Now that we’re into the second week of the government shutdown and the media frenzy has moved on from PandaCam and the closing of the ocean, it’s time to examine the real consequences of the shutdown for national critical infrastructure. In recent days several agency CIOs and CISOs have been consulted on how vulnerable national cybersecurity becomes to both insider threats and hackers as the shutdown continues. In fact, when called to the Capitol to answer questions from the Senate Judiciary Committee on the second day of the shutdown, Director of National Intelligence James Clapper responded to questions from Senator Grassley and Senator Leahy with a distinct lack of confidence about long-term cybersecurity.
Sen. Grassley: Does America remain safe, even with a shutdown?
Clapper: Um. [pauses] I have to qualify that sir. I don’t feel that I can make such a guarantee as each day of this shutdown goes by. I’m very concerned about the jeopardy to the country because of this.
Sen. Leahy: What you’re saying is that it becomes cumulative. You’re saying the danger and threat becomes cumulative.
Clapper: Yes, sir.
While most agency IT leaders have been unwilling to speak on the record, there is palpable concern that the reliance on technology without an adequate personnel presence is simply a flawed strategy. For example, DHS’s National Protection and Programs Directorate (NPPD) is functioning with approximately half its personnel, based on the agency’s shutdown plan. While the use of sophisticated monitoring technologies is a critical element of cybersecurity, the human element of analysis and response has long been acknowledged as the key to effective network security.
And, as Director Clapper pointed out, the effects of the shutdown on cybersecurity are cumulative – from the volume of data that will still need to be analyzed once the shutdown ends and workers return from furloughs, to the delay in contract finalization for the DHS’s continuous diagnostics and monitoring program.
Yet it is not only the agencies that will feel the impact; public-private partnerships are already suffering. For example, the National Institute of Standards and Technology (NIST) was tasked to develop a cybersecurity framework for companies across the U.S.; these standardization efforts have been halted during the government shutdown.
IT departments may be working at half strength, but hackers and cyber criminals are not. In fact, security experts predict that attackers will use this government shutdown and diminished IT staff to their advantage in planning attacks.
As Congress and the president continue their standoff, it’s the dedication of non-furloughed agency personnel and the undoubtedly long hours they’re putting in that will keep the country secure. Let’s hope they’ve got plenty of coffee on hand.