The government may shut down, but cybercriminals do not

Oct. 21, 2013
The continual threat of massive cyber-attacks predates the government shutdown

The repercussions of the government shutdown are being analyzed by many through a political lens – this very important discussion has been focused on what a shutdown will mean for partisans, what jobs are being lost, and how this will affect healthcare. I’d like to offer another discussion point – national security, or more specifically, cybersecurity.

Our federal government may have shut down, but the bad actors that target us have not. For them, the reduction in IT staffing, even temporarily, is a rare opportunity to probe for unmonitored weak spots, and possibly penetrate our systems. The longer the shutdown lasted, the more opportunity they would have. With workers and civilian contractors furloughed, those remaining employees were stretched to the limit and were forced to concentrate on the most mission-critical IT demands. Pick almost any federal agency’s website, like the U.S. Department of Agriculture, where visitors were greeted by the terse statement, “Due to the lapse in federal government funding, this website is not available.” If you needed support, even basic information, you were out of luck. Same for contractors who follow security bulletins from government agencies that point out active threats. If information sharing is not happening, there is no way to know what sort of malware might be lurking.

One recent news report included comments from a furloughed NASA cybersecurity specialist who noted that he’s normally fighting cybercriminals online every day, but when he sits at home while out of work, cyber-terrorists could be “looking to poke holes in [our] defenses.” In the news clip, the NASA cybersecurity specialist also said he’s been contacted by five Silicon Valley companies with possible job offers. At a time when cybersecurity expertise is at a premium, a prolonged government shutdown could force some of the government’s top cybersecurity talent to leave for private-sector jobs or to seek opportunities with those attempting to illegally penetrate the US’s cyber defenses; either would be an even more troubling byproduct of the current shutdown.

Of course, the continual threat of massive cyber-attacks predates the government shutdown. Just within the last couple of months alone, politicians and other officials have warned that the U.S. would be a big cyber target if it attacked Syria.

The ultimate irony of this whole situation is that October is National Cybersecurity Awareness Month. In fact, last week’s (Oct. 15-18) focus was supposed to be on the cyber workforce and next generation of cyber leaders.

That’s not to say that the doors are unlocked, but even the perception that they are can be dangerous. Neither the Office of Personnel Management nor the Office of Management and Budget offered guidance on how IT personnel would be deployed in the event of a shutdown, according to media reports. There are simply too many places for a mistake to be made without adequate manpower or a plan for deploying limited staff. The federal government and the private sector’s reliance on IT and knowledgeable staff is one stark difference between this shutdown and the 1995 shutdown. It’s very possible that cyber-attackers view the shutdown as a sign of weakness and become more aggressive in their attacks.

It isn’t just IT staff on the front lines that are being affected – the big picture is being lost as well. Critical projects underway at the National Institute of Standards and Technology (NIST) were also being delayed. NIST has been working on President Obama’s Cyber Security Framework, a blueprint of IT security best practices for privately-owned critical infrastructure operators. The White House missed its Oct. 10 deadline for the first draft of the framework.

Delays in the framework will mean delays in any potential cyber security legislation. Pundits are speculating that Congress will not act on any cyber security legislation until 2014 – but just as with the shutdown, the cyber attackers are not waiting. Cyber security needs to be taken seriously before a major attack is in the headlines, and when we delay preparations and deem staff non-essential, we make ourselves a target.

Today’s threat landscape is much different than even a few years ago, when malware and viruses were created by “cyberpunks,” college kids looking to play pranks against unsuspecting companies. Those viruses annoyed us, maybe they slowed down our productivity, but they didn’t make us afraid and they didn’t threaten something that was pertinent to us: our business, our customer data, our government-held personal data, our national secrets. Today, cartels of cybercriminals and foreign-backed cyber-espionage agents are looking to steal our intellectual property and secrets and to damage our reputation and economic position.

Moreover, if there’s one thing we’ve learned in the cybersecurity world, it’s that these criminals won’t always go the direct route to their target. They’ll try to sneak in the back door, through a vulnerability in the network of a customer, a supplier or a business partner. And it won’t always be a technology vulnerability. Today’s threat artists recognize that the most likely way to enter a network isn’t through a gap in technology, but by leveraging the most unpredictable factor of all: human behavior, as in employees who might open the wrong e-mail, hit the wrong website or attach the wrong USB drive. This is called “social engineering.”

It would behoove security officers in the private sector to keep a closer eye on their own systems for the time being. Now is a good time to remind employees about security best practices, and encourage them to say something if they see something out of the ordinary.

While the government may not be functioning at 100 percent, we would all be wise to raise our own level of awareness.

About the Author:

Julian Waits serves as president and chief executive officer for ThreatTrack Security, guiding the company’s growth as it traverses the enterprise security market with sophisticated threat analysis, awareness and defense solutions that combat Advanced Persistent Threats (APTs), targeted attacks, zero-day threats and other sophisticated malware. He has more than 20 years of experience at all levels of IT, from network engineer to Sales VP and previous roles as CEO, when he led Brabeion Software Corporation, maker of IT governance, risk, and compliance software, and Way2Market360 LLC., a startup accelerator.