As the US Government shutdown enters its fifth week, the nation is increasingly feeling the pinch. It was reported over the weekend that 10% of TSA workers, who haven’t been paid in over thirty days, didn’t report to work. That caused increased waiting times at airports and very real concerns over the safety of air travel.
A negative effect of the shutdown that has largely gone unnoticed, however, is the threat it poses to the nation’s cybersecurity. Like any other organization, the government has data systems that need constant monitoring and protection. The government’s systems, however, differ from private and business systems in their scale, heterogeneity, and concentration of personally identifiable information. These characteristics make government data systems even more difficult to monitor and protect, and they make lapses in their cybersecurity even more consequential. While cybersecurity is enough of a priority to spare some of the personnel from the shutdown, the size and importance of the responsibility suggest that it shouldn’t be handled by a skeleton staff for very long.
A number of serious cybersecurity issues stem from this prolonged shutdown, some of which are described here. These include the backlog of incidents that will have to be investigated once the cyber teams return to full force, the likely need to reset passwords en masse for returning employees who forget them after the long absence, and the potentially negative impact on recruiting for positions that are already difficult to fill.
Surely, the shutdown also affects a wide range of businesses and organizations, including those that operate critical infrastructure. These organizations look to the US Government for guidance and compliance auditing as they protect their systems according to nationally published frameworks like NIST and CIP. Without the guidance and oversight the federal government provides, these organizations must temporarily operate as if these important controls and rules of the road didn’t exist. While performing their duties per the status quo for a while will likely suffice, this situation cannot continue indefinitely. The systems constantly change, the people who maintain them come and go, and the attacks against them never stop.
Not that there ever is a good time for a work stoppage, but this shutdown is occurring at a very inopportune time for our government’s cyber defenses. A study last year by the White House and the Department of Homeland Security revealed that 71 of 96 federal agencies had cybersecurity systems that were described as at risk or at high risk. This woeful condition persists despite the occurrence of several high-profile and especially damaging hacks against government data systems, including, perhaps most notably, the attack against the Office of Personnel Management (OPM) in 2015.
Certainly, there is no reason to expect hackers to take it easy on us while the government is shut down. Quite to the contrary, this is an ideal time for them to ramp up their efforts. Our nation’s systems are constantly under attack. The interactive Norse Map, which has since ceased operation but used to provide a reliable real-time map of attacks, always displayed a fascinating but frightening picture of just how besieged the United States is as a cyber target. When you attach numbers to those visuals, including, for example, the fact that the Pentagon thwarts 36 million attacks against email every day, you can’t help but become alarmed.
With systems so in need of attention and improvement, with so much personal information at stake, and with so many critical operations depending on government guidance and oversight, the US Government’s cybersecurity force cannot afford a reduction in staff, and especially an historically lengthy one like the present. While this shutdown presumably centers on funding for a physical wall, the virtual wall of our cyber defenses clearly is at risk of crumbling.