With coronavirus forcing federal workers to conduct meetings via videoconferencing tools, the National Security Agency compiled a guide on security advantages and deficits of popular online meeting platforms.
NSA detailed whether the video tools, including Zoom and Skype, offered security features such as multi-factor authentication, transparency on which users are joining sessions, and end-to-end encryption.
“With limited access to government furnished equipment (GFE) such as laptops and secure smartphones, the use of (not typically approved) commercial collaboration services on personal devices for limited government official use becomes necessary and unavoidable” due to COVID-19, notes the guidance.
NSA coordinated with the Department of Homeland Security, which will be issuing its own guide, “Cybersecurity Recommendations for Federal Agencies When Using Video Conferencing Solutions.” It’s intended to be “responsive to a growing demand amongst the federal government to allow its workforce to operate remotely using personal devices when deemed to be in the best interests of the health and welfare of its workforce and the nation,” and the recommendations are subject to change as web tools and vulnerabilities evolve.
NSA did not include in its guidance government online meeting services intended for secure communications such as Defense Collaboration Services or Intelink Services. The agency also “strongly recommends” using a secure government service before any of the commercial collaboration services. The NSA guidance also does not override specific telework guidance agency by agency.
The criteria was drafted to align with U.S. government guidance including NIST SP 800-171r2 – Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations (Feb 2020) and NIST SP 800-46r2 Guide to Enterprise Telework, Remote Access and BYOD Security (Apr 2016).
Evaluating an online collaboration service includes asking:
1. Does the service implement end-to-end encryption?: “Some services such as large-scale group video chat are not designed with end-to-end encryption for performance reasons.”
2. Are strong, well-known, testable encryption standards used?: “Use of published protocol standards, such as TLS and DTLSSRTP, is preferred. If the product vendor has created its own encryption scheme or protocol, it should undergo an independent evaluation by an accredited lab.”
3. Is multi-factor authentication (MFA) used to validate users’ identities?: “Without MFA, weak or stolen passwords can be used to access legitimate users’ accounts and possibly impersonate them during use of the collaboration service.”
4. Can users see and control who connects to collaboration sessions?: “Users should also be able to see when participants join through unencrypted/unauthenticated means such as telephone calls.”
6. Do users have the ability to securely delete data from the service and its repositories as needed?: “Users should be given the opportunity to delete content (e.g. shared files, chat sessions, saved video sessions) and permanently remove accounts that are no longer used.”
7. Has the collaboration service’s source code been shared publicly (e.g. open source)?: “Open source development can provide accountability that code is written to secure programming best practices and isn’t likely to introduce vulnerabilities or weaknesses that could put users and data at risk.”
8. Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?: “NSA recommends that cloud services (which collaboration apps rely on) be evaluated under the Office of Management and Budget (OMB) FEDRAMP program. NSA also recommends that collaboration apps be evaluated by independent testing labs under the National Information Assurance Partnership (NIAP) against the Application Software Protection Profile (PP).”
9. Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?: “Users should be aware that the country of origin where products were developed is not always public knowledge.”
NSA stressed that collaboration software should only be downloaded directly from an official app store and that those using browser-based services should check that HTTPS is enabled.
Meeting invites should also be sent through encrypted and authenticated means instead of posted in public forums, if possible. One person should be in charge of monitoring participants joining the videoconference, keeping an eye out for unverified intruders.
“Be aware of screen-sharing features so that you only share your screen to display content salient to the collaboration session. If content is sensitive, ensure that it is appropriate to share with all participants. Be mindful of the affiliations of those with whom you connect,” the NSA guidance added. “Be aware of your surroundings including any other communications going on (e.g. family members on phone calls or video chats, location hints if working from a sensitive location). Disable unnecessary app permissions (e.g. location services). Ensure there is no other software on your device that is actively sharing microphone data back to a remote server. Note that less-trusted devices, to include Internet of Things (IoT), often have microphones or cameras, so it may be wise to leave personal cell phones or computers in a different room if they are not being used for work.”