The recent shutdown now entering 24 days brings with it risks that threaten our nation’s cyber security. A number of agencies perform important functions in helping the public and private sectors secure our nation’s commercial and public infrastructure from cyber attack are running at limited capacity. The longer the shutdown drags on, the greater the adverse impact will be on our national cyber security defensive position. There appears to be no likelihood of a short-term resolution will occur.
The main impacted agencies of concern that are not running important cyber programs are the Department of Homeland Security (DHS) and the National Institute of Science and Technology (NIST). One such sub-agency within DHS is the Cybersecurity and Infrastructure Security Agency, known as CISA. This agency was created in November of 2018 to help strengthen our nation’s cyber security standing. CISA leads the national effort to defend critical infrastructure against the threats of today. CISA works with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow. Unfortunately, many of the new cyber security recruits hired by CISA have not received a paycheck this year and are likely to take other assignments if the current impasse isn’t resolved. Fort-five percent of employees in this agency are currently furloughed, many of which are likely newer recruits or transfers from other agencies. This agency began operations only last November, accordingly, many of the new employees in this agency have only received a handful of paychecks and are now furloughed. This is not a good way to retain cyber talent.
Another program within DHS that is impacted impacted is the Automated Indicator Sharing (AIS) initiative that has furloughed more than eighty percent of its staff, as reported by Duo Security. AIS helps government agencies and the private sector share threat intelligence across its partners to help ensure that a successful attack against one entity is not perpetuated again using the same techniques against other members. The shutdown has stopped this type of information sharing. Accordingly, successful attackers will be able to get much more mileage of their new attack tools and techniques, allowing them to exploit many more targets, given the diminished indicator sharing activities by our government.
Another agency that is impacted by the shut down and not offering its full breadth of support to the public and private sector is the NIST. This agency provides various cyber security tools and frameworks to the public and private sector to help secure information technology resources across the enterprise. Almost eighty five percent of NIST staffers are currently furloughed. NIST regulates federal agencies security standards, but many corporate security teams use NIST standards in setting their baselines for corporate security programs. NIST provides concrete best practice recommendations and details on mitigating various threat scenarios. The NIST website presently states that not all website contents are available online due to funding lapses. Additionally, NIST conducts FIPS testing to ensure that new computing devices meet the standards necessary to run safely on government networks. Federal Information Processing Standards (FIPS) certification is also used by the private sector to help secure corporate computing environments. During the shutdown period, no FIPS testing is being conducted by NIST to grant new certifications to recently released more secure computing technologies.
On the physical security front, TSA staff working at the nation’s airports without pay are becoming angry. After clearing initial security at the airport in the last week, I commented to the TSA staffer, “I hope you receive a paycheck soon! Thanks for your service to our county.” His response was one of vitriol against the elected officials who are messing around with him and his family. One passenger asked a TSA agent if they needed to remove their laptop from their bag and the agent responded, “I don’t care, I’m not getting paid.”
Furlough rates are likely to increase as the current impasse drags on. Delays in providing critical tools and information to cyber security professionals within the corporate and public sectors will weaken the future state of cyber security over time. With each week that passes that cyber security and technical staff within the government go without a paycheck, the likelihood of loss of those staff members to private sector paying jobs increases.
As time elapses with important cyber defense initiatives of the government curtailed, successful new cyber-attack strategies are likely to be shared by our adversaries magnifying the impact of cyber compromises of our nation’s corporations and public resources.
Our elected officials need to work towards compromise on the issues at hand that should include at a minimum, putting important cyber security staff back to work before another major cyber attack takes place. The cost alone of the shutdown will soon exceed the $5 billion cost of providing the funding requested by the President for border security. S&P Global Ratings reported that the shutdown has already cost the US $3.7 billion with that number expected to reach $6 billion in the next 10 days. A smart compromise that mixes technology, staffing and physical barriers is needed. Both sides should be willing to make compromises for the sake of national security. In the meantime, it is prudent and important that short-term funding of some of these important cyber security agencies receive funding. Not addressing this issue will result in the loss of many highly sought-after cyber security professionals leaving the government for more reliable and better paying positions in the private sector. I urge everyone to contact their elected officials and encourage them to resolve the current impasse by making some reasonable compromises to secure and protect our country from cyber attacks.