How government bodies can avoid the cybersecurity pitfalls of video conferencing
For nearly two years we’ve heard countless stories about public safety officials and city council members having their virtual meetings hijacked by bad actors. As these incidents have continued to mount, prioritizing video conferencing along tiers of required privacy should be a top government concern as the current administration increases its focus on cybersecurity. However, it’s puzzling that regulations have not been enforced with regard to collaborative communications, which is especially alarming given the remote work trend is expected to continue for the long haul.
Since the start of the pandemic, organizations have relied on platforms like Zoom, Microsoft Teams and other video conferencing tools for keeping their businesses moving forward. Unfortunately, there have been some devastating consequences like when the U.S. House Oversight Committee Meeting became the victim of a “Zoom Bombing” in April of 2020. While this particular attack hit at the government level, there have generally been too many reports of sudden, inappropriate meeting interruptions leading to politicians having to proactively address these types of issues.
When the Biden administration issued its executive order to bolster cyber defense in 2021, it highlighted how the U.S. is making cybersecurity a top national concern. However, there has been little mention of collaborative communications with that initiative, something that state and local governments rely on to conduct meetings on critical issues like: statewide natural disasters, state and local budgets, election politics on the government level, crisis communications of a proprietary nature, cyber attacks that need to be internally discussed, as well as other top-secret matters.
A New Approach to Secure Video Collaboration
It is imperative to reevaluate how vulnerable these widely used platforms are to breaches. We should look to triage meetings according to levels of proprietary data and then apply the appropriate and necessary cybersecurity measures for each type of videoconference. An informal social meeting between government employees would be a “Level 1” meeting and would not require the highly specialized controls that a “Level 4 meeting” would necessitate. A discussion about a government attack or handling of a national disaster would meet Level 4 criteria and require controls such as a lobby room with a special password, biometric login, end to end encryption, secure desktop features and more.
When it comes to collaborative communication tools, organizations are susceptible to the security flaws of the many widely used platforms. Now is the time to set the guidelines for those types of communications, specifically virtual meetings, and to bring this to national attention and to the focus of U.S. regulatory agencies. Classifying meetings along four tiers and applying standards for each of those tiers would help meeting hosts get a better grasp on how they should be conducting sensitive discussions.
With a global cultural shift towards remote and hybrid work, governments must continue to adapt to these new realities in 2022. Agencies and public officials must be able to have extreme confidence in the security of the virtual meeting platforms they’re using to ensure critical information isn’t breached in any way.
Early Recommendations, Guidelines and Where We Go From Here
Early on in 2020, a string of incidents (i.e. “Zoom Bombings”) led to the Department of Homeland Security issuing an initial set of best practices to help users understand the threat of cyber attacks and prevent hackers from getting into a meeting.
However, these early guidelines were just the seed of the idea that can now be expanded upon. Every video conferencing organizer should be able to classify the type of meeting to determine who to invite and control information access. This will allow government organizations to grant acceptable privileges to teams so they run meetings that protect proprietary data. It is now practical to secure video conferencing and protect all parties involved, even if malware or spyware has crept onto an individual’s computer or an organization’s network. With breaches and virtual meeting interruptions becoming more common, there is no excuse for government agencies to be at all lax about this critical area of cybersecurity.
What Needs to Happen Now
Even on state and local government levels, the types of platforms that are being used for videoconferencing are prone to attacks. That is an alarming fact and there is a big oversight when it comes to cybersecurity and virtual meetings. Users should always be cautious about sharing passwords, ID numbers, IP addresses, company data, trade secrets and other proprietary data with these services until there are major improvements.
The U.S. must continue to push collaborative technology compliance best practices while offering guidance on new tools and solutions that can shut down threat vectors. At the very least, these platforms should look to implement out-of-band authentication tools, keystroke protection for proprietary meeting authorization, as well as complicated password systems.
Hackers have become more adept and sophisticated at infiltrating these platforms. Therefore, it is imperative that state and local government organizations proactively secure alternatives, keeping in mind that they must ensure reliability, performance excellence and an easy to use system.
Mitigating Cyber Threats and Security Risks in the Future
It is crucial for government organizations to build off of the early guidelines for virtual meeting security, and then take a closer look at their conferencing tools to ensure complete organizational safety.
The new realities of communicating in the remote work environment have led to a whole new set of challenges. Ransomware and critical infrastructure attacks have grabbed all the headlines, but the safety of digital communication technologies is still being overlooked and meeting breaches will continue to occur until it gets resolved. Cybersecurity initiatives related to virtual meeting technologies should be prioritized, and classifying meetings according to tiers of importance is a practice that should be enforced by the state government to protect all government-related matters.
About the Author:
An entrepreneur and technologist with over two decades in the computer industry, George Waller is a co-founder and EVP of StrikeForce Technologies, a 20-year-old U.S. cybersecurity company that has developed cyber security solutions which prevent data security breaches for consumers, corporations, and government agencies.