Mediaboss Marketing

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drives daily audio interviews onApple PodcastsorPodcastOne.

Tom Temin: Mr. Ziring, good to have you on.

Neal Ziring:Thanks, Tom, its good to be here.

Tom Temin: Is it correct to say that even the NSA does have people teleworking? I know a lot of people need to be in the SCIFs and so forth in the intelligence community, but you do have some teleworking going on also?

Neal Ziring:Well, I cant go into detail on that, Tom. But you know, were having to react to this crisis like everyone else, and both ourselves and everyone across the national security community that we serve is trying their best to keep their workforce safe while continuing to do their vital national security missions. And collaboration is always a part of that.

Tom Temin: Sure. So lots of federal agencies from the least secure to the most secure are using all kinds of collaboration tools. Give us what are the big security requirements and considerations for these types of tools?

Neal Ziring:Sure, you know, we were watching this, we were supporting all sorts of DoD workforce efforts. And we noticed there was a vacuum in terms of guidance to help people use collaboration services securely. So, you know, we have a great deal of deep expertise here in our workforce on this. So we put together what we thought were core requirements that individuals who maybe were suddenly trying to work from home or from some remote location could pick up and use to choose a collaboration service that would meet their own security needs. For example, does it use good encryption? Does it have ability to use multi factor authentication, can the user see and control who connects? These are all very important requirements for selecting a service that youre going to use for government work.

Tom Temin: Because you have a list of about seven cybersecurity aspects of these encryption, two different levels of encryption and so on, and theres a yes or no according to each one are there any particular characteristics that if they get a no at, that product would be just simply ruled out all together?

Neal Ziring:Well, we didnt want to go there. We didnt want to be prescriptive because the needs of different agencies vary widely. We wanted to inform folks across the national security spectrum of which requirements they should consider. I dont think any of them are sort of showstoppers in that sense. Theyre all reasonably important, and theyre going to vary between different folks. For example, there are some folks in DoD I know where the authentication is a very important concern for them. So for them, criterion number three use a multi-factor authentication will be vital. And we just wanted to inform them and have a representative list of products its not a comprehensive list showing what they should consider and what they should ask of the products that they start to use.

Tom Temin: Basically, it looks like the only thing that doesnt encrypt or use multi factor authentication or do anything is plain old SMS text, which is not really a brand, but thats what everybodys got on their phones.

Neal Ziring:Yeah, we threw that in as a comparison. Were really hoping people will choose to use more secure means than their SMS.

Tom Temin: And then coming up with the list and the different ratings for the different yes or no answers on the different aspects of security on these products, did you just get that from the product literature? Or did you test them?

Neal Ziring:For the most part, we got it from the product literature, because we noticed this vacuum. We had received multiple sort of time sensitive requests from customers across Dod and other national security establishments saying, Hey, we need some help here. So we got together a team of folks. We did some testing and a whole lot of reading of product literature under conditions emulating what a teleworking user would face. And then we put these together and we invite the folks who maintain these systems, if they spot an inaccuracy in what weve published then they can write to us, and we will correct it. Weve already gone through one round of revision.

Tom Temin: Got it. Were speaking with Neal Ziring, the technical director of the Cybersecurity Directorate at the National Security Agency. And have you heard from any agencies that said, Hey, this happened to us with this particular product, you better be aware of that potential?

Neal Ziring:No, we havent received reports of actual incidents. We have had several national security organizations write to us and say the guidance is helpful and asking additional technical questions. Thats pretty standard for us.

Tom Temin: Sure. And I have a question about these products, too. Suppose someone in a national security situation is teleworking and collaborating over these and lets postulate that no data is being exchanged. Say no documents or something would be exchanged back and forth in that manner. Because it may be against the rules, and depending on the sensitivity of the data, but people are talking. If they were to be talking about something that could be classified or make a reference is one of the issues that voice could be somehow obtained by a third party thats not authorized?

Neal Ziring:Yeah, thats certainly a concern for this category of product, right. Now, we do caution folks to think about what theyre saying over these systems. These are unclassified systems. And so they shouldnt be talking classified over them in any case. But yeah, thats why criterion number one is important, for example, right? Is this something that employs encryption, so that if theres somebody who can see that traffic, then theyre not going to see anything but ciphertext. Thats a very important part of selecting a secure collaboration service.

Tom Temin: Let me ask you this. If you could design a ideal product in terms of cybersecurity for collaboration, what would it look like?

Neal Ziring:Oh, I think it would, it would look a lot Like some of the commercial products that are out there, now, theres some really good ones. It should implement strong encryption, and that encryption should meet published encryption standards. It should support multi-factor authentication. A really important aspect is transparency, the service should let you see who is connected, see where its connecting through. Allow you to see what data you have stored in the service and delete it. And also whether the service provider is going to be sharing data about you or your usage with any third parties. Thats a concern as well.

Tom Temin: And one of the criteria is whether the source code is shared, the public source code is shared. What is the consideration there? Why is that important?

Neal Ziring:Yeah, that is that is criterion number seven. And thats an aspect of transparency, right that lets reviewers or potentially someone like NSA, examine how the product is implementing its security and see that that is being done correctly.

Tom Temin: Theres probably some good guidance for the vendors. Theres one here called Signal which Im not familiar with, but it gets yess on all of the criteria, except FedRAMP. It seems like that company ought to go for its FedRAMP certification.

Neal Ziring:Well, I would encourage any companies that want to provide service of this kind to the federal government to consider FedRAMP. I was there when they started FedRAMP. I think its a great program. FedRAMP is important because in gaining a FedRAMP certification, a company needs to thoroughly document how their security works and how its provided. And then the federal government can have more faith or more assurance when theyre utilizing that service.

Tom Temin: With respect to video, does video add cybersecurity risk in general to the use of these products?

Neal Ziring:I dont think it adds risks in and of itself. For some of the products, using video may affect whether you get to use encryption or not. So thats an important consideration but no, otherwise, go ahead and do the video. Its fine.

Tom Temin: All right. Neal Ziring is technical director of the Cybersecurity Directorate at the National Security Agency. Thanks so much for joining me.

Neal Ziring:Thank you, Tom.

Continue reading here:
Choosing a safe conferencing tool in the era of mass telework - Federal News Network