In the Shutdown, the US Government Is Flirting with Cybersecurity Disaster
The record-setting partial government shutdown that enters its 24th day today is having a damaging effect on the nation's cybersecurity, both now and in the future.
Many agencies’ cybersecurity teams are down to skeleton staffs. Critical services related to cybersecurity are not being provided to the public. In addition, experts say, the shutdown is encouraging the most talented employees to leave for jobs in the private sector and will make it difficult to recruit in the future.
The Department of Homeland Security has furloughed nearly half of the staff at its Cybersecurity and Infrastructure Security Agency, as well as on the analysis and operations team that provides intelligence to public and private sector partners.
Many government websites are already down as a result, said Pravin Kothari, CEO at CipherCloud, a San Jose-based cybersecurity company.
"The implications of the shutdown for the many hundreds of US government data centers and cloud deployments are perhaps more frightening," he added.
While some security responses are automated, many threats require review and action by security operations center analysts, he said. "With these people on leave, the probability of a successful undetected network penetration goes up."
Security professionals in charge of protecting government agencies and services are fighting a never-ending battle against new threats and newly discovered vulnerabilities.
"Recovering from a backlog like this can literally take months," he said. "It's very difficult to get back on your feet."
And then there's the immediate threat.
"This is a perfect time for bad guys to attack," Wernick said. "My guess is, a few months from now, we'll find out that this period was a really scary time."
Social engineering (manipulating people, for example by impersonating a colleague or a vendor, into handing over credentials or granting access to a protected network) and similar attacks become a lot easier when almost everyone is out and nobody knows what's going on.
"If you're a bad guy, this is a good time to spoof an account," said Wernick.
DHS’s Cybersecurity and Infrastructure Security Agency, which has sent nearly half of its staff home and has the rest working without pay, is also responsible for new initiatives such as the National Risk Management Center and the Supply Chain Security Task Force.
Other DHS cybersecurity programs adversely affected by the shutdown include Automated Indicator Sharing, which shares cyber threat indicators with the private sector.
Meanwhile, at the National Institute of Standards and Technology, nearly 85 percent of the staff are out on furlough. NIST is the agency that produces security standards and guidelines, such as the recommended security controls for federal information systems and organizations (NIST Special Publication 800-53). The partial shutdown could delay some of these critical projects.
Some NIST services are down altogether. The National Vulnerability Database is still being updated, but the Computer Security Resource Center website is offline, and all online activities are unavailable "until further notice."
NIST doesn’t just serve the public sector – private enterprise security professionals use its guidelines and databases extensively.
Another government cybersecurity function not being taken care of is the renewal of TLS certificates on government websites. According to Netcraft, more than 80 TLS certificates have already expired, including some at NASA, the Department of Justice, and the US Court of Appeals.
The effect depends on how each site is configured. Sites that enforce HTTP Strict Transport Security (HSTS) become completely inaccessible, because browsers refuse to let users bypass the certificate error. Sites without HSTS show a warning that visitors can click through, and a visitor who does so has no way to tell an expired but genuine certificate from one presented by a man-in-the-middle attacker.
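The practical defence against the failure described above is to know your certificate inventory before anything expires. The following script is an added example, not code from the article or from Netcraft: it classifies certificates by days remaining from the `notBefore`/`notAfter` fields in the dictionary that Python's `ssl.getpeercert()` returns, and includes a live check that reports verification failures. The hostnames and certificate dates below are constructed sample data; any real deployment would load its own list of hosts.

```python
"""TLS certificate expiry triage (added example, not from the original article)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape ssl.getpeercert() returns.
# "now" is pinned to the article's date so the sample is reproducible.
NOW = datetime(2019, 1, 14, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "expired.example.net":  {"notBefore": "Jan  1 00:00:00 2018 GMT",
                             "notAfter":  "Jan  5 23:59:59 2019 GMT"},
    "expiring.example.net": {"notBefore": "Jan  1 00:00:00 2018 GMT",
                             "notAfter":  "Feb  1 12:00:00 2019 GMT"},
    "ok.example.net":       {"notBefore": "Jan  1 00:00:00 2018 GMT",
                             "notAfter":  "Jun 30 00:00:00 2019 GMT"},
}


def cert_time(value: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' string OpenSSL emits into a UTC datetime.

    ssl.cert_time_to_seconds handles the space-padded single-digit day.
    """
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def days_remaining(cert: dict, now: datetime = NOW) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    return (cert_time(cert["notAfter"]) - now).days


def classify(cert: dict, now: datetime = NOW, warn_days: int = 30) -> str:
    """Return 'not-yet-valid', 'expired', 'expiring' (within warn_days) or 'ok'."""
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"


def triage(certs: dict, now: datetime = NOW, warn_days: int = 30) -> list:
    """Rank hosts by urgency: least time remaining first."""
    rows = [
        {"host": host,
         "status": classify(cert, now, warn_days),
         "days": days_remaining(cert, now)}
        for host, cert in certs.items()
    ]
    return sorted(rows, key=lambda r: r["days"])


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check with default verification (network access required).

    With verification on, an already-expired certificate makes the handshake
    fail before getpeercert() can run, so the result is reported as
    'verify-failed' with OpenSSL's reason text (e.g. 'certificate has expired')
    rather than as a negative day count.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"host": host, "status": classify(cert, datetime.now(timezone.utc)),
                "days": days_remaining(cert, datetime.now(timezone.utc))}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "verify-failed", "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}


if __name__ == "__main__":
    for row in triage(SAMPLE_CERTS):
        print(f"{row['host']:24} {row['status']:14} {row['days']:>5} days")
```

Run it unattended (a cron job is enough) and alert on anything that is "expiring" or "expired"; the 30-day warning window is an assumption chosen so that a renewal can be scheduled while staff are still available. The triage output for the constructed sample is: expired.example.net expired, expiring.example.net expiring (18 days), ok.example.net ok (167 days).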
Personnel Issues May Not End after Shutdown
There's a big talent deficit in the cybersecurity field around the world. The problem is especially acute in government.
The shutdown will make government cybersecurity jobs even less attractive, according to Congresswoman Robin Kelly, chairwoman of the House Oversight and Reform Committee’s IT subcommittee.
"How can we ever hope to recruit or maintain IT talent when hardworking government workers are told: ‘sorry, you aren’t getting paid, but you still need to come to work’ or ‘sorry, but no paycheck this week because of politics?’" she said in a statement last week.
The government already has a hard time competing on salaries when it comes to recruiting talent, she said. "Instead, we hope that IT workers will see government service as service to their nation and fellow Americans."
"In many cases, agencies are simply incapable of competing against private industry on salary alone," Dave Mihelcic, federal chief technology and strategy officer at Juniper Networks, said. Mihelcic is a former CTO of the US government’s Defense Information Systems Agency.
Even after an offer is made, it can take up to 18 months for new recruits to complete the hiring process and obtain their security clearances, he added.
"The shutdown could be the tipping point for soon-to-be graduates who are pursuing careers in IT and cyber to join the private sector rather than the federal government," he said. "After I graduated from college, I interviewed for several jobs with the federal government, but due to the hiring process, which was incredibly slow, it resulted in a discouraging experience."
"I know a lot of folks who are asking themselves, should I just look for a private sector job?" Insight Engines' Wernick said. "When you have big companies offering you a lot more money, and when things like this happen, you start questioning. You've got to move forward to feed your family."
When the shutdown ends, government agencies will find themselves with fewer cybersecurity workers than they have now. The best people will leave first, Wernick added.
"The people with the most knowledge, the best understanding of your data centers, aren't going to come back from this," he said. "So, you're going from a skeleton crew to a lowest-tier crew. It's going to be a very hard time."
Filling the gaps with outside contractors and services providers may also become more difficult, since they are going to take the biggest financial hit as a result of the partial shutdown. Federal employees eventually got paid for the work time they missed in previous shutdowns, but not government contractors.
"There are a lot of contractors who are never going to be reimbursed for this," Wernick said.
According to David Berteau, president and CEO of the Professional Services Council, there are hundreds of thousands of contractors who work for the government, including on maintaining and modernizing information and data systems.
"Unlike federal civilian employees, no one provides these contractor employees with back pay to cover their lost work," he wrote in a letter to President Trump last week.
The total losses to federal contractors could be more than $200 million a day, based on recent history, according to Bloomberg.
Contractors working for the DHS are hit the hardest, with $19 billion in contracts awarded in 2018.
Leaders Need to Be Educated About Cybersecurity
Cybersecurity needs to be considered a critical function, Wernick said, exempt from future furloughs.
"When it comes to the political leaders, they may not understand cybersecurity enough," he said. "They may not understand the implications that a shutdown like this would have, because they don't understand how fast bad things can happen. If they were more educated about this, they would have made more people exempt from the furlough."