Government Shutdown: Are We Cybersecure?
It’s Day 25. Do you know whether the government is cyber secure?
The government has now been shut down for 25 days. There are 420,000 Federal employees working without a paycheck and another 380,000 furloughed. Countless others are affected through government contracts, and agency services are limited or unavailable. For instance, we've started to hear a lot about airline and airport security. The Transportation Security Administration (TSA) is on the "working but not getting paid" list, with a growing number of agents calling out sick. Checkpoints are being closed and wait times are increasing. There are questions about how many Federal Aviation Administration (FAA) inspectors are working, and the FAA is recalling inspectors. What does this mean for security? As the country is reeling with questions about airline and airport security, is our country cyber secure?
Who’s watching the shop?
Nearly half of the Cybersecurity and Infrastructure Security Agency (CISA), which was recently created to lead the protection of federal systems, is furloughed. And while the remaining skeleton crew is prioritizing the highest-level security concerns, hiring and other functions critical to fulfilling the agency's mission roadmap are completely stalled. And let's not forget that 85% of the National Protection and Programs Directorate (NPPD), which handles a range of functions including the US Computer Emergency Readiness Team (US-CERT), is also furloughed and officially on the sidelines. So who is working and what are they doing? If you do the math per the above, a little over half of CISA and the Office of Intelligence & Analysis are in the office, and a skimpy 15% are staffing the NPPD. Some US government websites have TLS certificates that have expired in the last three weeks, meaning browsers will no longer trust them and visitors are greeted with security warnings (or, on sites that enforce HSTS, blocked outright). It's been reported that more than 80 certificates used by .gov websites have expired and will not be renewed during the shutdown. And while that may not seem like the biggest priority in the world relative to potential nation-state threat actors, it does raise the question: if those things can slip through the cracks, how can we be confident the remaining security pros protecting federal infrastructure have got the other stuff covered?
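Expired certificates are the kind of thing that slips when nobody is watching an inventory. As an added example (not code from the original post or from any agency), here is a small Python check that classifies each certificate in an inventory as expired, expiring soon, or healthy, using the `notAfter` format that Python's `ssl.getpeercert()` returns. The hostnames and dates in `SAMPLE_INVENTORY` are constructed placeholders, the 14-day warning window is an assumption, and `fetch_not_after` is the only part that needs network access.

```python
"""Certificate-expiry check for an inventory of HTTPS endpoints.

Added example, not code from the original post. The inventory below is
constructed sample data; the .gov hostnames are placeholders, not real sites.
"""
import socket
import ssl
from datetime import datetime, timezone

# (hostname, notAfter) pairs. notAfter uses the string format that
# ssl.SSLSocket.getpeercert()["notAfter"] returns. Constructed sample data.
SAMPLE_INVENTORY = [
    ("example-one.gov", "Jan  5 12:00:00 2019 GMT"),    # already expired
    ("example-two.gov", "Jan 20 12:00:00 2019 GMT"),    # expires in 5 days
    ("example-three.gov", "Mar  1 12:00:00 2020 GMT"),  # healthy
]

WARN_DAYS = 14  # assumption: flag anything expiring within two weeks

# "Day 25" of the shutdown, used as the reference time for the sample run.
AS_OF_DAY_25 = datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc)


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (status, days_remaining) for one certificate.

    status is 'expired', 'expiring' or 'ok'; days_remaining is negative
    once the certificate has already lapsed.
    """
    expires_at = ssl.cert_time_to_seconds(not_after)  # epoch seconds, UTC
    remaining = (expires_at - now.timestamp()) / 86400
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def report(inventory, now):
    """Classify every inventory entry; returns {host: (status, days)}."""
    return {host: classify(not_after, now) for host, not_after in inventory}


def fetch_not_after(host, port=443, timeout=5.0):
    """Live check (needs network): read notAfter from a real TLS handshake.

    The default context validates the chain, so a certificate that has
    already expired fails verification before we can read it; surface that
    as an explicit error rather than silently skipping the host.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        raise RuntimeError(f"{host}: verification failed ({exc.verify_message})") from exc


if __name__ == "__main__":
    for host, (status, days) in report(SAMPLE_INVENTORY, AS_OF_DAY_25).items():
        print(f"{host:20} {status:9} {days:+.1f} days")
```

To run this against real hosts, build the inventory with `fetch_not_after` and pass `datetime.now(timezone.utc)` as `now`; a cron job that exits non-zero on any `expired` or `expiring` entry is enough to catch the lapse the post describes before users see a browser warning.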
What does it mean?
We should assume that the staff remaining are steadfastly doing their duty to be on standby for a major cyber incident, although we do need to consider that they've got more on their plates than usual (Congress has at least passed a bill guaranteeing federal workers back pay). But what about the bad guys? In our CEH Training Program, we teach our students to think like a hacker. So, if the US Government is shut down and you're a foreign adversary, what would you be thinking? For starters, we've got a well-staffed, sophisticated, and capable workforce. We may have access to military-grade personnel as well as a network of state-sponsored hackers. Plus we've got the added bonus of significant resources, and work certainly doesn't stop for us because Washington, D.C. is mired in a shutdown. In fact, this is the perfect time for us to take advantage of the situation, burrow in, and wait: gain access to federal networks and infrastructure, clean up our tracks, and move laterally through their networks to find the really useful information and data. When the Chinese infiltrated OPM's networks in March 2014 it took around four months to discover (and the Chinese are some of the noisier state actors). This time between initial intrusion and discovery is known as "dwell time," and a partially staffed security apparatus gives adversaries a pretty good shot at a longer dwell time.
Recruiting and retaining talent
In addition to the immediate risk to our nation's information security and infrastructure, there is also a talent risk. Some of the most affected activities during a shutdown are hiring and contract support. And anyone who's been around the government long enough knows that the US is extremely reliant on contracted expertise. It's incredibly difficult to sustain hiring functions and contract support over this time. Anyone not working is likely reevaluating how valued they really are in their profession (and wondering whether it's worth checking out the private sector, which pays significantly more). And for those who are working without a paycheck, that has to make one wonder about the greener pastures in industry. In short, furloughing any percentage of cyber staff leads to both short-term and long-term vulnerabilities. The bottom line is there isn't any good news for our nation's cybersecurity as we move past day 25 of the shutdown.