The partial government shutdown may be making some key federal departments and agencies running with skeletal staffs more vulnerable to cybersecurity breaches, experts said.
Meanwhile, the House Homeland Security Committee, which oversees the Department of Homeland Security, said it remains in the dark about how the shutdown has affected the department’s mission to safeguard critical infrastructure from cyberattacks.
“With so many cyber activities reliant on highly skilled contractors required to augment government personnel, government shutdowns significantly degrade the ability of the government function to meet all of their cyber mission requirements,” said Greg Touhill, president of Cyxtera Federal, a company that provides cybersecurity services to the federal government.
He cited security operations, software patching and penetration testing as “essential functions” deferred because of the shutdown.
Even when federal departments designate security operations centers as critical during a shutdown, “they still have gaps covering mission-essential tasks, and many of the smaller agencies affected by the shutdown are unable to maintain the full 24×7 watch coverage,” said Touhill, a retired U.S. Air Force officer who served as the first U.S. federal chief information security officer in 2016.
Departments and agencies affected by the shutdown include the departments of State, Homeland Security, Agriculture, Commerce, and Housing and Urban Development, as well as the Environmental Protection Agency, the Internal Revenue Service, the National Institute of Standards and Technology, and the National Park Service.
Many of those are on the “hit-list for hackers, organizations that specialize in high-end security intrusions, and nation-state actors,” said Tom Gann, chief of public policy at security research firm McAfee.
Cybersecurity at these agencies and departments could be degraded because lower-level government employees who bear the brunt of the shutdown often are on the front lines of basic computer security monitoring work, Gann said. A significant part of cybersecurity work at agencies is performed by contractor employees who are also off because they are not getting paid while the government is shut down, Gann said.
Absent employees could mean that agency computers go without needed security updates and lack the ability to detect network intrusions in a timely manner. “The first 24 hours between a hack and detection is vital,” Gann said. The sooner a hack is discovered, the easier it is to prevent damage from spreading, whereas “the longer a hack persists, the deeper it can infect,” he said.
Cyxtera’s Touhill said that during the closure, “skilled people qualified to respond to the alerts/alarms may not be in place or even available due to the shutdown.”
Nation-state hackers could also gain insight into which U.S. computer networks are considered vital and therefore functioning during the shutdown by comparing that picture with all the networks that are seen to be working during normal times, Gann said. “A foreign intelligence organization can deduce from that who matters and who doesn’t,” he said.
The House Homeland Security Committee, led by Democratic Rep. Bennie Thompson of Mississippi, said the panel is concerned about the Cybersecurity and Infrastructure Security Agency of the DHS running with significantly fewer staff. DHS has said the shutdown meant that only 57 percent of the agency’s staff would be working.
The agency “is charged with performing risk and vulnerability assessments for the federal government and critical infrastructure owners and operators, including state and local election agencies,” a committee aide said. “We don’t know if those activities have been suspended or delayed.”
Operators of critical infrastructure sectors including financial systems, the power grid, water systems, health care systems and transportation networks rely on information from the DHS agency to protect their computer networks, and “we don’t know if these activities have been suspended or slowed because of the shutdown,” the aide said.
But the U.S. Computer Emergency Response Team, or CERT, which operates under DHS and sends out cybersecurity warnings to critical infrastructure sectors, appeared to be functioning and was sending out security alerts Tuesday.
Emails to DHS officials seeking comment bounced back with automated responses saying they were not working because of the shutdown.
The skeletal cadre of government employees across different agencies who are working jobs considered critical for cybersecurity efforts may be exhausted by the additional work burden, reducing their effectiveness, said Ron Bushar, vice president at FireEye, a threat intelligence research company.
But cybersecurity professionals watching for threats in operation centers, counterintuitively, could be operating in a quieter environment with fewer federal employees using their computers in their networks, said Bushar, who previously served as an assistant director for cybersecurity at the Justice Department.
With fewer federal workers, the signal-to-noise ratio is lower, whereas with a full complement of employees, “there’s more noise and a bigger attack surface” for hackers looking to exploit networks by targeting individuals, Bushar said.
A prolonged government closure could disrupt broader cybersecurity policy efforts, said Ari Schwartz, managing director of cybersecurity services at the law firm Venable LLP.
The public-private partnership between government entities such as NIST, which formulates cyber standards, and private companies is essential to securing computer networks around the country and could be hurt as the shutdown drags on, Schwartz said. He also leads the Coalition for Cybersecurity Policy and Law, a group of companies that educates policy makers on cybersecurity matters.
Delays to long-term policy efforts could be recovered if the shutdown lasted only a couple of weeks, but longer closures could “overwhelm the system and set back public-private partnerships by quite a long time,” Schwartz said. “Each month of closure is probably magnified by two months” of delays and setbacks, he said.