by James Arnold. January 10, 2019.
The most recent government shutdown is approaching the record for the longest shutdown in United States history, but what does that mean for American cybersecurity? To put it simply, nothing good.
In the process of allegedly attempting to strengthen security on our southern border, the shutdown has severely inhibited the government’s cybersecurity capabilities. Starting December 22nd, the shutdown has affected over a third of all federal employees from various departments including Justice, State, Treasury, and Homeland Security, all of which serve critical roles in defending our nation from cybersecurity threats. However, nearly half of those affected by the shutdown are still working, but remain without pay.
Most departments identified cybersecurity as an essential service, which means the Justice Department’s Justice Security Center and the Treasury Department’s incident response/emergency operations teams will continue working, yet almost 45% of employees at DHS’ new Cybersecurity and Infrastructure Security Agency have been furloughed, along with 85% of employees at the National Institute of Standards and Technology (NIST). Though both of these departments have retained their emergency response personnel, their roles in cybersecurity span far beyond emergency response and incident response: most notably, NIST was expected to release new guidelines on risk management and threat-mitigation, but is now expected to be significantly delayed. Furthermore, numerous online resources like the Computer Security Resource Center have been shut down due to the lapse in government funding.
Though the lack of access to resources that corporate security teams have been waiting for and relying on does not pose an immediate threat, it will certainly result in frustration among employees of both the federal government and private corporations. Following the 2013 shutdown, there was a massive drop in interest in federal cybersecurity positions that lasted for years due to the extreme uncertainty experienced during the shutdown. Not only will the shutdown result in a loss of talent, but the cancellation of DHS’ Cybersecurity and Innovation Showcase will set security officials behind on their knowledge of emerging next-generation technology.
Of the services running on short-term cash reserves, NIST’s time servers are some of the most important operations. Though only two employees are operating the National Vulnerability Database and a single employee manning the National Cybersecurity Center of Excellence, sixteen employees are dedicated to the time servers, which are essential to national security (UTC), national economy (SEC requirements), and infrastructure synchronization (systems of radio clocks). As these reserves are impacted, it is expected that numerous government agencies may begin to close down services that are currently open and shuffle around funds to continue operating the most important ones.
Most importantly, a cessation of federal cybersecurity functions may appear to certain malicious cyber actors as an opportunity to launch attacks on the United States (regardless of whether or not American defense capabilities would be lessened in a particular case).
Cyber threats are worrying enough when defense operations are fully staffed and fully funded, but even more so when they’re weakened and there’s no definite end to this state of affairs. As Lisa Monaco (the former assistant to the president for homeland security and counterterrorism) told Axios, “cyber threats don’t operate on Washington’s political timetable, and they don’t stop because of a shutdown.”
Though the shutdown doesn’t necessarily present imminent cybersecurity vulnerabilities in the cyber defenses of the United States government, it certainly won’t be beneficial and is likely to have long-term impacts on government cybersecurity and the employees who manage it.
James Arnold is a first-year majoring in physics and a member of the Duke Cyber Team.