There has been a great deal of speculation around the cybersecurity posture of the nation in light of the most recent (and longest documented) government shutdown. I’ve seen two main concerns arise within the cyber community speculating about the impact of the government shutdown:
Many experts are noting that due to the weakened state of the government’s cybersecurity teams, they will not be able to defend against a bad-actor breaking in and sitting within government networks after the shutdown ends. This would allow the bad-actor to sit within the federal networks undetected until they decide to truly execute a cyber attack.
While reports indicate that roughly 50% of the newly created Cybersecurity and Infrastructure Security Agency (CISA) has been furloughed as a result of the government shutdown, these teams were drastically understaffed before the shutdown even began. The CISA, newly elevated within the Department of Homeland Security a month before the shutdown started, was still establishing itself before the funding ran out. The sites and networks that the government has deemed of significant importance (primarily .mil URLs) are still under constant monitoring. The primary concern that I’ve seen has been the civilian facing sites - social security, Medicare/Medicaid, and food stamps. The concern around these sites is the SSL certification running out during the government shutdown. The fact is that it is that the SSL certificate is actually the least of the concerns for these organization, the IRS suffered a breach weeks before the government shutdown even began. While yes, skimming is of concern for these organizations, the SSL certification is actually the least of their worries.
One of the greatest challenges facing anyone in the cybersecurity field is the growing talent shortage. Public and private sector organizations have scrambled for talent as cybersecurity is elevated to a board-level issue at private sector companies and it is also drawing more focus in the public sector as well. However, for public sector organizations, this government shutdown will have lasting effects on the interest in government cybersecurity positions but not in the way many experts are thinking.
The current stance of many cybersecurity professionals is that it will exacerbate an already competitive recruiting market and given the perceived instability of a government cybersecurity position, new entrants will be deterred from joining the workforce. I don’t think this will be the case. New entrants in the job market, namely recent graduates, are more concerned with experience rather than stability. What the shutdown will do is cause a brain drain rather than a recruiting crisis. The retention of current employees will be a greater immediate issue once the government opens following the shutdown.
Within the cybersecurity community, one of the greatest issues that occurred as a result of the government shutdown was the National Institute of Standards and Technology website. The gold-standard NIST Cybersecurity Framework as well as their other portfolio of standards and practices for cybersecurity were inaccessible for the first three weeks of the shutdown. Both public and private sector security leaders alike were blindsided by the lack of access. Losing these gold-standard documentations surpasses talent and team size in terms of cybersecurity risk for the nation.
Despite the government shutdown continuing on, the public outcry over the NIST website going down caused a shift in resources in the government and now the NIST website is at least partially functioning. With the government being one of the more important users of NIST publications, the lapse in access is the greatest threat that we faced as a result of the shutdown.
While many members of the industry are concerned with the impact of the shutdown itself, the government shutdown has had a greater longer-term impact. Rather than creating new openings for cybercriminals, the government shutdown has illuminated existing risks that the government faced before the shutdown and caused the industry to react. The government shutdown has acted as a catalyst for the nation to start asking questions about how our government approaches cybersecurity.
The shutdown has also load tested what about the nation’s approach to cybersecurity is deemed “essential”. It is not simply the personnel, but the resources. More specifically, the NIST resources that, while are shared between the public and private sectors, is critical to the nation’s cybersecurity operations. The longer-term implications of which are that the CISA will need to reassess its relationship with NIST and determine a contingency plan to keep the NIST cybersecurity resources operational in the event of a future shutdown.