Cybersecurity feels shutdown pinch

The Department of Homeland Security was among the agencies affected by the funding lapse that began at the end of 2018 and is now extending into 2019, resulting in almost 400,000 government worker furloughs and approximately the same number working without pay.

The Department of Commerce — another department with a large cyber portfolio — has had to send most of its employees home. Agencies with cyber oversight and consumer protection responsibilities, such as the Federal Trade Commission, have largely ceased functioning.

“The shutdown is a major distraction for the entire cybersecurity ecosystem,” Howard said.

Michael Daniel, the former White House cybersecurity coordinator who now leads the Cyber Threat Alliance, a group that promotes cyber information sharing and best practices, says the effects of the shutdown have been substantial, especially in the area of personnel.

“Recruiting new cyber employees is always hard for the government, due to the pay differential,” Daniel said.

There are about 350,000 cybersecurity job openings in the United States, according to CyberSeek, a project supported by the government’s National Initiative for Cybersecurity Education. The intense competition for cyber workers has been a long-running concern for federal authorities worried about their ability to attract and keep talent.

“The shutdown certainly deters some people from even considering working for the government,” Daniel said. “Even when it’s done, the specter of the shutdown will linger as a deterrent for people considering whether to take a government cybersecurity position.”

“Shutdowns tend to affect support activities disproportionately, such as hiring or letting contracts,” he said. “Thus, over time, personnel slots will go unfilled and contracts will expire, making it difficult to sustain the workforce or upgrade equipment.”

In the immediate term, Daniel said, “personnel performing vital cybersecurity functions such as defending networks, working with the private sector to investigate intrusions, or projecting power through cyberspace, are usually deemed ‘exempt,’ so that work will continue.”

However, “like so many areas across the government, over time, a shutdown will steadily erode the federal government’s cybersecurity readiness.”

“New policy work is essentially frozen, so needed changes or updates to existing policies will not occur, nor will the government develop policies to address new areas,” Daniel warned. “Agencies will have a harder time keeping up with patching and routine cyber hygiene activities, due to the limited number of exempt employees.”

“The government depends heavily on contract labor for the day-to-day cybersecurity hygiene tasks, such as patching and auditing,” Kudelski’s Howard added. “During a shutdown, these contractors are typically sent home and their critical cybersecurity responsibilities fall to the remaining government employees, who are already overloaded. You can imagine scenarios where hundreds of systems, managed by tens of contractors, are now the responsibility of a handful of government employees.”

Catching up promises to be a long, difficult process.

Jamie Brown, the director of government affairs at security firm Tenable, said that “pain” from the shutdown would be felt in delays to collaborative processes between government and industry, even though “in terms of essential employees, the government is well-prepared to respond to cyber incidents.”

In July of last year, a cybersecurity summit hosted by DHS and keynoted by Vice President Mike Pence — a sign of the administration’s commitment to collaboration with industry on cybersecurity — resulted in important agreements to begin work on supply-chain security and other areas of cyber risk. Much of that work, still in its formative stages, was halted by the shutdown.

“The momentum since the July 31 summit could be lost as the shutdown goes on,” Brown said. “These are areas where we’re trying to be proactive, to prevent attacks. We’re not at a tipping point yet.”

Compared to years past, Brown said, “there’s a much greater understanding in industry that cyber risk management is very important,” meaning the businesses are more likely to have taken steps to secure themselves regardless of whether the government was fully functioning.

However, “guidance from the National Risk Management Center and the Tri-Sector” — a new DHS cybersecurity initiative composed of representatives from the electricity, finance, and communications sectors — “is being delayed. Those are things that help them be better prepared to prevent attacks. Best practices won’t be filtered out as quickly.”

Another problem, Brown said, “is the threat is getting more dangerous, too.”

Howard noted that one of the points of the July DHS summit was that “the government has an important role in highlighting the need for a risk-management approach.” The National Institute of Standards and Technology, or NIST, an agency within the Department of Commerce, released a new cybersecurity framework in April 2018, for example. “There are better tools available now than there were a few years ago … but we need to keep moving forward.”

Another former government official now in the private sector said the shutdown proves the wisdom of warnings he has issued since 2016. Ernest McDuffie, of the cyber consulting firm Global McDuffie Group, is a former NIST computer scientist who led the federal government’s National Initiative for Cybersecurity Education under the Obama administration.

“For the past two years, I have advised my clients to minimize their dependency on federal government resources because of the clear chaos represented by the current administration,” McDuffie said. “From past experience, both inside the intelligence community and private sector operations, I’m more than certain there is negative significant impact on all operations due to the government shutdown.”