Smelling blood, American adversaries began circling like sharks during the 35-day partial government shutdown, and they’re still probing federal systems for vulnerabilities while agencies slowly recover. Much depends on how our leaders respond during the critical weeks ahead. A slow, haphazard, or disorganized recovery could be disastrous.
Our nation’s new federal cybersecurity agency (CISA), created only last November, was one of the agencies defunded during the shutdown. Workers considered essential kept basic operations going (without pay) but activities deemed non-essential ceased, even though most help prevent or detect cyber-attacks. The 45% of CISA workers furloughed during the shutdown are now back on the job, working through a backlog of incidents and missed maintenance events.
The FBI was affected as well. Many FBI cybercrime investigations were slowed or suspended during the shutdown. After a shorter government shutdown in 2014, it took the FBI cyber division months to resume processing cases at normal speed. 2019 is expected to be worse.
Nation states including Russia, China, Iran, and others are seemingly taking advantage of the situation. One federal agency manager told the Washington Post that during the shutdown there was “an uptick in attacks on his agency -- including phishing emails containing malware, attempts to reset employee passwords and attempts to trick users into downloading malicious software cloaked as a legitimate update.” The Post article went on to say “it will take them days or weeks to pore through security logs to assess how much damage the shutdown did to the security of government computer networks and the sensitive data they hold.”
Compounding the problem, HTTPS digital certificates on scores of federal web sites, including DOJ and NASA, expired and couldn’t be replaced due to the shutdown, making sites insecure or inaccessible to most browsers, and creating opportunities for phishers to direct users to fake web sites.
Beyond these immediate threats, the shutdown may also trigger an exodus of critical cybersecurity staff. A senior FBI agent warned that “the talent drain after [the shutdown] will cost us five years. Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting.”
Grant Wernick, CEO of security firm Insight Engines, predicted that "the people with the most knowledge, the best understanding of your data centers, aren't going to come back from this. So, you're going from a skeleton crew to a lowest-tier crew.”
Recruiting new cybersecurity talent will get harder too. It was already a critical problem before the shutdown, as documented in a recent GAO report “Cybersecurity Workforce: Urgent Need for DHS to Take Action”. Knowing more shutdowns may occur in future, workers are hesitant to take government jobs, especially in cybersecurity where hiring competition is fierce and private companies pay more.
The most immediate threat may be unpatched systems. IT staff who patch and maintain federal systems were furloughed at most agencies during the shutdown. As they return, they face a daunting backlog. Meanwhile every unpatched server, desktop, or router is potentially vulnerable to attack. Attacks that occurred during the shutdown may not be detected until after the fact, if ever.
“During a government shutdown, infrastructure is sitting unpatched and alerts are going uninvestigated,” security threat analyst Andy Norton pointed out. “Government shutdowns tend to affect support activities disproportionately,” agreed Obama cybersecurity adviser Michael Daniel.
President Trump eliminated the White House cybersecurity adviser position, so someone else must step up now to lead the post-shutdown recovery, setting priorities so overwhelmed staff can triage backlogged incidents and schedule overdue maintenance, while also moving swiftly to retain talent before more people leave for steadier private sector work. Google doesn’t have shutdowns.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.