Federal Cybersecurity Needs Its Own Shutdown
Soon, I think it's likely that government leaders will be forced to conclude that the security implications of keeping unpaid federal employees on the job are worse than the implications of shutting those functions down altogether.
The law that allows the government to maintain “essential” functions during a lapse in funding, the Anti-Deficiency Act, provides a fairly narrow definition of what essential means. Under it, the only personnel that may be kept at work are those necessary for the prevention of “emergencies involving the safety of human life or the protection of property.”
I’ve argued elsewhere that continuing 85 percent of government operations stretches the bounds of this definition. But, at thirty-plus days, the national security implications of keeping some federal employees working are likely worse than the national security implications of sending them home. This is likely true for TSA workers, air traffic controllers, and IT and IT security teams.
In an organization as large and complex as the federal government, knowing with any degree of certainty which IT roles are essential is all but impossible. Moreover, as the shutdown lengthens and morale goes from bad to worse, the likelihood that the remaining employees are doing their jobs and doing them well is low. A colleague at a security rating firm told me that there are signs that scores for even basic cybersecurity hygiene are going down.
The shutdown is the best thing that ever happened to recruiters at cybersecurity firms. With savings depleted and credit cards maxed, giving up on “the mission” and taking a private sector role is a lot easier to do (I expect any day now that firms will offer starting bonuses equal to the back wages since the shutdown).
And while the defenders of federal networks are facing low morale and are unsupported, I have no doubt that our adversaries are fully supported in their mission to compromise federal networks. It’s likely that the postmortem of the next major federal breach will show that the initial compromise occurred during or shortly after the end of the shutdown.
There is an old adage in IT security that the only secure computer is one that is unplugged. Thinking along these lines, the best course of action at this stage may be to reduce the federal IT infrastructure to a bare minimum.
Right now, millions of email messages are queuing up, waiting for federal workers to return and start the process of plowing through them. Many thousands are going to be targeted spear-phishing emails from adversaries who are counting on rushed workers letting their guard down in the days after the shutdown ends. Instead of the polite automated replies streaming out of email servers, shut down the servers.
Along similar lines, instead of what appear to be ad hoc decisions on whether and how to maintain web presences, federal agencies should shut down their web servers and thereby reduce the attack surface. When funding is reinstated, federal IT systems should be brought back online slowly and deliberately.
The shutdown is a political failure that is likely to cause cascading failures for IT systems and the IT security systems that protect them. Rather than attempting to maintain the security of these systems, a better alternative is to put them in fail-safe mode and shut them down.