How Has The Government Shutdown Weakened Our Cybersecurity?
Ironically, while trying to shore up gaps in our southern border, we’re opening gaps in our cybersecurity. Because the partial shutdown has cut off payments to government employees, contractors and organizations, we don’t have a fully operational workforce ensuring our cybersecurity.
The longer the shutdown continues, the more we should be concerned. And, because the scope of our nation’s cybersecurity policies and procedures have grown significantly over the past six years, this shutdown is causing an even more significant impact than it did in previous ones.
What’s Not Being Protected?
Federal networks are still being monitored for malicious activity by the technical tools that are already in place. And some workers are still on hand to handle incident response if required.
When the government is fully operational, they assess vulnerabilities in critical infrastructures like the electric grid. But during a government shutdown, if there’s no imminent threat to infrastructure, this isn’t considered an exempt duty, meaning that funds for these things can be cut.
The New CISA Isn’t Getting Off The Ground
Congress recently established the new Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS). And it will take a lot of work to get this up and running.
So, the timing of the shutdown couldn’t be worse. Many deadlines are looming from recently passed cybersecurity legislation. According to the DHS, nearly 40 percent of the CISA’s staff is being furloughed.
NIST Isn’t Fully Operational
NIST is the agency responsible for setting standards, and many corporate teams rely on these to establish baselines for their cybersecurity programs. And, with many of its staff on furlough, NIST will probably miss deadlines for updating these standards.
80% of the staff at the National Institute of Standards and Technology have been furloughed. Fewer than 500 of 3,378 employees are working through the shutdown.
Programs and services that monitor and test for vulnerabilities are suspended or operating at reduced capacity. New standards and security programs are on indefinite hold. If you go to the NIST website and click on these links, you’ll find that they aren’t available:
- The risk management framework.
- Changes to the federal government’s guidelines on security controls.
- Requirements to access controlled unclassified information.
Here’s what you’ll see when you visit the NIST website.
CERT Programs Have Been Affected
85% of the workforce for The National Protection and Programs Directorate has been furloughed. They handle a range of functions like the US-CERT (US – Computer Emergency Readiness Team) Continuous Diagnostics (CDM) and Automated Indicator Sharing (AIS) programs.
DHS Deadlines Are Being Missed
On December 21, 2018, President Trump signed the SECURE Technology Act, which has important cybersecurity provisions expanding the DHS vulnerability remediation program. DHS must accomplish tasks in this new law to strengthen cybersecurity. However, due to the partial shutdown, these deadlines will be missed, and the implementation of important IT security protections will be delayed.
Skilled Cybersecurity Workers May Leave For Private Sector Jobs
There are also worries about recruitment and retention of experienced cybersecurity specialists. After the 2013 shutdown, valuable IT security talent left for the private sector. The best and the brightest in cybersecurity left to seek stability (and often higher paying jobs). Also, experienced candidates were hesitant to accept government jobs.
And, for those whose jobs are exempt, they have to work without the teams they rely on. This makes their jobs must harder to do. According to Andrew Grotto, a former White House cybersecurity adviser for Presidents Obama and Trump and a current employee of Stanford’s Hoover Institution:
“Defending federal networks is already an act of triage, due to personnel shortages, legacy IT overhang, uneven risk management practices and a hostile threat environment. Furloughs make a hard job even harder… What that means as a practical matter is that these people have to do even more than usual.”
Contractors Don’t Have The Supervision They Need
Many contractors who work in cybersecurity aren’t allowed to work without a federal employee to supervise their job. Tasks, like monitoring systems and responding to significant incidents can continue, but jobs, like identifying vulnerabilities and securing IT assets for various departments and agencies (like election security), aren’t exempt and are not being performed.
DHS was going to kick off their annual Cybersecurity and Innovation Showcase, a significant event for helping the government explore research and development of critical next-generation cybersecurity technologies. The event has now been put off indefinitely.
The Danger To Our Cybersecurity Grows With Each Passing Day
Unfortunately, cyber threats don’t operate on Washington’s political timetable. And ensuring cybersecurity is challenging to do even with a full force at work. As you can imagine bad actors and nation states see this as an opportunity.
The negative impact on our IT security is growing with each passing day. Cybersecurity is hard enough with a full team. It’s an uphill battle on a daily basis to keep up with hackers and cybercriminal, never mind staying ahead of them.
Because we’re operating with less than 50% of our cyber workforce, we’re quickly losing ground in the battle against nefarious actors. There are still a lot of federal cybersecurity experts working on “essential” operations (like defending government networks from attacks and keeping confidential documents from being compromised). However, experts believe that trying to thwart bad actors without the necessary workforce puts our data at risk.
The Damage Inflicted From The Shutdown Will Last For Some Time
There are still a lot of federal cybersecurity workers at their posts carrying out what has been deemed “essential” operations, like defending government networks from attacks and keeping confidential documents from being compromised. But in the long run, the damage the shutdown is causing could last a long time.
The shutdown is doing serious damage to our U.S. cybersecurity apparatus, and it will take some time for workers to get it back to running reliably. Even during normal times, the U.S . Cyber defense apparatus is being pushed to the brink by state-sponsored hackers and cyber cells. And now with it weakening, it puts the whole country at higher risk.
Per the Office of Management and Budget in a January 2018 memo offering guidance on a previous government shutdown: “At a minimum, agencies must avoid any threat to the security, confidentiality and integrity of the agency information and information systems maintained by or on behalf of the government… Agencies should maintain appropriate cybersecurity functions across all agency information technology systems, including patch management and security operations center (SOC) and incident response capabilities.”
Even though this sounds good, remember that between 345,000 and 400,000 workers have been furloughed and may not be able to meet these responsibilities. And depending on how long this shutdown continues, we could see a lot of these agencies run out of money and be forced to close down even more of their operations.
Without a doubt, the partial government shutdown is weakening cybersecurity in the U.S. You can blame the Democratic or Republican Party, but what’s for sure is that this is an American problem.
What Should You Do?
You must be extra vigilant with your cybersecurity. Without the federal government cybersecurity operations in full force, this puts your organization at higher risk. Contact your IT provider to conduct risk assessments and to shore up your cyber defenses.
You should do this anyway, even when the government is back in full force. You can’t depend on “Uncle Sam” to take care of your IT assets or protect your data. You’re on your own where cybersecurity is concerned.
For more information or help with your business’s cybersecurity, contact the IT Security Team at Network Heroes. We provide expert computer services and IT network support for organizations in Las Vegas, Summerlin and Henderson, Nevada.
In the meantime, if you liked this article, we have others you’ll find helpful. Check out our Tech Articles. Here are some examples of what you’ll see: