The looming US federal government shutdown will put the nation’s cybersecurity apparatus under intense strain, increasing the likelihood of cyberattacks across the country’s entire software supply chain if Congress does not pass a budget by the Oct. 1 deadline, experts warn.
The US Department of Homeland Security (DHS) updated its plan to respond to the “lapse in appropriations” that will be triggered in less than three days unless Congress reaches a compromise to fund the federal government. The government shutdown plan includes the indefinite furlough of more than 80% of the Cybersecurity and Infrastructure Security Agency (CISA) workforce.
Shutdown Would Put Enterprise, Infrastructure at Risk
The mass furloughs that would result from a government shutdown would degrade the cybersecurity of the nation’s entire software supply chain, including critical infrastructure, transportation, healthcare, and energy, according to a statement from Justin Williams, managing partner at Optiv.
Threat actor campaigns could run amok without CISA’s ability to rapidly share indicators of compromise; supply chain cyberattacks could go unnoticed and spread unchecked beyond government systems; and even simple regulatory and certification functions would grind to a halt in the wake of a shutdown.
“CISA provides critical linkages by and between our commercial organization and government,” Williams said. “This linkage includes support for organizations who are under duress or otherwise dealing with a cyber event or incident, putting commercial organizations and industry sectors at risk when indicators of compromise (IOC) are not shared among the proper groups to slow or stop the movement of adversaries.”
The skeleton crews left in cybersecurity posts across the government, beyond CISA as well, work under intense conditions during a shutdown, according to Roselle Safran, founder and CEO of KeyCaliber. She was the head of cybersecurity for the Executive Office of the President during the 2013 government shutdown, which lasted over two weeks.
“When I was at EOP, I had to work the night shift part of the week because the analysts on my team were furloughed,” Safran says. “It brings lots of stress to those who are working because they are acutely short-staffed and covering the work of multiple people. And it brings lots of stress to those who aren’t working because they don’t know whether or not they will receive pay for the time period.”
Reminiscing on her experience, Safran adds, “And my daughter is a shutdown baby.”
Government Shutdown Concerning for Cybersecurity
The prospect of a government shutdown should be cause for “concern” among enterprise security teams, according to Jeffrey Wells, a former cyber czar for Maryland and current partner at Sigma7.
Beyond the loss of incident response support, a government shutdown will likely draw the attention of threat actors.
“The shutdown can create an environment that’s perfect for exploitation by hackers,” Wells says. “With government resources and response capabilities potentially limited, threat actors may seize the opportunity to target organizations.”
In preparation, enterprise security teams should be vigilant about monitoring and threat detection measures, he adds.
Government contractors will be affected by furloughs as well, adding even more potential risk into the software supply chain, Wells says.
“To address this, cybersecurity teams should establish alternative channels for reporting incidents and seeking assistance,” Wells adds.
A MITRE spokesperson says the longer a shutdown drags on, the greater the risk to the nation’s cybersecurity posture, as contingency operations inevitably become strained.
To help, MITRE recommends any contractors working under federal contracts continue working, to the extent that it’s reasonable, until they receive a “stop work order.”
State and local governments may also step in to provide reinforcements to the feds, the spokesperson notes.
In the meantime, MITRE says it will continue to offer its tools throughout the shutdown.
“MITRE’s open frameworks and knowledge bases such as MITRE ATT&CK, Caldera, D3FEND, Engage, ATLAS, Security Automation, System of Trust, CVE, and CWE, to name a few, will remain active and available for cyber defenders to level up their threat-informed defense and stay on top of possible adversary threats and cyber vulnerabilities,” the spokesperson says.