As you read this, there’s a virtual certainty that nation-state actors who intend to harm the United States have already invaded critical networks and computing facilities. Those same actors may have begun downloaded secure databases, they may be traversing networks looking for classified information, and they may be laying traps for federal workers when they return so that they can then harvest credentials for another round of attacks.
Right now, though, it’s impossible to tell exactly where any of these attacks may be taking place because the cybersecurity workers who normally keep the attackers at bay have been mostly furloughed. Those that remain are at best a skeleton crew of overworked, but unpaid, specialists who are some of the very best in the business. But they’re being asked to perform an impossible task.
“When something like this happens, most Americans look to the visible impacts -- like the fiscal strain it puts on federal workers, closures at Smithsonian museums, and vandalism at national parks,” Theresa Payton, former White House CIO and CEO and founder of Fortalice Solutions said in an email. “But the reality is that invisible impacts -- like cyber security -- are some of the most staggering. In times like these, cyber criminals here at home and abroad hone in on our vulnerabilities and try their hardest to find ways to exploit them ... or worse, embed.”
Partisan Bickering Helps Nothing in Security
The only outlook a month after the shutdown began is for more partisan bickering, more sophomoric behavior and nobody at the helm as the fight against cyber-attackers as the battle goes unattended. Sadly, the cyberwar that has already begun won’t be the defining moment that stirs some sort of action. The politicians involved have no clue what’s going on, and worse, once the cyberwar is won by the other side, we may never know.
Rumors of an ongoing cyber-attack are already quietly circulating in Washington. Most cybersecurity experts I’ve spoken with acknowledge that the cyber war has already started, and that the US forces to prevent it have been able to do little. They all say that the longer the shutdown goes on, the worse it will be.
“The longer it goes on, the more at-risk it gets,” said Grant Kirkwood, founder and CTO at Unitas Global, a managed services provider for large enterprises. “Things go unpatched. Security and intrusion monitors aren’t being watched.”
“The door is open at this point. It would not surprise me if those rumors were true,” Kirkwood said.
“The real concern for me, though, is that breaches will occur during the shutdown that might go undetected for months -- that there will be a silent but successful penetration of networks that we don’t learn about until much, much later,” Payton said.
“Risk is on the rise across the board, because the USG (U.S. government) doesn’t have the proper manpower or adequate response staff to support in the event of a security incident. Some of our brightest cyber minds are on the sidelines for the time being, and that invites bad actors across the board to dip their toe in the water,” Payton said.
Feds May Lose Best People to Private Enterprises
What’s worse is that the federal government may lose its most skilled cyber warriors to private industry.
“One of the major long-term impacts I’m concerned about is that this will significantly deter cyber professionals from entering the federal workforce,” Payton said. “It’s tough to expect our best and brightest to enter civil service if they think it could lead to long period of unpredictability and lost wages.”
“A far bigger risk is long after the shutdown is over,” Kirkwood said. “The job market for top-tier technical talent is the strongest it’s been in a decade.” Kirkwood noted that in addition to the federal cybersecurity workers who aren’t getting paid, there’s a huge federal contractor talent pool that’s also not getting paid.
“Look at what the federal government is protecting, and you want the best people,” Kirkwood said.
What’s worse, the level of disrespect with which the cyber security professionals are being treated is already hitting their morale badly. “Events like this can signal that cybersecurity is not a priority, and -- like anyone else -- people working in cybersecurity want to be valued for their skill and significant national security efforts,” Payton said.
“I have a hard time seeing how this walks back,” Kirkwood said. “Real lasting damage is going to be done in a lot of places.”
Damage to Morale is Already Bad
Kirkwood said that much of the damage is being done to the federal cybersecurity workforce where morale is already very low. He wonders if those workers are going to hang around and wait for the shutdown to be over. “Top-tier talent isn’t going to take a job for less money, less in benefits and not getting paid,” he said.
Perhaps hardest hit will be the new Cybersecurity and Infrastructure Security Agency, which began only a couple of weeks before the shutdown began, where nearly half of its new staff has been furloughed.
There, the question has got to be whether anyone will show up for work once the shutdown is over, or whether they will have moved on to better, more secure jobs elsewhere.