With fewer eyeballs monitoring the government’s networks for malicious activities and an increasing number of federal systems sitting idle during the shutdown, security experts fear it could create a perfect storm for insiders and hackers looking to do agencies harm.
“The longer this goes on, the more the likelihood that the government becomes a target, a target of opportunity,” said a federal chief information security officer, who asked not to be named because he was not authorized to speak to the media.
Agencies don’t have as many people around to detect obscure events that may signal a larger problem, the chief information security officer (CISO) said. They only have the capacity to respond to big things, such as restoring essential online services that may have been knocked offline.
The CISO and his staff have been on furlough since the partial government shutdown began on Oct. 1. “We manage contract services, and we direct responses, so we can be called in to react to an event,” he said. An on-call status requires him to report to the office within two hours if any major decisions need to be made.
The agency didn’t shut down any of its IT systems, he said — that would have introduced more risk in trying to reboot the system later on and ensuring no data were lost or corrupted.
While his agency has capabilities to detect incidents, despite having fewer employees on hand, the capacity to respond is slower than normal, he said. “I think that’s true across the board.”
The government’s network and security operations centers, including those operated by the Department of Homeland Security, will remain staffed to provide incident monitoring and detection services. This includes oversight of the government’s external network traffic to ensure agencies’ connections to the Internet are secure.
“That would be suicide to turn that stuff off,” the CISO said. “We can go to bare bones because the big wall is still up.”
But even the government’s lead defender of civilian computer networks is operating with fewer resources during the shutdown. DHS’ National Protection and Programs Directorate (NPPD), which contains many of the department’s cybersecurity personnel, is operating with nearly half of its staff gone, according to the agency’s Sept. 27 shutdown plan.
NPPD estimates 1,617, or 57 percent, of its 2,835 employees will continue working through a shutdown because they are either presidential appointees, law enforcement officers, paid with funds other than annual appropriations or needed to protect life and property.
“From a manager’s perspective, this is what I’m concerned about,” said Patrick Flynn, director of national and homeland security at McAfee.
The primary reason security personnel are there is to get information, analyze it and act, Flynn said. Some cyber issues can be solved with technology, but the human factor is the most precious part of the cycle, he argued.
Flynn is also concerned about the shutdown delaying further action on DHS’ Continuous Diagnostics and Mitigation (CDM) contract. Flynn and others in industry were expecting DHS to release a request for quotation under the contract last week, but as of late last week that had not happened, he said. He suspects the shutdown was the reason.
The RFQ was to include civilian agencies’ needs for tools that manage their hardware and software inventories, whether they are configured properly, and the known vulnerabilities to those systems, said Scott Montgomery, vice president of public sector solutions at McAfee.
Work between the private sector and National Institute of Standards and Technology to develop voluntary cybersecurity standards for companies has also ceased since the shutdown, Flynn said.
One of the most unsettling issues for security experts like Montgomery is that attackers can glean intelligence during a shutdown. There is a cadre of people in security designated as so critical that during a shutdown they have to work and have access to tools and environments to preserve mission functions, he said.
Hackers will learn that the remaining employees are worth targeting because they are deemed critical to agencies’ operations, Montgomery said.
“I might not be attacking them today, but I’m going to learn everything I can because the government told me they are important,” he said. “I would expect there to be a rise in spear phishing attacks against [those] individuals, [and] that’s what we need to be vigilant against.”
On its blog last week, security firm Symantec reported seeing an increase in spam messages related to the government shutdown. That’s fairly common when there is a high-profile event, and hackers or spammers try to use that as an entryway to penetrate systems, said Gigi Schumm, vice president and general manager of Symantec’s public sector organization.
“We always say that the most secure system is a well managed system. Whether desktop or server, these days it takes pretty constant vigilance to make sure you’re keeping up to date with patches and fixes,” Schumm said. “Those are the things that will be very difficult for customers to do with smaller staffs during a shutdown.”
An extended shutdown, over the course of weeks rather than days, would create more work for systems administrators when agencies’ operations are fully restored and systems left idle during the shutdown have to be running again with the proper updates, Schumm said.
“I think it really gets down to how long this goes on,” she said.
Ken Ammon, chief strategy officer at Xceedium, said the shutdown may create another potential problem: insider threats. Ammon said the risk of potential insider threats to government networks increases with every day of the shutdown.
Data show that insider attacks often occur within the last two weeks of employment, Ammon said.
“Anytime you run into a situation where you’re potentially disenfranchising a bunch of folks that may be now quickly looking for something to do in the near future, that’s a significant uptick in the folks that may be considering leaving, too.”