Government Shutdown Creates New Cybersecurity RisksJanuary 16, 2019 | Avigael C. Fyman |
The partial government shutdown, now the longest in U.S. history stretching into its fourth week, presents new risks to cybersecurity, both short term and long term. These effects will be felt not only within government operations, but also in the private sector, which relies upon and works with the government to protect against cyber threats.
Many federal cybersecurity staffers, including, nearly half of the staff at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), have been furloughed. Moreover, a significant part of cybersecurity work is performed by government contractors who are not working during the shutdown.
With reduced staffing to monitor and protect critical infrastructure, including engaging in security operations, software patching and penetration testing, government agencies will be more vulnerable to hacking by criminal and nation-state actors.
The potential hacking of government agencies poses risks not just to the agencies themselves, but also to private businesses and individuals who are required to submit information to those agencies for taxation or regulatory purposes. For example, in a recent letter to Treasury Secretary Steven Mnuchin and IRS Commissioner Charles Rettig, Senator Ron Wyden, the ranking member of the Senate Finance Committee, raised concerns that an understaffed IRS faces an elevated risk of cyber criminals filing fraudulent tax returns in order to steal taxpayer refunds.
Also adversely affected by the shutdown are CISA initiatives to work with the private sector, such as the Automated Indicator Sharing program. Automated Indicator Sharing, which enables the sharing of cyber-threat indicators between the federal government and the private sector at machine speed, plays a critical role in processing and responding to cyber threats to both commercial and public infrastructure. The shutdown has hampered this information-sharing capacity, meaning that cyber attackers may be able to get more mileage out of their attack tools and techniques before they are detected and neutralized.
Private companies also rely on public-private partnerships with government agencies such as the National Institute for Standards and Technology (NIST), which maintains a voluntary framework for private industry to assist in reducing cyber risks to critical infrastructure. With 85% of NIST’s staff furloughed, NIST-affiliated websites are unavailable, and NIST staffers are unable engage with their private sector counterparts.
Another concern is that scammers may use the shutdown to prey upon vulnerable populations, including government employees going without pay and beneficiaries of government services. For example, Pennsylvania State Police have warned of scammers claiming to need personal bank information in relation to federal benefits like Medicare, or offers of temporary jobs to furloughed workers requiring an application fee. These scams will likely proliferate as the Federal Communications Commission and the Federal Trade Commission, which are involved in protecting consumers from fraud, are shuttered.
A longer-term shutdown will also affect the regular privacy protection and cybersecurity oversight functions of government. For example, government agencies typically operate privacy offices, which are tasked with ensuring compliance with the Privacy Act of 1974, the e-Government Act of 2002 and other laws, orders and policies governing the use and disclosure of personal information. For agencies that are subject to the shutdown, activities of the privacy offices, including privacy impact assessments and investigations, have been suspended. Likewise, staff at the Division of Privacy and Identity Protection at the Federal Trade Commission are on furlough, meaning that their regular work of conducting investigations is not taking place.
Another long-term concern for the government is the ability to adequately staff a cybersecurity work force, as the government’s loss may be the private sector’s gain. Before the shutdown, the Department of Homeland Security, the Department of Commerce and the Government Accountability Office had all raised concerns regarding the difficulty in hiring skilled cybersecurity professionals for government roles, given the competition for talent with higher-paying private sector jobs. Repeated and lengthy shutdowns will harm morale and lead talented government cybersecurity professionals to exit for the private sector, creating a hiring crisis at government agencies.
While the shutdown continues, cybersecurity professionals should be aware of the increased risk for scams and hacks, as the government’s capacity to combat such threats is limited. Moreover, even when the shutdown ends and the government reopens, cybersecurity professionals may need to consider means for modifying both governmental and private sector networks to make them more resilient, given the risk of interruptions to government operations.
- Avigael C. Fyman