Political posturing has reached another all-time low, resulting in large portions of the federal government being temporarily shuttered while the politicians continue to do what they do best, which is accomplish absolutely nothing.
So where does that leave our nation’s cybersecurity posture? We queried some of Tripwire’s best and brightest on that matter, and while their outlook is certainly short of doom and gloom scenarios, they certainly won’t help anyone to sleep better at night.
Tim Erlin (@TErlin), Tripwire’s Director of Product Management, says that there are two potential impacts for cybersecurity in the wake of the government shutdown: Immediate and ripple. The immediate effect stem from key security people not being at their job today, tomorrow, and for the duration of the shutdown.
“When we look at the immediate effects, the primary issue is the definition of ‘essential.’ The shutdown allows for essential personnel, and by extension, essential services, to be kept in place, so is information security essential? It’s not a yes or no answer,” Erlin said.
“It’s clear that keeping the national vulnerability database site running is essential, but it’s likely that the level of staffing for the adding of new content has been dramatically reduced,” Erlin continued.
He says that at a minimum, many of these ‘essential’ services are now under-supported, and that means that serious security events are going to be harder to deal with.
“Information security is very often about exceptional circumstances, and the end result of the shutdown is that as a nation we are more vulnerable to cyber-attack,” Erlin said.
In addition, the ripple effects of the shutdown will stem from the changing threat environment. As new vulnerabilities are discovered, systems that remain static over time become progressively less secure, and the longer the shutdown continues the worse this situation becomes, creating a backlog of work and an increased opportunity for compromise.
“Additionally, compromised systems may go for a longer period without detection, allowing an attacker to take more than one step toward their targeted without being noticed,” Erlin warns. “These deeper intrusions are more likely during this shutdown and harder to uncover when the shutdown ends.”
Lamar Bailey (@btle310), who leads Tripwire’s Vulnerability and Exposures Research Team (VERT), that the shutdown may be the catalyst for attackers to escalate malicious operations targeting critical systems that contain sensitive information vital to national security.
“If I were a hostile nation state, I would start unleashing everything I have right now in an attempt to exploit as much as possible while federal agencies are distracted,” Bailey said. “In the late 1990’s and early 2000’s, the greatest number of exploits happened over holidays, weekends, and late at night when the IT staff was operating on a skeleton crew. This is no different.”
Bailey points out that next week is Microsoft’s patch Tuesday, and that the release will probably include at least one critical patch.
“The government shutdown means that there will be fewer resources to update affected systems with this patch, and that means government systems will remain vulnerable until enough resources are available to update them,” Bailey continued. “This is just one example, software patches are being issued all the time, and the longer the shutdown continues, the more that security risks increase.”
Dwayne Melancon (@ThatDwayne), Tripwire’s Chief Technology Officer, says he has been in contact with several Federal agencies that just furloughed a surprisingly large number of IT staff, including information security personnel.
“With this kind of shutdown, electronic infrastructure will keep running even though physical offices shut down, and since some of these agencies have experienced data breaches in the past, the extent of the furlough surprising, Melancon said.
“If I were leading an agency right now, I’d place a huge emphasis on retaining adequate security personnel to monitor for suspicious activity and protect systems and data.”
Melancon says that ultimately, this is a question of “connecting security to the mission” in that If you have a clear understanding of which systems are most critical to achieving your mission objectives, decisions about where to invest your limited resources become clearer.
“This mindset is key to making the right decisions when you have to determine critical and non-critical staff. This is true for any business, not just government agencies,” Melancon advised.
- NIST: It’s Time to Abandon Control Frameworks as We Know Them
- Enterprise Insurance Policies and the 20 Critical Security Controls
- NERC CIP Version 5: One Giant Leap
- Security Standards: Are We Doing It Right?
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock