The big shutdown threat we aren't talking about
I'm talking about cybersecurity. It may not be front of mind for most Americans, but with the federal government shuttered for an unprecedented fourth straight week, you can bet that it is for many of America's enemies.
The shutdown is a call to action for cyber criminals at home and around the globe to probe for vulnerabilities and strategically position themselves for decisive strikes in the future. While they might not do the big break right now, their silent, successful penetrations of networks today -- and their devastating effects -- would not be known for months, or even longer.
We faced several potential shutdowns during my tenure as CIO for the Executive Office of the President at the White House, from 2006 to 2008. We prepared for the worst and hoped for the best. Thankfully, we never ended up having to execute those plans. But I can tell you that just focusing on a shutdown creates a diversion from the mission, and critical momentum is lost. For reference, an impending government shutdown typically required three lead days of preparation to ensure things functioned appropriately and securely.
During the 2013 shutdown, which lasted for 16 days, many departments and agencies, including the Department of Homeland Security, rather quickly developed plans to keep mission-critical work moving in the case of a shutdown. I'm confident that federal departments and agencies are making similar plans now, but we must remember this: A fire alarm going off doesn't mean the fire is put out.
In other words, cybersecurity systems are in place and running. However, someone has to not only see the alarm, but also be on hand to assess the situation, coordinate assets for response and then actually extinguish the threat.
With their "essential personnel," national security agencies for the most part remain staffed and fully functioning. Staying at home, however, are tens of thousands of government employees and contractors in agencies such as the Departments of State, Homeland Security and Justice, which oversee critical assets in diplomacy, security and judicial oversight.
The stakes today are much higher than in any previous shutdown. This is now the longest furlough of government workers in US history, so it's also the biggest window of increased exposure to hacking to date. Combine that with the fact that cybercriminal capabilities have advanced significantly in the six years since the last lengthy shutdown.
So, what exactly are the potential consequences?
First, routine cybersecurity "hygiene" tasks, like firewall maintenance, are likely being postponed because they often require the buy-in of federal employees who might be furloughed and of federal contract workers who might have been deemed nonessential.
Second, getting to the bottom of whether an "incident" is a false alarm or a major security breach is impossible to do without support staff who are trained to analyze and assess the severity of the threat. Again, they cannot do this work in a vacuum. They need their counterparts in information technology to help them with the systems side, and many of these employees in civilian branches across the federal government are at home.
Third, hiring for key federal cybersecurity and IT positions has slowed -- and perhaps altogether stalled -- diminishing the pipeline of candidates for several months. Those federal workers and contractors who already have those jobs but aren't getting a paycheck may well look for more reliable work in the private sector, where they're less likely to be victims of our nation's dysfunctional politics.
So, too, key decisions on contracts and initiatives for cybersecurity are being postponed indefinitely. For example, Congress recently approved the new Cybersecurity and Infrastructure Security Agency (CISA) at DHS. CISA is just getting off the ground. Running at full speed requires a lot of work and resources, but according to shutdown guidance, over 40% of CISA's staff is furloughed.
And just last month, President Donald Trump signed the SECURE Technology Act, which addresses supply chain vulnerabilities. The funding and program implementation behind SECURE has now ground to a halt. DHS's 2019 Cybersecurity and Innovation Showcase, a leading conference with approximately 1,000 attendees, had to be canceled.
Cybersecurity is hard enough when we're fully staffed and operating effectively. On a good day, we are outmanned, outgunned and out-funded by bold and creative cybercriminals and adversaries. Due to the shutdown, America's cyber defenses are more vulnerable than ever.