Congress finally reopened the government after almost two weeks, much to the relief of the federal IT departments that had been affected. We addressed what impact a shutdown could have in a previous post, and now that it has happened, here is what the impact was.
During the shutdown, government IT departments, and with them the people who secure crucial government data, were left out of work, leaving that data more easily accessible. It is a known fact that US government agencies (DOD, Civilian and Intelligence) are a primary target of state-sponsored cyber attacks and other external vulnerabilities. The government’s IT infrastructure is extremely complex and diverse. There are millions of IT assets connected to the Internet, and thousands, if not millions, of vulnerabilities that need to be patched on a daily, weekly and monthly basis. Government IT pros typically manage these jobs with great skill, but now, with a shortage of workers to handle these crucial tasks, a great crisis looms.
There is a multitude of unintended and dangerous consequences of the current government shutdown for cyber security. Here are just a few:
- A majority of the thousands of cyber security projects that were funded and awarded during the last government fiscal year, ending September 30th, 2013, were in limbo, as the great majority of them are normally implemented with the help of civilian contractors. These projects were key to improving cyber security surrounding our Nation’s critical infrastructure as well as data intelligence at several government departments, programs and agencies.
- Civilian contractors were forced to either reduce the staff assigned to these projects or deploy them elsewhere. Even with the Secretary of Defense recalling all civilian and non-government contractors, it will require compensation for lost time and talent. Several data breaches and real IP instability were inevitable. These highly talented security experts are already scarce; they will seek employment elsewhere and will not be returning to work on government cyber security programs. In a market where there is a significant shortage of trained cyber security professionals, this loss will have long-term implications for our ability to fight cyber wars.
- Implementation of programs such as DHS CDM (Continuous Diagnostics and Mitigation), whose goal is to protect all government agencies and departments from cyber attacks by improving their cyber defenses, had virtually come to a halt as a result of the shutdown. The Phase I implementation of CDM is now delayed, thus exposing hundreds of agencies.
- The development and completion of the cyber security framework that NIST is developing under President Obama’s executive order was put on hold. This places undue time pressure and constraints on completing the work in time to meet the February 2014 deadline. A comprehensive framework and policy is critical to protecting our critical infrastructure and requires resources to be truly effective when implemented. The current shutdown makes this a challenging task.
- The skeleton staff managing cyber security programs across all government agencies (DOD, Civilian and Intelligence) was forced to make hard choices about where to spend its limited human resources. Several damaging breaches and attacks that are not investigated in a timely and comprehensive way increase the threat level and weaken cyber security protections.
With skeleton resources, completing the implementation of security controls and patches in a timely manner is extremely challenging. Even in a normal period, patching all systems across all government agencies is a monumental task. Any security professional will tell you that bad actors need just one access point or one vulnerability to wreak havoc. The unwise decision to scale back cyber security and network operations by removing the civilian workforce from protecting our government networks means that thousands of vulnerabilities are being exploited on a daily basis and terabytes of valuable IP are being stolen across many government agencies.
Even though the government has reopened, these systems will take some time to be patched up. Lawmakers should take a real hard look at the consequences of their politically motivated actions. At the end of the day, it is the taxpayers and citizens who pay the big price. US government agencies spent billions of dollars inventing and creating this huge treasure of IP that gives us a global competitive edge – commercially and militarily. This is being compromised due to the shutdown, and the damage from our weakened cyber security will be irreversible.