Facing Government Shutdown Cybersecurity Challenges Requires Strong Planning, Risk Assessment
It has been nine days since the federal government began sending employees home on furloughs due to the stalemate in Congress.
During that time, several government websites have either shutdown completely, like usda.gov, while others have curtailed their operations while remaining publicly available. In a less visible side effect, NSA Director Keith B. Alexander said Tuesday that the morale of the country’s cybersecurity workforce is suffering.
Unfortunately, during those nine days, it is unlikely that attackers – both sophisticated and not – have taken furloughs of their own – a reality that caused federal chief information officer Steven VanRoekel to tell the Wall Street Journal he was afraid that hackers could seize on the staffing gaps to compromise U.S. systems.
“If I was a wrongdoer looking for an opportunity, I’d contemplate poking at infrastructure when there are fewer people looking at it,” he told the Journal Oct. 2, noting that while critical workers were spared, most federal sites are being run on a “skeleton crew.”
Mitigating the threat posed by this type of scenario for government agencies begins with proper planning and risk assessment, security experts told SecurityWeek.
“A scenario like the one we are experiencing today should have been rehearsed as a part of the business continuity program,” said TK Keanini, CTO at Lancope. “Some agencies have contracted external help and I would guess the same applies to critical Internet Infrastructure but I may be wrong. For those systems still running on a skeleton crew, a known good snapshot taken before the shutdown is insurance to return to a known good state should something happen during the shutdown.”
Organizations should make a list of updates that were released during the shutdown that will need to be applied when people return to work. They should also ensure their detection tools have adequate retention so that any event can analyzed retroactively, he said.
“It is critical that agencies rehearse these very likely events,” he said. “Roundtable exercises with these scenarios help the agency understand all of the interdependencies and communication channels well before it is a real event.”
“In every case, the most effective strategies seem to include two things: leadership involvement and proactive testing/continuous monitoring,” he said. “In the first factor, leaders who show interest in continuity planning, provide clear guidance, monitor key performance indicators, and hold their teams accountable for results have so far enjoyed a quieter and slightly less stressful event.”
Before the shutdown, VanRoekel said he advised U.S. agencies to exempt cybersecurity staff that monitor computer networks for attacks. Still, most of the staff responsible for responding to cyberattacks were furloughed, he told the Journal.
It only makes sense for attackers to try to seize on that opportunity, Slobodzian said.
“For instance, there are fresh vulnerabilities that may not be patched as quickly as normal,” he said. “More sophisticated attacks that require expert analysis to identify may stand out more while authorized traffic is reduced. However, if the expert analysts are furloughed or understaffed the sophisticated attacks may be more successful. Oftentimes it is necessary to undergo the time-consuming task of log analysis to catch a sophisticated attack. A shutdown will require some security teams to limit or delay their analysis of logs, making innovative attacks more likely to succeed.”
With advanced threats, now is a great time to compromise a host and lay low for a while, Keanini said. Attacks are still triggering alerts – just with less people around to process security-related events.
“Another weakness during times like this is that people are easily fooled given that nothing is normal,” he said. “Traffic patterns are different, the person staffing the desk may be different, with all this change, social engineering attacks can be very effective.”
The good news is that with less activity, unauthorized or inappropriate actions may be easier to spot. Still, it is important not to underestimate the number of active campaigns attempting to inflitrate government networks, noted Tom Kellermann, vice president of cybersecurity at Trend Micro.
“Every day we deal with this shutdown they move laterally and infest another critical host of the United States government,” he said.