Cybersecurity

What was the cybersecurity impact of the shutdown?

 

For 35 days, former high-ranking feds and Congress publicly warned about the potential negative ramifications of the partial shutdown on federal cybersecurity initiatives. Now with a short-term spending deal in place, many on Capitol Hill are shifting focus towards sifting through the wreckage to determine just how much damage was actually done.

House Homeland Security Committee chairman Bennie Thompson (D-Miss.) said earlier this month that DHS and Congress "will be dealing with the consequences of [the shutdown] for months -- or even years -- to come."

At the Jan. 29 State of the Net conference in Washington D.C., Moira Bergin, subcommittee director for the House Homeland subcommittee on Cybersecurity and Infrastructure Protection listed a number of cybersecurity initiatives at DHS -- from pipeline security to botnets to election security and activities at the new National Risk Management Center -- that simply stopped during the shutdown.

Bergin said the shutdown, coming just over a month after Congress passed a long-awaited reorganization law for the Cybersecurity and Infrastructure Security Agency, "couldn't have happened at a less opportune time."

"I think there's concern among our members about cascading effects of the lost time and strategic planning," said Bergin. "We learned yesterday that there's a [monetary] cost to the shutdown, but really the loss is the month we can't get back."

A spokesperson for the committee told FCW earlier this month that members plan to use oversight hearings to further press DHS and Trump administration officials on the question in the future.

DHS may not even know the full impact of the shutdown on cybersecurity yet. As FCW reported last week, CISA did not have a plan in place to weather a prolonged funding lapse and one of the priorities coming out of the shutdown is for leadership and regional offices to canvass their systems and programs to determine short-term and long-term operational impacts.

During the shutdown, CISA issued an emergency directive to counter a domain name system tampering campaign that was targeting federal agencies.

Sen. Mark Warner (D-Va.) vice chairman of the Senate Intelligence Committee is concerned. In a Jan. 29 letter to DHS Secretary Kirstjen Nielsen, Warner mentioned the DNS vulnerabilities and noted that the Office of Personnel Management hack that led to the compromise of personal information for more than 21 million federal employees started just weeks after the last shutdown ended in 2013.

"The troubling reality…is that with our federal employees just returning to work, we can only now begin a full accounting of the impact it has had on our nation's security," wrote Warner.

Warner wants to know whether the department saw an uptick in attempted attacks or intrusions in the last month, how many cyber employees and contractors were furloughed, where the department is in assessing the impact of the shutdown, impact on workforce and morale, how long it will take to spin back up contract activity and what, if any, work was accomplished on election security.

Sens. Amy Klobuchar (D-Minn.), Ed Markey (D-Mass), Cory Booker (D-NJ), Tom Udall (D-N.M.) and Catherine Cortez Masto (D-Nev.) and Jack Reed (D-R.I.) sent a similar letter to DHS and the National Security Agency the same day.

Of particular concern are the medium and long-term effects the shutdown will have on recruitment and retention of highly qualified cybersecurity talent at DHS. Part of the rationale for changing the name of CISA's predecessor, the National Protection and Programs Directorate, was that it would help communicate to prospective hires that the agency would serve as the central hub for federal civilian cybersecurity efforts. A funding lapse that results in multiple missed paychecks complicates that recruiting pitch.

"It's not as if cyber experts that CISA is looking to hire have nowhere else to go," said Bergin. "They have plenty of places to go where they're definitely going to get a paycheck."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.