02:00 PM

Shutdown Heightens Cybersecurity Risks, Feds Warn

Federal officials say shutdown is invitation to hackers and puts nation at risk.

Senior federal officials are voicing concern that the partial shutdown of federal operations and the furlough of thousands of cybersecurity and intelligence specialists are an open invitation to hackers to exploit security vulnerabilities.

Federal CIO Steven VanRoekel says he fears the reduced number of cybersecurity professionals on active duty across federal agencies gives hackers greater opportunities to move about within agency IT networks and heightens the risks agencies already face that their systems could be compromised.

"If I was a wrongdoer looking for an opportunity, I'd contemplate poking at infrastructure when there are fewer people looking at it," VanRoekel said in remarks to The Wall Street Journal.


VanRoekel explained that while government shutdown plans exempt workers critical to national security, cybersecurity teams had been reduced to a skeleton crew. If agencies came under cyberattack, specialists could be called in, but the loss of real-time response was a real concern, he told the Journal. "I have fewer eyes out there," he added.

VanRoekel, who oversees but has limited direct control over the $82 billion agencies spend on IT and cybersecurity annually, said he isn't able to assess what portion of the government's cybersecurity or IT workers overall have been furloughed. The decision of which employees have been exempted from the current shutdown is made on an agency-by-agency basis.

"The people I would have do that assessment are currently not working," he said, noting one of the many consequences of the government shutdown and its impact on the White House Office of Management and Budget, where VanRoekel works.

Meanwhile, director of national intelligence James R. Clapper, Jr. warned senators Wednesday that the government shutdown, coming on the heels of this year's sequestration cuts, will "further damage our ability to protect the safety and security of this nation and its citizens." Clapper made the remarks during testimony at a previously scheduled hearing on domestic surveillance before the Senate Judiciary Committee, where Chairman Patrick J. Leahy (D-Vt.) asked intelligence leaders to address the effects of the shutdown.

"I've been in the intelligence business for about 50 years. I've never seen anything like this," Clapper told the senators, according to Roll Call. Clapper said 70% of the intelligence community's employees had been deemed non-essential to their agencies' missions and subject to furloughs.

"Our nation needs people like this, and the way we treat them is to tell them, 'You need to go home because we can't afford to pay you,'" National Security Agency director Gen. Keith B. Alexander told the lawmakers. "From my perspective, it has had a huge impact on morale." Sen. Lindsey Graham (R-S.C.), noting that this is the first government shutdown since the terrorist attacks of Sept. 11, 2001, said the comments of Clapper and Alexander "scared the hell out of all of us," according to Roll Call's account.

"The government shutdown in a post-9/11 world is making this nation less safe," Graham said.

User Rank: Apprentice
10/3/2013 | 7:58:57 PM
re: Shutdown Heightens Cybersecurity Risks, Feds Warn
A neighbor of mine is the lead certified security executive responsible for network and cyber security at an agency that supports first responders. He is among those furloughed this week. From what I can tell, the skeletal crew left in charge lacks the depth or detail to know how to deal with a security breach. My neighbor, being the public servant he is, is always close to his phones (plural). But that doesn't give him -- or me -- a lot of assurance.

Just think: two Marine generals were just sacked for neglecting their base from attack. Who gets sacked IF/when federal agencies get attacked? Sadly, it won't likely be anyone in Congress.
User Rank: Apprentice
10/10/2013 | 5:00:23 PM
re: Shutdown Heightens Cybersecurity Risks, Feds Warn
I am a contractor for a Federal Agency employed as a cyber security incident responder. During this shutdown, I am going without pay, and unlike Civil Service employees, there has been no bill passed by the House to reimburse contractors for their lost wages.

This situation creates a very serious danger for our nation caused by a convergence of factors:

1) The information systems of the United States Government are under continual attack from sophisticated and well-funded foreign governments. At this moment, practically no one is working to repel those attacks. We are in fact engaged in a cyber war right now with several nations. And at this moment - no one is guarding the fort.

2) Under normal circumstances, the US Government has a serious shortage of trained personnel to maintain countermeasures to those cyber attacks. Most of the personnel that do exist are now furloughed contractors, who have no hope of reimbursement once they return to work.

3) Since the private sector has a similar shortage of trained cyber security personnel, it behooves those of us who are employed as Federal contractors to seek more reliable employment elsewhere. This will only increase the personnel shortage and exacerbate the risks to the information systems that are an essential part of Federal Government operations.

I have no doubt that several hostile foreign governments are currently celebrating their unfettered freedom to compromise the security and operational integrity of the Federal Government's computers and networks. And I am challenged to express in words how demoralizing it is to be considered "non-essential" and to be summarily tossed off our jobs and told to eke out an existence without pay.

Those of us who work as cyber security contractors for the Federal Government are generally paid less than our counterparts in the private sector. Patriotism and pride in our mission is a large part of our compensation. But pride and patriotism won't pay our bills, feed our children, or compensate for the lost wages caused by unreliable employment.