TWO WEEKS OUT from the longest government shutdown in United States history—and with the possibility of another still looming—government employees are still scrambling to mitigate impacts on federal cybersecurity defenses. And the stakes are high.
Furloughed cybersecurity employees returned to expired software licenses and web encryption certificates, colleagues burned out from working on skeleton crews, and weeks-worth of unanalyzed network activity logs. The job was already hard enough without having to play catch-up.
“There’s tension in the air,” says Chris Kennedy, chief information security officer at the network security firm RiskIQ who spent more than 10 years as a federal security contractor for agencies like the Treasury, Department of Commerce and US Marines Corps. “As an incident responder, you just found activity that took place three weeks ago, and now you have to quarantine and clean up and fix it when three weeks of damage has already been done. The work is harder and more chaotic and maybe your toolset doesn’t work because a license is expired plus maybe people’s security clearances have expired. All of those things are adding together.”
Even before the shutdown, the federal government was not known for a robust, consistent security posture. In a May report, the White House’s Office of Management and Budget found that 74 percent of federal agencies are in urgent need of digital defense improvements. More than half don’t have the ability to catalog the software that runs on their systems, and only about 25 percent of agencies confirmed to OMB that they are prepared to identify and thoroughly assess signs of data breaches.
The effects of the shutdown extend even to agencies that were funded throughout, like the military and intelligence community, thanks to interdependencies and network connections between agencies.
One of the few public-facing impacts of the shutdown was that web encryption certificates for numerous federal websites expired during the weeks of pause. This meant that people trying to access the sites, like NASA’s rocket testing portal, may have gotten warnings from their browsers that the pages were unsafe. Other sites became completely inaccessible.
A bigger concern, though, is that the shutdown’s true impact will take time to reckon with fully. Last week, Minnesota senator Amy Klobuchar and five of her colleagues sent a letter to the Department of Homeland Security and the NSA with questions about how federal cybersecurity posture fared during the shutdown. “Experts have warned that our reduced capacity for cybersecurity during shutdowns provides an opportunity for adversaries and cybercriminals,” the senators wrote. “We are concerned that these circumstances have left our government and citizens vulnerable to cyberattacks.” DHS and the NSA have not yet responded to the senators’ questions.
Digital threats, particularly those from nation state hackers, are not just a theoretical concern for the federal government. China, Iran, North Korea, and Russia all have active espionage and offensive hacking capabilities and many were ramping up their activity in the last year anyway, before the federal shutdown potentially created an opportunity for unchecked probing and intrusion. Such a prolonged stretch of reduced oversight would be virtually irresistible to foreign adversaries.
The shutdown also undermined the government’s reputation as a stable and reliable employer—a crucial issue given the general dearth of qualified cybersecurity personnel nationwide and the ongoing difficulty of competing with private sector jobs. Security professionals say that the shutdown was a prime recruiting season for private firms, and that many government employees and contractors left or plan to leave for other positions. New federal employment numbers haven’t been released yet.
“Government employees have been busier than ever,” says Carlos Perez, head of research and development at the IT security firm TrustedSec. “Many are leaving so far.”
RiskIQ’s Kennedy notes that the shutdown could also become a sort of black hole of accountability for cybersecurity incidents that began before, during, or even months after the break—a disturbing idea given ongoing issues with holding agencies to account for cybersecurity lapses.
The only potential silver lining? The risk management firm SecurityScorecard suggests that threats like spearphishing may have been less effective during the shutdown, since furloughed employees literally weren’t in the office to check their email.
Though government employees and contractors who were furloughed have now spent more than two weeks rebuilding from the shutdown, it will be months or even years before the full toll of the incident is understood. And if another shutdown comes next week, count on erasing whatever little progress has been made.