Cybersecurity experts are worried that the United States is at greater risk of cyberattack due to the federal.
Maintaining the nation's robust cyber-defense infrastructure—including hardware and software systems—relies on thousands of now-furloughed employees. With fewer trained professionals monitoring U.S. digital systems, the country is at greater risk of attack, data theft, and falling behind in the cyber arms race, experts say.
A large percentage of workers at two of the nation's most important cyber-defense agencies are not working due to the partial government shutdown. According to the MIT Technology Review, approximately 45 percent of employees at the Cybersecurity and Infrastructure Protection Agency, a part of the Department of Homeland Security, and 85 percent of staffers at the National Institute of Standards and Technology, the department in charge of maintaining cybersecurity standards, are on furlough.
"We have laid out the welcome mat to any and all nefarious actors," said Mike O'Malley, VP of strategy at cloud defense firm Radware. "Unfortunately, we know all too well from experience that hackers, especially nation-state sponsored, have a high level of patience and are willing to lie in wait for the most opportune moment to strike."
And a government shutdown, he said, is the perfect moment to strike. With our defenses down attackers will try to quietly exfiltrate data or plant malware that snoops on U.S. computer systems.
"Any department that has sensitive information that can be used in espionage or fraud would be hit hardest by an attack," O'Malley said, "such as the Department of Homeland Security, State Department, and all of the intelligence services. The risk is not only for short-term data theft but also injection of longer-term persistent attacks."
Short staffing also leaves the IRS exposed to hostile and covert cyber activity, said Bryson Bort, CEO of cyberdefense firm SCYTHE and a fellow at the National Security Institute. Cyber vulnerabilities at the IRS could prevent millions of Americans fromon time.
"Monitoring is probably not happening at 100 percent of usual operations, which means that there is an increased chance that malicious activity may not be spotted," said Bort, noting "the timing of the shutdown right as we move into tax season."
Bort is primarily concerned with two interconnected types of threat actors: for-profit hackers and organized nation-state groups. For-profit hackers will either want to sell data back to nation-states, or are looking for personal identity records to use in fraud and identity theft. Nation-state actors may include "China, Iran, Russia, and North Korea," said Bort. "But I don't think they will 'attack.' I do think this is a good opportunity to step up iterative campaigns to compromise, gather intelligence, and place something quiet for the future."
A cyberattack or data breach targeting government agencies during the shutdown could also cost taxpayers millions of dollars. In its annual data breach analysis report, IBM estimated the average total cost per breach to businesses was about $3.86 million in 2018, up 6.4 percent from the previous year. The cost to the government could be significantly higher because without proper monitoring during the shutdown, digital holes could persist for weeks or longer.
The shutdown will also impact agencies' ability to upgrade existing systems, repair hardware, and build new cyber defense capabilities, said Dave Mihelcic, federal chief technology and strategy officer for Juniper Networks and the former chief technology officer of the Pentagon's Defense Information Systems Agency.
"Many projects were likely already on hold due to the continuing resolution affecting numerous agencies," said Mihelcic. "With the shutdown, even previously funded efforts have been slowed. For example, the upgrading of desktop operating systems to the most recent and secure versions. The shutdown could have lasting impacts in the cyber-readiness longer term."
Ray DeMeo, co-founder and COO of cyber-defense firm Virsec, is concerned that the government shutdown could have negative long-term consequences on government staffing and recruiting for important cybersecurity jobs in the future. These jobs, DeMeo says, keep Americans safe.
"Even at full capacity, resources are at a bare minimum for the mountain of work at hand just to get the government's IT infrastructure up to minimum levels of resiliency, all while working against the nonstop firehose of hour-by-hour attacker assaults," DeMeo said. "Attempting to parse critical and non-critical cyber personnel is not possible. It's quite literally dismissing the people who are building your fort while you are in the middle of fighting a war."