What was the cybersecurity impact of the shutdown?
For 35 days, former high-ranking feds and Congress publicly warned about the potential negative ramifications of the partial shutdown on federal cybersecurity initiatives. Now with a short-term spending deal in place, many on Capitol Hill are shifting focus towards sifting through the wreckage to determine just how much damage was actually done.
House Homeland Security Committee chairman Bennie Thompson (D-Miss.) said earlier this month that DHS and Congress “will be dealing with the consequences of [the shutdown] for months — or even years — to come.”
At the Jan. 29 State of the Net conference in Washington D.C., Moira Bergin, subcommittee director for the House Homeland subcommittee on Cybersecurity and Infrastructure Protection listed a number of cybersecurity initiatives at DHS — from pipeline security to botnets to election security and activities at the new National Risk Management Center — that simply stopped during the shutdown.
Bergin said the shutdown, coming just over a month after Congress passed a long-awaited reorganization law for the Cybersecurity and Infrastructure Security Agency, “couldn’t have happened at a less opportune time.”
“I think there’s concern among our members about cascading effects of the lost time and strategic planning,” said Bergin. “We learned yesterday that there’s a [monetary] cost to the shutdown, but really the loss is the month we can’t get back.”
A spokesperson for the committee told FCW earlier this month that members plan to use oversight hearings to further press DHS and Trump administration officials on the question in the future.
DHS may not even know the full impact of the shutdown on cybersecurity yet. As FCW reported last week, CISA did not have a plan in place to weather a prolonged funding lapse and one of the priorities coming out of the shutdown is for leadership and regional offices to canvass their systems and programs to determine short-term and long-term operational impacts.
During the shutdown, CISA issued an emergency directive to counter a domain name system tampering campaign that was targeting federal agencies.
Sen. Mark Warner (D-Va.) vice chairman of the Senate Intelligence Committee is concerned. In a Jan. 29 letter to DHS Secretary Kirstjen Nielsen, Warner mentioned the DNS vulnerabilities and noted that the Office of Personnel Management hack that led to the compromise of personal information for more than 21 million federal employees started just weeks after the last shutdown ended in 2013.
“The troubling reality…is that with our federal employees just returning to work, we can only now begin a full accounting of the impact it has had on our nation’s security,” wrote Warner.
Warner wants to know whether the department saw an uptick in attempted attacks or intrusions in the last month, how many cyber employees and contractors were furloughed, where the department is in assessing the impact of the shutdown, impact on workforce and morale, how long it will take to spin back up contract activity and what, if any, work was accomplished on election security.
Sens. Amy Klobuchar (D-Minn.), Ed Markey (D-Mass), Cory Booker (D-NJ), Tom Udall (D-N.M.) and Catherine Cortez Masto (D-Nev.) and Jack Reed (D-R.I.) sent a similar letter to DHS and the National Security Agency the same day.
Of particular concern are the medium and long-term effects the shutdown will have on recruitment and retention of highly qualified cybersecurity talent at DHS. Part of the rationale for changing the name of CISA’s predecessor, the National Protection and Programs Directorate, was that it would help communicate to prospective hires that the agency would serve as the central hub for federal civilian cybersecurity efforts. A funding lapse that results in multiple missed paychecks complicates that recruiting pitch.
“It’s not as if cyber experts that CISA is looking to hire have nowhere else to go,” said Bergin. “They have plenty of places to go where they’re definitely going to get a paycheck.”
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor’s degree in journalism from Hofstra University and a Master’s degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.