Last month, as the federal government halted operations for the second time in five years, you may have wondered whether federal cybersecurity workers tasked with fighting global computer threats like WannaCry, NotPetya, and Mirai were told to stay home.
Many certainly were in 2013, when the government closed shop for 17 days. Fortunately, globally destructive hacks also took a vacation during that shutdown, a period attackers may have seen as an opportune time to probe government networks, says Gregory Touhill, a former Air Force general and federal chief information security officer late in President Barack Obama’s administration.
“[Cybersecurity] folks were furloughed or sent home, and that was unacceptable, because it’s the equivalent of leaving your gates wide open,” Touhill says. “When you know that you’re not at full strength, that’s when potential adversaries will test you the most.”
Touhill, now president of the federal group at secure-infrastructure specialist Cyxtera Technologies, became determined to take a “risk-based approach” during the next shutdown. He and other government officials used the 2013 shutdown as a “teachable moment” in developing contingency plans outlining which federal programs and workers are essential during an official government shutdown. They successfully pushed for cybersecurity employees and contractors to be included in the list.
Those plans were put in place this January, just in time for the shutdown. And with a hyperpartisan Congress currently operating the government on short-term funding bills, they might come into play again this month.
The cybersecurity programs of federal agencies today are exempt from a shutdown, “as these functions are necessary to avoid imminent threat to federal property,” the U.S. Office of Management and Budget said in an advisory it issued January 19, a day before the recent shutdown started. “Agencies must also ensure the preservation of agency information, including electronic records, and maintain the security, confidentiality, and integrity of such information.”
It’s unclear whether all agencies followed the OMB guidelines. The Department of Homeland Security, the agency focused on bolstering cybersecurity for civilian agencies, didn’t respond to requests asking how agencies responded during the recent shutdown.
In some cases, cybersecurity contractors may still be sent home during a shutdown, says Don Maclean, chief cybersecurity technologist at DLT Solutions, a technology reseller focused on government markets. And he says a lot of “little things” can keep them from working, regardless, such as security guards not knowing who’s allowed in the building during the shutdown.
In past shutdowns, some agencies turned off some of their IT systems as a precaution, Maclean says. “It’s kind of hard to attack a system when the machines are all turned off.”
Cybersecurity response teams at the FBI, DHS, Department of Defense, and intelligence agencies remained at work during January’s shutdown, but some support staff and cybersecurity researchers may have been furloughed, says Suzanne Magee, CEO of Bandura Systems, a cybersecurity vendor with several government customers.
There are “people in chairs” who will respond, if there’s a cyberattack during a government shutdown, she says. But the prospect of repeated shutdowns and furloughs could impact workplace morale among—and retention of—government cybersecurity workers.
“It’s hard enough to find good cyber talent,” she says. Cybersecurity researchers who are furloughed may think they can “go to a Silicon Valley company and make a lot more money.”
John Lainhart, who as a federal employee for 30 years experienced “several” government shutdowns, agrees. Cybersecurity workers “can easily leave the madness of government, and work for a company that values what they do and is funded with a steady stream of cash,” says Lainhart, now senior cybersecurity strategist for the public sector at auditing firm Grant Thornton, a federal-government vendor. “They will let their feet do the talking as they walk out.”
Poor employee morale can also hurt security, Lainhart adds. “I can tell you that morale decreases at the threat of a government shutdown and during an actual government shutdown,” he says. “As a result, the insider threat is increased—people are upset and may want to get back at the system that has let them down.”
And the prospect of government shutdowns also impacts cybersecurity research, Lainhart and Magee say.
By running the government on short-term budgets, “we are prohibiting the investment in new cybersecurity programs,” Lainhart says. “While cybersecurity adversaries are constantly innovating and developing new methods of attack, running a government under a [short-term budget] prevents our ability to innovate and fight against cyberattacks.”
Updated at 10:35 a.m. on February 5 to fix a typo. A previous government shutdown occurred in 2013.