The shutdown of the U.S. federal government on October 1, 2013 has resulted in the sudden rollback of IT services across many of its departments. As agencies furlough employees and make do with severely limited resources, cyber security diligence has perhaps understandably taken a back seat to budgetary considerations, and it may remain in a holding pattern until Congress restores discretionary spending levels to pre-October levels. However, during that time, the government’s highly interwoven IT infrastructure could become much more vulnerable to opportunistic attacks.
Shutdown leaves behind only IT skeleton crews
Despite warnings from prominent security officials like U.S. federal government CIO Steven VanRoekel, most of Washington’s cybersecurity assets during the shutdown are being managed by skeleton crews, which may be ill-equipped to deal with the large volume of attacks on the public sector. While the Department of Homeland Security has been able to retain staff trained in cyberattack response, other outfits must wrestle with the prospects of unpredictable agency-by-agency rollbacks.
“I worry about cybersecurity in the midst of a shutdown,” VanRoekel told The Wall Street Journal. “If I was a wrongdoer looking for an opportunity, I would contemplate poking at infrastructure when there are fewer people looking at it.”
Given the importance of information sharing to attack detection and response, the shutdown has severed vital connections between security professionals, making it more difficult to contain advanced attacks. Speaking to Nextgov, Tripwire’s Lamar Bailey argued that the shutdown would make it difficult for the government to respond to zero-day threats or state-sponsored attacks. In light of recent incidents like the Internet Explorer zero-day exploits and the Syrian Electronic Army’s attacks on domain registrars, such prospects are anything but remote.
If there is any silver lining to the shutdown, it may be that it serves as a catalyst for Washington to begin formulating better contingency plans, both for future shutdowns and similarly damaging outages. The government and its counterparts in the private sector should work together to ensure that the cybersecurity apparatus is centrally managed and coherent, yet resilient in the face of events that bring down one or more of its components.
Reliance on virtualization, cloud computing heightens shutdown impact
Writing for InformationWeek, Patience Wait laid out the consequences of the shutdown. More than 800,000 federal employees are being furloughed due to Congress’ inability to pass a budget. At the Federal Emergency Management Agency alone, more than 1,800 IT managers are on temporary leave, with only about 150 remaining to oversee the organization’s sophisticated IT operations.
Large outfits like the Internal Revenue Service and the Social Security Administration typically handle complex customer databases with the help of external contractors. The shutdown has hit these agencies especially hard because it has left them with inadequate resources to manage increasingly complicated infrastructure.
The last time the government closed down, in 1995, technologies like cloud computing, server and storage virtualization and even email had not entered the mainstream. Moreover, past shutdowns did not invite the prospect of cyberattack simply because government IT was still in its nascence.
“It used to be easier, in previous situations, to figure out who in IT – employees and contractors – gets to stay on the job, because everything was siloed,” former Office of Management and Budget IT manager Mark Forman told InformationWeek. “As agencies have leveraged virtualized networks, storage and production environments, the lines have blurred. Now a greater portion of the IT workforce will need to stay on the job.”
The OMB has provided minimal guidance for how government IT should respond to lapsed funding. Departments like the Federal Aviation Administration, DHS and the Department of Defense have continued to provide services, albeit with fewer staff. Most IT procurements are on hold until new appropriations are available, forestalling upgrades that could better secure data and assets.
Cybersecurity initiatives already stalled by governmental gridlock
Another temporary casualty of the government shutdown is the comprehensive cybersecurity legislation proposed by Senator Kirsten Gillibrand of New York. Bank Systems and Technology associate editor Jonathan Camhi highlighted her efforts, which consist of three bills.
One provides a tax break, equivalent to 30 percent of investment, to companies that invest in their own cybersecurity. Another creates a cybersecurity contingent in each state’s National Guard, and the final one requires more diligent government reporting on cyberattacks around the world.
“If we are going to keep America safe we have to invest in cybersecurity, in the best solutions and best practices,” stated Gillibrand.
However, the shutdown, paired with the impending debt ceiling crisis in mid-October 2013, means that Congress will not be able to upgrade U.S. cybersecurity infrastructure and practices for some time. Prior to the current political strife, Congress failed to pass legislation that would have enhanced information-sharing, indicating the tough landscape that cybersecurity efforts face even in the context of a dangerous threat environment.
Implications for national security and the way forward
Beyond potentially increased exposure to malware and distributed attacks, the shutdown may lead to communication issues that hamper national security and put civilian and military personnel at risk.
“[W]ith the exception of a few intelligence agencies that have a significant number of military personnel, the lights are being turned off and the majority of the people who produce our intelligence, analyze that intelligence and provide warning of terrorist attacks or advise policymakers of major national security events will be prevented from doing their jobs,” stated Senator Dianne Feinstein of California, according to The Washington Post. “We have ambassadors in threatened capitals [who] rely on their intelligence briefers and the tactical intelligence support to their security teams as much as they rely on the Marines who guard front gates. What we are doing now puts American lives at risk.”
As Feinstein pointed out, the shutdown has broad implications that go beyond the scope of IT. At the same time, the cybersecurity community should do its part and continue to work with Congress to create an information-sharing and response framework suited to the current threat environment. While security professionals may not be able to change the political climate, they could harness public disappointment with the shutdown to demonstrate flaws in the current arrangements and push for change.