It has been nearly four months since the US government shutdown ended on January 25, 2019. Yet in the wake of the record-setting event, one critical component of the federal government is still reeling: its cybersecurity workers.
Furloughed for more than a month, these employees are now scrambling to patch outdated systems and sift through a massive pile of network activity logs. Making their struggle even more challenging, federal cybersecurity efforts weren’t exactly progressing efficiently or thoroughly prior to the shutdown.
One recent report found that 74% of federal agencies urgently need an upgrade of their digital defenses, half of government agencies lack the ability to catalog software that runs on their networks, and only 25% of the agencies meet the Office of Management and Budget standards when it comes to identifying and assessing any evidence of a data breach.
The number of compounding challenges agencies face, coupled with the increasing sophistication of highly patient attackers, should lead us to deeper questions about how the shutdown is still impacting the nation’s security today.
Existing tactics are no match for ever-increasing threats and a chronic backlog
Perhaps more concerning than the precarious state of federal cybersecurity is the harsh reality that there’s no catching up when it comes to cybersecurity. Federal workers are dealing with issues that are all too familiar to anyone working in the field:
- The ever-increasing volume and rate of incoming alerts make it impossible to keep up, and the clock never stops. There are 50 billion connected devices today, all of which require constant discovery, monitoring, profiling and classification. It’s no wonder, then, that the time needed to detect and respond to the alerts these devices generate is currently 197 days, on average.
- The chronic shortage of cybersecurity professionals needed to review these alerts makes the problem even worse, and this shortage shows little sign of improving any time soon. In fact, the Departments of Commerce and Homeland Security estimate that the cybersecurity skills gap will grow to 1.8 million unfilled positions by 2022.
In the federal government – where cyber-attacks don’t just lead to financial loss or reputational damage but can also have far more dire geopolitical consequences – keeping on top of security alerts in a timely, scalable manner is paramount. Pausing cybersecurity efforts during a government shutdown is unacceptable, and continuing to rely on existing tactics and resources (or lack thereof) is futile.
It’s difficult to estimate the volume of threats across government agencies, but there’s no doubt it’s an extremely large number. For comparison, the Defense Department alone thwarts 36 million emails full of malware, viruses and phishing schemes every single day. Considering the most recent government shutdown lasted 34 full days, that’s a staggering 1,224,000,000 email breach attempts – just email breach attempts, mind you – during that time period.
Again, with cybersecurity workers furloughed, the threats they would normally deal with (or more accurately, struggle to deal with) on a daily basis just continued to add up and expand the backlog during the shutdown.
In cybersecurity as in politics, history matters
Even as attention turns to securing the 2020 elections, the shutdown is very recent history for a patient nation-state or other sophisticated attackers.
Looking backwards as well as forwards will be equally critical for ensuring our national cybersecurity. This doesn’t just mean catching up with alerts (a monumental task in itself); it also means giving attention to shifts in trends and behaviors that occurred during or after the shutdown. We should be asking whether the government’s alert triage and network monitoring efforts incorporate historical data and context.
If something did get through our defenses during the shutdown, full-packet capture and triage conducted through autonomous detection is the only practical way to identify its footprint.
From a practical standpoint, the shutdown prompted some government employees to take jobs in the private sector, and that workforce churn will have produced changes in the network, as it always does: devices change hands, user accounts are created and retired, new people come on board, and so on. Are these shifts being monitored and correlated with context, protocols and timelines? Is there even the time to do this manually? It’s clearly a job that must be done at machine scale if we hope to detect behaviors and indicators that might point to an insider threat or an outside compromise.
Improving government readiness and the tools our cyber-defenders have at their disposal is important. At the very least, it might also be time to revisit the definition of who we consider to be essential employees during a shutdown.
With attackers able to move laterally and “work the system” once inside, our federal cybersecurity is only as secure as its weakest link. Pausing the work of cybersecurity professionals across furloughed agencies seriously weakens our armor.
As the US government continues to work to catch up from the shutdown and strengthen its cybersecurity posture, the numbers alone unfortunately tell us that we shouldn’t be surprised if the “Ides of January” haunt us. I expect that this ghost hasn’t yet been exorcised and will reappear at some point in the months and even years ahead.