The U.S. Department of Housing and Urban Development’s IT infrastructure stumbled under pandemic telework, leaving nearly two-thirds of employees’ computers without security checkups for more than 200 days, an internal watchdog found.
Significant delays in computer security updates, months of network issues and lack of enforcement of password expiration policy collectively made the agency more prone to cyber attacks and beleaguered its tech help desk, HUD’s inspector general said.
“Although HUD experienced challenges during mandatory telework, HUD continued its operations; increased network capacity; and plans to make additional network improvements ... and potentially replace its help desk system,” the IG said in a report. “HUD encourages and supports the use of telework to enhance its work and the work and life of its employees.”
The agency joined others in deploying mandatory telework for its employees in March 2020 following the White House’s declaration of a national emergency in response to rising cases of the coronavirus. To aid with the sudden transition, Congress passed the CARES Act, which provided $35 million to HUD in support of IT and telework needs, among others.
Prior to the transition catalyzed by the pandemic, the agency reported 20% of its employees regularly teleworked three or more days per week and 26% teleworked one to two days. But once the 7,000-large agency moved to a near full-time telework schedule, more employees than before needed simultaneous remote access to HUD’s network, “which presented unique risks and security requirements,” the OIG report said.
One of the challenges was that the agency’s virtual private network bandwidth was not able to accommodate the increase, leading to employees having difficulty maintaining connections, sending emails, accessing systems and taking on daily tasks.
“Network performance issues could affect HUD’s ability to accomplish its mission,” the report said. “For example, even relatively minor interruptions to processing electronically maintained information can result in inaccurate and incomplete data or have financial impacts, such as transactions’ not fully processing. These performance issues occurred at a time when HUD was managing billions of dollars in grants because of COVID-19.”
Between March and June 2020 there were 5,949 help desk tickets related to VPN issues. The agency has a national help desk that provides employees with technical support 24 hours a day, seven days a week.
The overloaded VPN also made it difficult for employees to run timely security updates on their computers that close loopholes for cyber criminals. Roughly 5,100 HUD computers did not receive security check-ups for more than 200 days, the report found.
That raised red flags about weakened protections against threats, which had an outsized impact during the pandemic as cybercrime shifted from targeting individuals and small businesses to major corporations, governments and critical infrastructure, according to Interpol.
Vulnerability at HUD was compounded by the fact the agency also did not enforce its password policy because the VPN couldn’t handle it.
“While under mandatory telework during the COVID-19 pandemic, HUD made a risk based decision to not enforce its password policy,” the report said. “However, after mandatory telework was lifted, HUD was still not enforcing the policy more than two years later.”
HUD responded that it increased the network capacity of its data centers in July 2020, boosted the number of VPN licenses for each data center and split users between its primary and backup data centers to reduce the load on its VPN.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.