mainstream usage.

As Zoom use exploded, many people jumped into the water, head first, without a life jacket. There were security features, such as room passwords and waiting rooms, but many people did not use them. This left them vulnerable to the hijackings experienced by the schools. People believed that, without the meeting ID, there was no risk. However, a program called zWarDial was developed by researchers that could guess roughly 100 correct meeting IDs per hour. And, with no passwords to protect them, anyone could join in on the conversation.

The problem with moving to a platform like Zoom in an off-the-cuff, spontaneous manner is that we are just not ready. Too many organizations and individuals have put cybersecurity on the back burner for too long. And, in a time of need, like we saw as the pandemic kicked off, the door is left ajar for malicious actors to enter and wreak havoc. In the case of Zoom, they quickly moved to educate users on the security features; but, this should have been done ahead of time, with planning.

Organizations and individuals need a contingency plan in place. What are you going to do if your daily operations or daily lives are upended? If that contingency plan includes some form of information technology, there needs to be a plan in place on how to use it effectively and securely. The Zoom case is a prime example of why this needs to happen. Furthermore, it is not just the organizations and individuals who need to prepare, but also the developers of the technology.

Concerning is the idea that Zoom was pushing data through China without anyone’s knowledge. They only admitted it after it was identified that encryption keys between the United States and Canada were being routed through China. Granted, Zoom admitted fault in its geo-fencing process to keep data in the regions it was being transmitted, but this still provides evidence that some technology developers just are not ready for mainstream usage within organizations.

We need to do more as a society to increase our knowledge of cyber threats and malicious intents. Not only do organizations have a dire need to secure their systems, but personal devices need to be considered as well. In today’s world of data breaches and espionage, it can only take one small incident to create a much larger problem. We must do more to educate everyone on best practices for securing data and devices.