Despite respite, national security has been severely impacted by government shutdown

Jan. 25, 2019
Federal law enforcement and intelligence agencies, along with aviation and cybersecurity sectors now in critical mode

Many veteran federal government officials have been struck by the irony of the ongoing government shutdown which lasted 35 days before Congress and the Administration settled on a brief respite today. The current administration has built its argument around the premise that the principles propping up the shutdown rest on the preservation of national security. Yet, how disturbingly ironic it is said former and present FBI personnel, cybersecurity experts and corporate security executives that the effects of the government shutdown are instead throwing the United States into a potential national security crisis on more than one front. For the myriad concerned security and government agencies, the realities of the shutdown are that homeland, aviation, transportation, school, critical infrastructure and cybersecurity are all being severely impacted; and that is not fake news.

Airport security managers around the country are at odds with TSA officials concerning unscheduled absences of TSA rank and file claiming the safety of the flying public is at stake, while TSA says there has “been no degradation of security effectiveness.”

Even the Airline Pilots Association sent a letter to the President in early January voicing their security and safety concerns. “The nation’s airspace system is a complex transportation network that involves government and industry partnerships to function properly, and the disruptions being caused by the shutdown are threatening the safe operations of this network… When any of [DOT and DHS] responsibilities are placed on pause due to a shutdown there are safety, security and efficiency gaps that immediately emerge.”

Security Threats on all Fronts

As Frank Figliuzzi sees it, the government shutdown is a triple national security whammy. The former Assistant Director of Counterintelligence for the FBI who had more than 25 years of service with the Bureau and is currently the COO for ETS Global Risk Management in Boston, admits there are three ways the shutdown may impact our national security.

“First, this increases the risk of the insider threat. U.S. intelligence and counterintelligence professionals understand that one way we assess the stability or vulnerability of other governments is to observe how they treat their own public servants,” says Figliuzzi. “When foreign intelligence officers can't feed their families or pay the rent, we seize that opportunity to recruit or solicit intelligence from those disgruntled employees. So, we can be sure that our adversary counterparts are plotting, or may have already tried, to approach vulnerable U.S. intelligence officers and tried to exploit this shutdown by offering them cash.”

In fact, the January 2019 issue of Voices from the Field, a printed glossy newsletter published by the FBI Agents Association, contained reports from FBI Special Agents nationwide that illustrate how the government shutdown affects their work and identifies the risks that may emerge as it continues.

As stated in the opening pages, “FBIAA is releasing Voices from the Field to ensure that Congress, the Administration, and the public are aware of the real and daily challenges faced by FBI Agents and the risks to national security posed by a prolonged shutdown.”

The bottom line, according to the FBIAA, is that due to the essential role of protecting national security, FBI Special Agents are working without pay and most feel it is undermining the FBI’s mission. Not only are crucial FBI investigative missions both in the U.S. and abroad in dire need of funding to continue operations, thus putting terrorist investigations, sex-trafficking and other high-value criminal operations on hold, the uncertainty of future paychecks and the continued rebuke of the President towards the FBI itself is seriously undermining the FBI’s “ability to recruit and retain high-caliber professionals....The ongoing financial insecurity caused by the failure to fund the FBI could lead some FBI Agents to consider career options that provide more stability for their families.”

According to Figliuzzi, there is also the external threats that pose a danger to national security.

“Our adversaries plan for scenarios like this where the U.S. defenses or ability to collect and process intelligence are weakened. I would not be at all surprised if we see our defenses tested during this shutdown. A Russian submarine off the East Coast, a Chinese fighter jet challenging an American ship or aircraft. The threat may be even greater on the Counterterrorism side where our linguists may be sitting at home unpaid instead of interpreting electronic intercepts of communications between subjects planning to attack us,” warns Figliuzzi. “Let's not forget our cyber defenses and the likelihood that furloughed IT security professionals are no longer updating encryption certificates or pushing patches through an agency's network. Countries like Iran and North Korea can be expected to test weaknesses in our cyber defenses.”

The former Assistant Director of Counterintelligence also chides the current atmosphere of distrust by the current administration with the traditional norms usually associated with the country’s intelligence community as a potential security risk.

“Third, there's the long-term impact on our intelligence community. Lowered morale, increased frustrations, and lack of compensation are now combined with the denigrating way this President has treated and mistreated our nation's intelligence and federal law enforcement officers. The ability to recruit and retain talent will suffer if this shut down lasts much longer. As we speak, I'm certain that some of the most talented professionals in our governments are sending their resumes out in search of more stable work with higher compensation,” blasts Figliuzzi.

Impacts to Cybersecurity Could be Crippling for Years to Come

While the shutdown’s crippling effect on the FBI and national intelligence agencies to properly perform their jobs related to national security are tangible and custom-made for sound-bite cable television talking heads, the more insidious security threats swim beneath the headlines in the rivers of networked systems in federal agencies and IT data centers across the country.

For Jason Yakencheck, the President for ISACA’s Greater Washington D.C. chapter, the longest government shutdown in U.S. history will impact the effectiveness of cybersecurity in the federal government for years to come. He says the near-term effects of the shutdown are more apparent than some of the downstream impacts.

“We regularly see or hear about the furloughed staff not receiving a paycheck, the growing list of .gov websites with expired Transport Layer Security (TLS) certificates, the unavailable National Institute of Standards and Technology (NIST) content, or bare-bones staff left to perform system monitoring. Conversely, it is much harder to quantify the adverse long-term impact of the prolonged government shutdown,” Yakencheck surmises.

He continues that when one takes a closer look at some affected elements, the extent of the consequences will only be known later. NIST resources being affected by the shutdown hurts both the public and private sectors. Its guidance is heavily relied upon for compliance and security, regardless of industry. NIST is expected to release updates to major Special Publications in 2019 such as 800-53: Rev 5, 800-53A: Rev 5, 800-160: Rev 2, and 800-171: Rev 2. Updates to FIPS 199 and FIPS 200 are also on the horizon. The shutdown may cause delays to the completion of these efforts and thus push back adoption by the government and private industry.

“The government already faces an incredible cybersecurity skills and resources gap. The shutdown is surely going to exacerbate this problem by making it more difficult to attract talented new employees and fill critical needs. University graduates are going to think twice before taking a job with the government compared to the private sector. It may get to the point where existing government employees possessing in-demand skills may start seeking new employment opportunities,” laments Yakencheck. “DHS’s new Cybersecurity and Infrastructure Security Agency suffers from a large percentage of its staff currently furloughed. The new agency ‘leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.’ But with such a significant portion of its staff not working, the agency’s ability to meet its goals and objectives will be affected.”

Yakencheck also points out the danger of some government projects that are not currently on hold may soon be reaching the point where they run out of funding and must be stopped. He says that this situation will not only results in more furloughs but may cause delays to implementation schedules. An increase in contractor furloughs may also cause them to seek new employment opportunities, leaving the government project short-staffed when the shutdown ends. The lost time will have to be made up through scope reduction or sliding the schedule to the right.

“Unfortunately, the end result is likely to be increased spending by the government and a final product delivered later than originally planned,” Yakencheck warns. “We are all hopeful that the government shutdown will conclude soon, and agencies can get back on track quickly. Regardless of when it ends, the extent of the lasting impact on cybersecurity is daunting.”

Current Shutdown Only Exacerbates Security Brain Drain

Many cybersecurity experts are worried the government shutdown’s biggest security gap is the furloughing of cybersecurity analysts. The vulnerabilities to government networks have Nick Bilogorskiy, a cybersecurity strategist at Juniper Networks extremely concerned.

“As we all know, the top problem in security today is the shortage of trained cybersecurity professionals, and the cybersecurity skills shortage was already getting worse in 2018 with millions of unfilled cybersecurity jobs. Now, with the shutdown and some staff furloughed, this problem is exacerbated. Attackers are likely to intensify their activity during the shutdown to exploit this. Longer term, it’s likely that the government will lose valuable cybersecurity talent to the private sector,” he says.

Dave Mihelcic, Federal Chief Technology and Strategy Officer for Juniper Networks, and former Chief Technology Officer of the government’s Defense Information Systems Agency (DISA) says the evidence from prior shutdowns proves that recruiting and hiring cybersecurity candidates for crucial government functions suffers. But he warns that perhaps the most significant challenge posed by these shutdowns has been the lasting impressions they made on young IT professionals.

“Undoubtedly IT job seekers had a more negative view of federal employment due to the shutdown.  Likewise, the most talented IT professionals in federal service were left with lasting questions about their future that would cause some to seek outside opportunities,” adds Mihelcic. “With the class of 2019 graduating in just a few months, there is a new pool of talent entering the job market who have a dynamic set of IT and cyber skills to offer employers from both the private and public sector. As the war for this pool of talent begins, the government furlough could present significant ramifications for agencies because they are currently precluded from making any headway in attracting, recruiting and hiring prospective IT and cyber candidates.”

According to Mihelcic, the shutdown could greatly hinder the federal government’s ability to recruit top IT talent. In many cases, agencies are simply incapable of competing against private industry on salary alone. Coupled with a more complex recruiting process and security clearances that can last up to 18 months, the shutdown could be the tipping point for soon-to-be graduates who are pursuing careers in IT and cyber to join the private sector rather than the federal government, as it signals there could be far less stability for future jobs in the public sector.  However, data from the Office of Personnel Management shows that millennial talent is needed now more than ever before. In fact, the number of federal employees who are eligible to retire will rise to 30 percent within the next five years. This means that the existing cyber and IT talent gaps affecting the federal government will continue to widen if the federal government is unable to tap prospective candidates.  

Gary Hayslip, the CISO for Webroot has the benefit of experience for the ramifications of both a shutdown and its impact on personnel. He says it depends on each organization and whether they have designated their cybersecurity teams as essential personnel.

“I was my organization’s CISO and considered essential so I would have to come in. However, most of my team was considered non-essential so they would stay home. Of course, this isn't a way to operate a security program but in a federal shutdown, most security operations go into a coast mode. Large organizations like the NSA or essential cyber operations at DoD may have a waiver to keep everyone there but they are still affected because contractors they may rely on who will not be able to work and support organizations like NIST, US-Cert (United States Computer Emergency Readiness Team), or their own procurement department will be closed.

“What should be worrying the federal government is that they already said they are in a crunch to try and hire enough cybersecurity personnel. With this ongoing shutdown, you must wonder how many of their current cybersecurity personnel aren't looking over the fence at private industry and thinking maybe it’s time for a change,” concludes Hayslip.

About the Author:

Steve Lasky is a 32-year veteran of the security industry. He is the editorial director of SecurityInfoWatch.com Media Group. He can be reached at [email protected].

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]