The lack of a security crisis during the government shutdown has created a false confidence about the safety of U.S. networks and critical infrastructure.
We’re approaching the end of the second week of the federal shutdown and so far there have been no cyber crises. This is the point in the movie where the hero says, “It’s quiet out there. Almost too quiet.”
We should not assume that because we haven’t seen major actions against our IT systems that nothing is happening. If we have learned anything from experience it is that the breaches we don’t see are far worse than the ones we do, and there’s no reason to believe that stealthy intrusions are less likely now that staff, funding and other resources have been cut to the bone.
The United States is the number one target in an ongoing global cyber cold war and that is not going to stop because Congress will not pass a budget.
“It is wishful thinking that in the current environment we are not going to be targeted and that a few people can manage all of that infrastructure,” said Vijay Basani, CEO of EiQ Networks, which provides security intelligence tools and services to the government.
Since Oct. 1, shuttered websites have been sending the wrong message to our enemies and our friends about our commitment to cybersecurity. A particular concern: Online versions of the National Institute of Standards and Technology’s cybersecurity guidance are unavailable and NIST’s work on a cybersecurity framework for critical infrastructure, due Oct. 10, has been halted, unfinished.
Yet our IT systems have not disappeared. Patching and monitoring cannot get the same level of attention as during normal operations and dealing with cybersecurity as a crisis rather than a process is bad policy and bad security.
Essential crews remain at work, but the morale of IT and security professionals still on the job without pay cannot be very good and the prospect of hiring qualified professionals in the future becomes bleaker by the day. What competent worker would choose to go to work for a dysfunctional government that won’t pay its bills as long as there are jobs in the private sector?
Basani warned that the impact of gridlock began even before the shutdown. The sequester cut into budgets before the end of the fiscal year, when many procurements and acquisitions are done. And contracts that were in place by the end of the year cannot be implemented, so upgrades and replacement of systems, components and security tools are delayed. Meanwhile, the Homeland Security Department’s Continuous Diagnostics and Mitigation program, which was to be spurred by the award of 17 blanket purchase agreements in August, has been essentially put on hold until government can get back to business.
In short, as Basani said, “as much as politicians talk about cybersecurity, I don’t think they really understand the implications of the shutdown on cybersecurity.”
The best we can hope for is that those in charge learn from this experience and realize that cybersecurity should be outside the scope of political spitting matches.
The worst we can fear is that nothing is learned because there is no obvious cyber Armageddon and we do not see the cancer working its way through out systems.