How Government Shutdown Leaves Cybersecurity Defenses Exposed

A former hacker explains how shutdowns don’t stop adversaries but instead create conditions that weaken oversight and increase opportunities for cyberattacks across critical infrastructure.
Oct. 22, 2025

Key Highlights

  • Federal shutdowns reduce staffing and oversight, slowing cyber response efforts and extending attacker dwell times.

  • Disruptions to CISA and the CVE program can hinder vulnerability tracking and information sharing across critical sectors.

  • Organizations can mitigate risk by reinforcing fundamentals such as incident response planning, access controls, and vendor continuity.

Adversaries don’t play by the rules, and when government operations shut down, threat actors don’t follow suit. Instead, they shuffle the deck in their favor and seem to have all the trump cards to themselves.

Cybersecurity is considered an essential function by many organizations, especially across critical sectors and government entities. The reality is that the federal shutdown will diminish oversight, slow coordination of federally backed cyber response resources, and amplify uncertainty for many of them.

With the shutdown continually being extended, this uncertainty doesn’t just create gaps in coverage, coordination and funding for the federal sector; it reshuffles the entire deck of playing cards, and every unknown is a wild card being stacked in the attacker’s favor. It’s a prime opportunity to exploit confusion and uncertainty to penetrate defenses more successfully.

Fewer eyes & longer dwell times

We’re already seeing clear impacts on critical operations that support our national cyber defense strategies. Federal Security Operations Centers (SOCs) and Computer Emergency Response Teams (CERTs) are operating with fewer staff, which will slow incident response and allow adversaries to persist for longer periods without detection.

One of the most concerning issues is the effect on the Cybersecurity and Infrastructure Security Agency (CISA) and its programs, which millions of federal, state, local and private-sector organizations rely on for vulnerability exposure information and timely threat intelligence. Furloughs affected about 60% of CISA’s workforce, and when compounded with the uncertainties over the last year regarding funding for the Common Vulnerabilities and Exposures (CVE) program, this will have ripple effects across our nation.

The CVE program is how organizations, including CISA, track, prioritize and patch vulnerabilities; CISA uses it to send notifications to critical infrastructure sectors with guidance and requirements to secure their systems against new and emerging threats. It’s a central part of how cybersecurity professionals in all domains work together against a common set of threats.

These gaps don’t just impact federal systems or entities; they trickle down to state, local and other critical infrastructure sectors. Domains of incredible importance, including energy, healthcare, finance, transportation, manufacturing and utilities, are all directly impacted. When these information sharing services slow or shut down, essential services and industries become softer targets and more vulnerable to opportunistic adversaries. Security professionals are left outnumbered, without key defense information and alone to solve problems for themselves.

Additionally, the Internal Revenue Service (IRS) has furloughed almost half of its workers. From a cybersecurity perspective, this significantly increases every citizen’s attack surface. With the deadlines for extensions approaching and many not having completed their filings, identity theft and fraudulent tax filings will rise as threat actors take advantage of the anxiety surrounding these ramifications.

This will include phishing campaigns, fraudulent refund notices or fake IRS portals designed to steal personal information. These are ideal conditions for identity theft.

An attacker’s playbook

Adversaries weaponize fear and use urgency to confuse and distract targets to their advantage. It’s tried-and-true tradecraft: when uncertainty rises, people respond emotionally in search of stability. Timely events, especially prolonged ones like this shutdown, are an adversary's perfect playground. Anxiety is high, communication channels are disrupted or completely broken, and this increases the realism of any attack.

As you might expect, phishing and identity theft campaigns will be the leading initial access vectors. Threat actors are already using the shutdown to impersonate HR, payroll and benefits systems with message lures akin to “Furlough Confirmation/Updates” or “Action Required to Maintain Federal Benefits.”

These lures will primarily target furloughed workers because they will need to navigate multiple portals and a mix of both official and unofficial communications. To make these even more realistic, threat actors will use lookalike domains, MFA bypass techniques and even coordinated vishing calls to make them more convincing. Tie this realism to emotional anxiety, and it’s a recipe for disaster from a defender’s standpoint.

Federal contractors and third-party vendors are also in scope for threat actors. These targets represent a hidden entry point, as many hold VPN credentials or elevated access to sensitive networks or systems to complete their projects. As this shutdown continues to delay payments for project work or pause work entirely, smaller vendors may be forced to make drastic changes to continue operating; unfortunately, this often starts with a reduction in cybersecurity investment, which weakens defenses and enlarges attack surfaces.

History has shown many times that attackers find success targeting smaller entities as stepping-stones into more protected networks, and there is no reason to expect them to change now.

Nation-state threat actors see these shutdowns as a significant opportunity to achieve mission success in multiple ways. They test defenses to gain valuable information for current or future attacks and leverage undetected footholds from previous attacks to compromise networks further.

As uncertainty continues in Washington, these threat actor groups will likely combine shutdown-related themes with ongoing geopolitical tensions to drive disinformation, create targeted propaganda using synthetic audio and video generated with artificial intelligence (AI), and use social media as their distribution infrastructure. These synthetic media clips will blend truth and fiction, amplifying distrust and further distracting defenders and citizens from the threats that are happening behind the scenes.

From an attacker’s perspective, this period isn’t about speed, but rather about calculated moves to set the stage for future and more coordinated attacks.

Controlling the uncontrollable

We can’t control the length of the shutdown, the political conversations surrounding it, or the geopolitical tensions. Our best bet to stay resilient is to control what’s within our sphere of influence. Focus on the fundamentals, the basic “blocking and tackling” during this time of uncertainty.

  • Review and practice your incident response plan: Focus your efforts on identifying gaps that might exist due to delays in surge response from federal support.

  • Double down on your identity and access controls: Ensure MFA is enabled for all privileged accounts and focus your detection efforts on login activity and anomalous user behavior.

  • Verify and protect backups: Make sure you have a clean and sound backup, and that you have proper protections in place so it cannot be corrupted in the event of a ransomware attack.

  • Refresh security awareness training: Adjust awareness training for phishing and other threats to be more frequent during these times of uncertainty and encourage reporting of anything that looks suspicious.

  • Validate vendor continuity plans: Ask vendors how they are adapting to this time of uncertainty and what their plans are to stay resilient.
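The shutdown-themed lures described in the attacker’s playbook above, and the “report anything suspicious” guidance in the awareness bullet, can be backed by a simple mail-triage heuristic. The script below is an added example, not code from the author or from ProCircular; the trusted sender domains and the sample messages are constructed assumptions, and it flags a message only when a lure subject arrives from an untrusted or lookalike domain, since a genuine HR team also sends furlough notices.

```python
"""Triage heuristic for shutdown-themed phishing lures (constructed sample data)."""
import re
from difflib import SequenceMatcher

# Assumed genuine HR/payroll sender domains for the organisation (not from the article).
TRUSTED_DOMAINS = {"agency.gov", "payroll.agency.gov"}

# Lure themes the article describes: furlough/benefits notices and fake IRS refunds.
LURE_PATTERNS = [
    r"furlough\s+(confirmation|update)",
    r"action\s+required.*benefits",
    r"(irs|refund)\s+(notice|portal)",
]

def _normalize(domain):
    # Strip dots and hyphens so "agency-gov.com" is compared against "agencygov".
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain that `domain` imitates, or None when the
    domain is genuinely trusted or not similar enough to count as a lookalike."""
    if domain.lower() in trusted:
        return None
    norm = _normalize(domain)
    best = max(trusted, key=lambda t: SequenceMatcher(None, norm, _normalize(t)).ratio())
    return best if SequenceMatcher(None, norm, _normalize(best)).ratio() >= threshold else None

def triage(msg):
    """Score one message dict with 'from' and 'subject' keys. A lure subject on its
    own is not enough; the sender must also be untrusted or a lookalike to be flagged."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    reasons = []
    if any(re.search(p, msg["subject"], re.I) for p in LURE_PATTERNS):
        reasons.append("shutdown-themed lure subject")
    target = lookalike_of(domain)
    if target:
        reasons.append(f"sender domain resembles {target}")
    elif domain not in TRUSTED_DOMAINS:
        reasons.append("sender domain not on trusted list")
    flagged = "shutdown-themed lure subject" in reasons and len(reasons) > 1
    return {"subject": msg["subject"], "flagged": flagged, "reasons": reasons}

SAMPLE_MESSAGES = [  # constructed examples, not real captures
    {"from": "hr@agency.gov", "subject": "Furlough Confirmation/Updates"},
    {"from": "hr-benefits@agency-gov.com", "subject": "Action Required to Maintain Federal Benefits"},
    {"from": "refunds@secure-irs-portal.com", "subject": "Your IRS refund notice is ready"},
]

if __name__ == "__main__":
    for result in map(triage, SAMPLE_MESSAGES):
        print(result)
```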

With all the uncertainty the shutdown brings, one thing is clear: cybersecurity can’t pause. Adversaries don’t take time off, and they certainly don’t wait until everyone has a fair chance. Each day of the shutdown only increases exposure. While these political impasses continue, take this time to shore up the basics. These steps won’t remove the risk, but they will reduce your attack surface and improve your chance of detecting problems early.

In a card game where the attackers hold wild cards, your best move is to master the hand you’ve been dealt and never forget that the dealer is not on your team.

About the Author

Brandon Potter

CTO

Brandon Potter, Chief Technology Officer at ProCircular, has more than 20 years of IT experience, including over a decade in cybersecurity. A former ethical hacker, he leads ProCircular’s red, blue and purple teams, guiding strategies that strengthen organizational defenses and align security initiatives with business objectives and compliance needs.
