Possible Government Shutdown Has Cybersecurity Experts Worried
Vulnerabilities may persist or go unaddressed during a shutdown.
![Government shutdown worries security experts Government shutdown worries security experts](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt4603ae3d71c6eda3/6537c69379667e638ea1f957/Government-Shutdown.jpg?width=700&auto=webp&quality=80&disable=upscale)
Paul Brady Photography/Shutterstock
Dave Gerry, CEO at Bugcrowd, said CISA is a “critical resource in our nation’s proactive defense against cybercriminals and attackers.”
“Any disruption to that team as a result of a government shutdown increases the cyber risk we face, and, given the rate at which we see nation-state adversaries ramping up attacks, unnecessarily slows down the great progress the agency has made and makes us more vulnerable to attacks as a result,” he said.
Justin Williams, managing partner at Optiv, said any furlough of CISA staff “degrades our national security operational readiness — impacting the security of our national supply chain.”
“CISA provides critical linkages by and between our commercial organizations and government,” he said. “This linkage includes support for organizations who are under duress or otherwise dealing with a cyber event or incident, putting commercial organizations and industry sectors at risk when indicators of compromise (IOC) are not shared among the proper groups to slow or stop the movement of adversaries throughout our commercial organizations. Our nation’s supply chain includes critical infrastructure, health care, transportation, energy, among others. Degraded readiness is a national security matter.”
Landen Brown, federal CTO at Symmetry Systems, said gone are the days when looming government shutdowns only impact government workers’ pay.
“With top cybersecurity leaders and our presidential cabinet aggressively pursuing the 2023 cyber strategy plan, government shutdowns now impact our ability to maintain cyberspace capability and defense,” he said. “Many cyberspace operators will be absent from critical operations, and those remaining tier 1 personnel will be tasked with doing the mountainous job of many, often without pay. Today, our adversaries recognize this. It is of the highest importance that our political leaders come together at this time to avoid granting our adversaries the ability to operate in relative freedom and hinder our ability to be prepared to fight and win our nation’s wars.”
Tim Helming, security evangelist with DomainTools, said the U.S. government “doesn’t say a lot publicly about the workforce keeping its cyber assets secure, but like any large organization, it’s likely that their blue teams are at maximum capacity most of the time.”
“That means that any reduction in forces may affect their ability to carry out the same level of intelligence gathering and analysis, detection engineering, incident response, threat hunting, etc., that they usually do,” he said. “This doesn’t mean that we’re going to see new, successful incursions, but it may mean that at minimum, the staff remaining available after the shutdown will be stretched thin and overtaxed.”
CISA has been prolific with advisories and other guidance, and it’s likely that the pace of those could slow during the shutdown, Helming said.
“None of this means that the community in general is going to see an uptick in successful attacks, because the effects of the government shutdown on a) threat actors, and b) private sector organizations, may be limited, especially if the shutdown does not continue for an extended amount of time,” he said. “As always, we need to be highly vigilant. There have been several high-profile breaches in the last couple of weeks unrelated to the shutdown, and those certainly warrant a lot of care and tight operations. Given CISA’s track record of enabling better communication and leadership across public and private sectors, this culture shift will continue to keep us secure, even if CISA does slow down during a shutdown.”
Colin Little, security engineer with Centripetal, said a federal government shutdown can “weaken the cybersecurity posture of a nation, leaving it more vulnerable to cyberattacks and potentially harming national security, public trust and international cooperation in the realm of cybersecurity.”
“Maintaining robust cybersecurity practices during a shutdown should be a top priority to mitigate these risks and ensure the continued protection of critical systems and sensitive data,” he said. “Think of it in terms of an active war zone. If the government shut down and 80% of frontline units stopped receiving troop pay, reinforcements and supplies, the result would be disastrous, especially over a protracted period of time.”
A decrease in staffing can hamper the government’s ability to monitor and respond to cyber threats effectively, Little said. It may also lead to delays in implementing security updates and patches, leaving systems vulnerable to known vulnerabilities.
In addition, vulnerabilities may persist or go unaddressed. Cybercriminals often take advantage of such opportunities to launch attacks on government infrastructure, steal sensitive data or disrupt services, he said.
Moreover, a shutdown can hinder the government’s ability to respond swiftly to cybersecurity incidents, Little said. This delay can allow attackers to maintain access to compromised systems for longer periods, potentially causing more damage and increasing the cost of recovery.
“Many federal agencies rely on contractors and vendors for cybersecurity services and products,” he said. “A shutdown can disrupt supply chains, delaying the acquisition and implementation of essential cybersecurity tools and services.”
James McQuiggan, security awareness advocate at KnowBe4, said with the impending government shutdown, there is concern about the lack of cybersecurity resources to protect the nation. However, 15% of the DHS workforce would be retained and working during the shutdown without compensation.
“Reviewing attacks during the last government shutdown in 2019, no major attacks against the U.S. infrastructure occurred, but there were delays in responses to cyber activities with limited resources,” he said. “Private organizations mainly operate electricity, water and transportation systems, so while they may be targeted, the government shutdown will not impact their operations.”
With a limited staff running within DHS and CISA, any maintenance or upgrades could be delayed in the event of an incident, McQuiggan said.
“There will be delays in resolving and hindering the ability of the government to support private organizations with any attacks,” he said. “Such programs as the CISA’s Known Exploited Vulnerabilities catalog could be delayed in updates with the proper resources. This catalog informs organizations of recognized attacks to organizations with known exploits seen in the wild, thus disrupting organizations’ threat intelligence programs.”
A federal government shutdown would likely weaken national security, which is good news for cybercriminals across the globe.
In the event of a government shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) would furlough more than 80% of its workforce, potentially leaving the agency with a drastically limited crew to initially respond to attacks on the networks of federal agencies and critical infrastructure.
The Department of Homeland Security (DHS) plan for a “lapse in appropriations,” updated Thursday, shows CISA estimates it would retain 571 employees out of the 3,117 it had on board as of mid-June. Retained staff would be required to work during a government shutdown, while the rest would be furloughed.
CISA leads the national effort to understand, manage and reduce risk to the nation’s cyber and physical infrastructure. Its mission expands across three primary areas: cybersecurity, infrastructure security and emergency communications.
CISA issues warnings over actively exploited vulnerabilities, helps investigate high-impact cyberattacks, creates guidance and helps critical infrastructure organizations beef up their security, conducting cyber exercises and assisting with incident response.
Government Shutdown ‘National Security Crisis’
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said a government shutdown would become a “national security crisis.”
“We are already dealing with a historic cyber insurgency,” he said. “We don’t have enough watchers on the wall to sustain our defenses.”
Debrup Ghosh, staff product manager at Synopsys Software Integrity Group, said when the nation’s infrastructure has been threatened – for example, the Colonial Pipeline – the industry leans on CISA for guidelines and best practices related to incident detection, response and prevention for novel threats and vulnerabilities.
“With reduced staffing at CISA, these timelines to react may be impacted, and business leaders should have contingency plans in place to engage cybersecurity consulting firms at short notice to protect critical infrastructure and respond quickly to potential cyberattacks,” he said.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.