The repercussions of the government shutdown are being analyzed by many through a political lens – this very important discussion has been focused on what a shutdown will mean for partisans, what jobs are being lost, and how this will affect healthcare. I’d like to offer another discussion point – national security, or more specifically, cybersecurity.
Our federal government may have shut down, but the bad actors that target us have not. For them, the reduction in IT staffing, even temporarily, is a rare opportunity to probe for unmonitored weak spots, and possibly penetrate our systems. The longer the shutdown lasted, the more opportunity they would have. With workers and civilian contractors furloughed, those remaining employees were stretched to the limit and were forced to concentrate on the most mission critical IT demands. Pick almost any federal agency’s website, like the U.S. Department of Agriculture, where visitors were greeted by the terse statement, “Due to the lapse in federal government funding, this website is not available.” If you needed support, even basic information, you were out of luck. Same for contractors who follow security bulletins from government agencies that point out active threats. If information sharing is not happening, there is no way to know what sort of malware might be lurking.
One recent news report included comments from a furloughed NASA cybersecurity specialist who noted that he’s normally fighting cybercriminals online every day, but when he sits at home while out of work, cyber-terrorists could be “looking to poke holes in [our] defenses.” In the news clip, the NASA cybersecurity specialist also said he’s been contacted by five Silicon Valley companies with possible job offers. At a time when cybersecurity expertise is at a premium, a prolonged government shutdown could force some of the government’s top cybersecurity talent to leave for private sector jobs, or seek opportunities with those attempting to illegally penetrate the US’s cyber defenses, even more troubling byproducts of the current shutdown.
Of course, the continual threat of massive cyber-attacks predates the government shutdown. Just within the last couple of months alone, politicians and other officials have warned that the U.S. would be a big cyber target if it attacked Syria.
The ultimate irony of this whole situation is that October is National Cybersecurity Awareness Month. In fact, last week’s (Oct. 15-18) focus was supposed to be on the cyber workforce and next generation of cyber leaders.
That’s not to say that the doors are unlocked, but even the perception that they are can be dangerous. Neither the Office of Personnel Management nor the Office of Management and Budget offered guidance on how IT personnel would be deployed in the event of a shutdown according to media reports. There are simply too many places for a mistake to be made without adequate manpower or a plan for deploying limited staff. The federal government and the private sector’s reliance on IT and knowledgeable staff is one stark difference between this shutdown and the 1995 shutdown. It’s very possible that cyber-attackers view the shutdown as a sign of weakness and become more aggressive in their attacks.
It isn’t just IT staff on the front lines that are being affected – the big picture is being lost as well. Critical projects underway at the National Institute of Standards and Technology (NIST) were also being delayed. NIST has been working on President Obama’s Cyber Security Framework, a blueprint of IT security best practices for privately-owned critical infrastructure operators. The White House missed its Oct. 10 deadline for the first draft of the framework.
Delays in the framework will mean delays in any potential cyber security legislation. Pundits are speculating that Congress will not act on any cyber security legislation until 2014 – but just as with the shutdown, the cyber attackers are not waiting. Cyber security needs to be taken seriously before a major attack is in the headlines, and when we delay preparations and deem staff non-essential, we make ourselves a target.