Twenty days in and the government still may be shut down as lawmakers maintain an impasse over funding a wall at the U.S.-Mexican border, but that doesn’t mean hackers are off the clock or that key government systems aren’t vulnerable.
“I do not expect a cyber catastrophe. Operational, mission-critical employees are mostly designated as essential, and so we can expect that network monitoring will continue and cybersecurity incidents will get an appropriate response,” Phil Reitinger, president and CEO of the Global Cyber Alliance (GCA), wrote in a recent blog post.
“Since bad actors do not operate according to Capitol Hill's timetable, they will not stop and might even increase their attempts to penetrate our vulnerable energy grids, financial information, military bases, and telecommunication networks,” said SOSA CEO Uzi Scheffer, who explained that the shutdown “could cause long-lasting damage to the country.”
Noting that “there are immediate and important consequences” to the stalemate, Reitinger pointed out “the most critical parts of the U.S.government civilian cybersecurity are in agencies subject to the shutdown, especially the Cybersecurity and Infrastructure Security Agency and U.S. Secret Service at DHS, the FBI and computer crime prosecutors at DoJ, and Commerce agencies including NIST, NTIA, and the NCCoE.”
While “essential work” will continue in those departments even as some workers toil without pay and others are ordered to stay home, that will result in “reduced effectiveness,” Reitinger told SC Media.
"With the government shutdown, our country's cybersecurity is at risk – both in the short term and the long term. The immediate risk is, of course, a higher vulnerability to attack,” said OpenVPN CEO Francis Dinha.“Without a full support staff, those essential employees still working hard to maintain cybersecurity simply don't have the resources they need. And while they're no doubt incredibly skilled at their jobs – and passionate about their work — they're still human, and expecting them to do the same, or more, work without the support they need is setting us all up for failure.”
The worry over how they will handle financial obligations – like paying the mortgage and other bills – will only add to the stress and the likelihood that mistakes will be made, Reitinger contended.
“The shutdown reduces the number of cybersecurity officers that work nonstop to analyze, detect, and defend against threats,” said Scheffer. “Although a small number of officers are considered essential and still work despite the shutdown, the reduction in available personnel harms the country's ability to protect its most valuable assets.”
Consider, Reitinger said, DHS’s new Cybersecurity and Infrastructure Security Agency (CISA), where 45 percent of employees are on furlough, prompting Rep. Bennie G. Thompson, D-Miss., chairman of House Committee on Homeland Security, to query DHS as to whether CISA is still “able to perform cybersecurity risk and vulnerability assessments for the Federal government, critical infrastructure owners and operators, and state election agencies.”
Expect, too, that the information-sharing pipeline between the private and public sectors will slow to a trickle as will cybersecurity-related probes. Already the FBI has said it’s ratcheting back on investigations as the shutdown stretches out.
“The effect is also international, as these agencies work with their counterparts around the world to protect allies and global businesses,” Reitinger wrote.
All that could amount to delays in identifying threats. “These delays may of course results in increased risk and resulting damage,” said Mukul Kumar, CISO and vice president of cyber practice at Cavirin.
The shutdown, too, could make it “far more difficult than ever to keep an experienced, cybersecurity workforce from seeking a more stable work environment and guaranteed pay,” said Joseph Carson, chief security scientist at Thycotic.
“Cybersecurity roles are going to be the most sought after skills in the coming year and it is vital for governments to attract the best talent in order to protect and secure critical infrastructure and their citizens,” he pointed out.
Already, there are reports of private sector organizations tapping government workers with the lure of not only a paycheck – and a higher one at that - but the promise of benefits and stability.
“The U.S. government will need to do much more to attract experienced cybersecurity professionals given the recent bedlam and instability,” said Carson.
In fact, long-term damage U.S. cybersecurity is likely to be even greater “in terms of its workforce,” said Dinha. “Employees trained in cybersecurity are in incredibly high demand in the private sector; how can the government possibly hope to appeal to the high-level candidates we need if their job security is so deeply at risk?"
Noting the “uphill battle” the federal government is facing in recruitment, “issues like this only serve to make it look like a less stable place to start a career,” said John McCumber, director of cybersecurity advocacy, North America for (ISC)2.
A chorus of public and private sector voices has beseeched lawmakers and the president, in the interest of protecting the country, to break the stalemate and get government back up to full speed with Thompson warning that for every day of the shutdown, “the effective functioning of key homeland security operations are imperiled.”
But even if the president and Congress come to an agreement, there’s still work to be done to undo the damage caused by a lengthy shutdown as well as some rethinking of what should be considered essential going forward.
“It’s also troubling that something as critically important as the National Institute of Standards and Technology (NIST) is considered non-essential during the shutdown,” said McCumber. “It highlights the concern that our priorities, mandates and corresponding actions need better alignment with today’s national security threats and vulnerabilities.”
Indeed,“ when the government reopens, it will be a good opportunity to re-evaluate what we consider mission critical both within the DoD and across other agencies,” said Kumar. “It is very possible that additional cyber resources should be put in this bucket.”