Earlier this month, Gov. Glenn Youngkin announced a new policy aimed at propelling the return of state employees to in-person work.
On May 5, the governor’s office outlined the timetable for a two-month transition period, beginning with an updated Standard Telework Agreement from the Virginia Department of Human Resource Management. Employees had two weeks to review the document, with a recommended May 20 deadline for submitting any remote requests.
Applications then were to enter layers of review, ranging from agency heads for one-day agreements, all the way up to the governor’s chief of staff for any arrangement of more than two days. By June 3, all accommodations would be considered, leading to a July 5 target date for returning to the office.
People are also reading…
For employees who saw reason to maintain full workplace flexibility, Youngkin’s announcement produced some natural anxiety. And while the focus is on where state employees will accomplish their work, another factor is not receiving enough attention. As state telework policy evolves, security matters more than setting.
One of the core components of the revised Standard Telework Agreement is “Confidentiality and Information Security,” with two listed responsibilities for employees. They will:
- “apply approved safeguards, in accordance with agency policy, to protect agency or state records from unauthorized disclosure or damage, and will comply with all records and data privacy requirements set forth in state law, agency specific policies, and state policies”; and
- “conduct work at the alternate work location in compliance with all information security standards.”
What will the governor and state lawmakers do to keep pace with evolving threats? Think back to December 2021, when Virginia’s legislative branch was hit with a ransomware attack.
Per a March 2022 Times-Dispatch report, the “extremely sophisticated malware” brought trouble for the General Assembly’s bill drafting system, file services, regulatory and budget systems, and voicemail. The Virginia Capitol Police website also went down, but operations otherwise continued, The Washington Post reported.
The scope of such threats rarely meets the public eye, but it is a persistent reality for the Virginia Information Technologies Agency. This division of state government handles IT support for 65 executive branch agencies and 55,000-plus employees — the same population Youngkin’s return-to-work transition timetable applies to.
In 2021 alone, VITA said Virginia faced more than 66 million attempted cyberattacks and fended off 50,000-plus pieces of malware. Amid those dangers, the Joint Legislative Audit & Review Commission also completed a September 2021 review of VITA’s “organizational structure and staffing,” finding some areas of need.
A JLARC presentation noted that while VITA staff members “are satisfied with the agency, and turnover is low,” its Commonwealth Security and Risk Management unit “lacks enough security staff to keep up with IT changes and monitor all IT equipment.”
“The lack of sufficient staffing in CSRM increases the risk of a cybersecurity breach of a state IT system,” the full JLARC report said. While there are 4,000 to 5,000 pieces of equipment in state government hands, CSRM only had enough employees to “focus on approximately 600 priority pieces,” the report added.
Adequate funding for cyber technologies is another element of the commonwealth’s budget impasse that cannot go unaddressed. The governor and state lawmakers have to work together to plan and execute clear investments in government operations that create more stable IT environments, in all settings.
“We know that creative, innovative, and effective solutions for all Virginians occur with regular, in-person interaction by our incredible workforce here in the commonwealth,” Youngkin said in a statement. He also said remote work “still has a place, and I think we can actually find a great, great kind of ... new work environment that really is focused around the office, but also acknowledges that there are needs and benefits from having telework,” the RTD reported.
In the years to come, public- and private-sector jobs will require a balance between in-person and virtual environments. In a 21st-century workforce of any kind, security matters more than setting. Without resilient computer systems, Virginia’s march toward normalcy and its commitment to being “open for business” are at risk.
— Chris Gentilviso
Chris Gentilviso is Opinions editor. Contact him at: firstname.lastname@example.org