
Political posturing has reached another all-time low, resulting in large portions of the federal government being temporarily shuttered while the politicians continue to do what they do best, which is accomplish absolutely nothing.

So where does that leave our nation’s cybersecurity posture? We queried some of Tripwire’s best and brightest on that matter, and while their outlook falls short of doom-and-gloom scenarios, it certainly won’t help anyone sleep better at night.

Tim Erlin (@TErlin), Tripwire’s Director of Product Management, says that there are two potential impacts for cybersecurity in the wake of the government shutdown: immediate and ripple. The immediate effects stem from key security people not being at their jobs today, tomorrow, and for the duration of the shutdown.

“When we look at the immediate effects, the primary issue is the definition of ‘essential.’ The shutdown allows for essential personnel, and by extension, essential services, to be kept in place, so is information security essential? It’s not a yes or no answer,” Erlin said.

“It’s clear that keeping the national vulnerability database site running is essential, but it’s likely that the level of staffing for the adding of new content has been dramatically reduced,” Erlin continued.

He says that at a minimum, many of these ‘essential’ services are now under-supported, and that means that serious security events are going to be harder to deal with.

“Information security is very often about exceptional circumstances, and the end result of the shutdown is that as a nation we are more vulnerable to cyber-attack,” Erlin said.

In addition, the ripple effects of the shutdown will stem from the changing threat environment. As new vulnerabilities are discovered, systems that remain static over time become progressively less secure, and the longer the shutdown continues the worse this situation becomes, creating a backlog of work and an increased opportunity for compromise.

“Additionally, compromised systems may go for a longer period without detection, allowing an attacker to take more than one step toward their target without being noticed,” Erlin warns. “These deeper intrusions are more likely during this shutdown and harder to uncover when the shutdown ends.”

Lamar Bailey (@btle310), who leads Tripwire’s Vulnerability and Exposures Research Team (VERT), says that the shutdown may be the catalyst for attackers to escalate malicious operations targeting critical systems that contain sensitive information vital to national security.

“If I were a hostile nation state, I would start unleashing everything I have right now in an attempt to exploit as much as possible while federal agencies are distracted,” Bailey said. “In the late 1990’s and early 2000’s, the greatest number of exploits happened over holidays, weekends, and late at night when the IT staff was operating on a skeleton crew. This is no different.”

Bailey points out that next week is Microsoft’s Patch Tuesday, and that the release will probably include at least one critical patch.

“The government shutdown means that there will be fewer resources to update affected systems with this patch, and that means government systems will remain vulnerable until enough resources are available to update them,” Bailey continued. “This is just one example, software patches are being issued all the time, and the longer the shutdown continues, the more that security risks increase.”

Dwayne Melancon (@ThatDwayne), Tripwire’s Chief Technology Officer, says he has been in contact with several Federal agencies that just furloughed a surprisingly large number of IT staff, including information security personnel.

“With this kind of shutdown, electronic infrastructure will keep running even though physical offices shut down, and since some of these agencies have experienced data breaches in the past, the extent of the furlough is surprising,” Melancon said.

“If I were leading an agency right now, I’d place a huge emphasis on retaining adequate security personnel to monitor for suspicious activity and protect systems and data.”

Melancon says that ultimately, this is a question of “connecting security to the mission” in that if you have a clear understanding of which systems are most critical to achieving your mission objectives, decisions about where to invest your limited resources become clearer.

“This mindset is key to making the right decisions when you have to determine critical and non-critical staff. This is true for any business, not just government agencies,” Melancon advised.


Title image courtesy of ShutterStock

  • Patrick Bryant

    I am a contractor for a Federal Agency employed as a cyber security incident responder. During this shutdown, I am going without pay, and unlike Civil Service employees, there has been no bill passed by the House to reimburse contractors for their lost wages.

    This situation creates a very serious danger for our nation caused by a convergence of factors:

    1) The information systems of the United States Government are under continual attack from sophisticated and well-funded foreign governments. At this moment, practically no one is working to repel those attacks. We are in fact engaged in a cyber war right now with several nations. And at this moment – no one is guarding the fort.
    2) Under normal circumstances, the US Government has a serious shortage of trained personnel to maintain countermeasures to those cyber attacks. Most of the personnel that do exist are now furloughed contractors, who have no hope of reimbursement once they return to work.
    3) Since the private sector has a similar shortage of trained cyber security personnel, it behooves those of us who are employed as Federal contractors to seek more reliable employment elsewhere. This will only increase the personnel shortage and exacerbate the risks to the information systems that are an essential part of Federal Government operations.

    I have no doubt that several hostile foreign governments are currently celebrating their unfettered freedom to compromise the security and operational integrity of the Federal Government’s computers and networks. And I am challenged to express in words how demoralizing it is to be considered “non-essential” and to be summarily tossed off our jobs and told to eke out an existence without pay.

    Those of us who work as cyber security contractors for the Federal Government are generally paid less than our counterparts in the private sector. Patriotism and pride in our mission is a large part of our compensation. But pride and patriotism won’t pay our bills, feed our children, or compensate for the lost wages caused by unreliable employment.

    • Patrick – thank you for sharing your "boots on the ground" insight into the matter. It is clear most people, and the majority of power holders in Washington, do not understand the critical role you and other professionals play in protecting our national security. Let's hope everyone gets back to work ASAP.