02:00 PM

Shutdown Heightens Cybersecurity Risks, Feds Warn

Federal officials say shutdown is invitation to hackers and puts nation at risk.

Senior federal officials are voicing concern that the partial shutdown of federal operations and the furlough of thousands of cybersecurity and intelligence specialists are an open invitation to hackers to exploit security vulnerabilities.

Federal CIO Steven VanRoekel says he fears the reduced number of cybersecurity professionals on active duty across federal agencies gives hackers greater opportunities to move about within agency IT networks and heightens the risks agencies already face that their systems could be compromised.

"If I was a wrongdoer looking for an opportunity, I'd contemplate poking at infrastructure when there are fewer people looking at it," VanRoekel said in remarks to The Wall Street Journal.


VanRoekel explained that while government shutdown plans exempt workers critical to national security, cybersecurity teams had been reduced to a skeleton crew. If agencies came under cyberattack, specialists could be called in, but the loss of real-time response was a real concern, he told the Journal. "I have fewer eyes out there," he added.

VanRoekel, who oversees but has limited direct control over the $82 billion agencies spend on IT and cybersecurity annually, said he isn't able to assess what portion of the government's cybersecurity or IT workers overall have been furloughed. The decision of which employees have been exempted from the current shutdown is made on an agency-by-agency basis.

"The people I would have do that assessment are currently not working," he said, noting one of the many consequences of the government shutdown and its impact on the White House Office of Management and Budget, where VanRoekel works.

Meanwhile, director of national intelligence James R. Clapper, Jr. warned senators Wednesday that the government shutdown, coming on the heels of this year's sequestration cuts, will "further damage our ability to protect the safety and security of this nation and its citizens." Clapper made the remarks during testimony at a previously scheduled hearing on domestic surveillance before the Senate Judiciary Committee, where Chairman Patrick J. Leahy (D-Vt.) asked intelligence leaders to address the effects of the shutdown.

"I've been in the intelligence business for about 50 years. I've never seen anything like this," Clapper told the senators, according to Roll Call. Clapper said 70% of the intelligence community's employees had been deemed non-essential to their agencies' missions and subject to furloughs.

"Our nation needs people like this, and the way we treat them is to tell them, 'You need to go home because we can't afford to pay you,'" National Security Agency director Gen. Keith B. Alexander told the lawmaker. "From my perspective, it has had a huge impact on morale." Sen. Lindsey Graham (R-S.C.), noting that this is the first government shutdown since the terrorist attacks of Sept. 11, 2001, said the comments of Clapper and Alexander "scared the hell out of all of us," according to Roll Call's account.

"The government shutdown in a post-9/11 world is making this nation less safe," Graham said.

User Rank: Apprentice
10/10/2013 | 5:00:23 PM
re: Shutdown Heightens Cybersecurity Risks, Feds Warn
I am a contractor for a Federal Agency employed as a cyber security incident responder. During this shutdown, I am going without pay, and unlike Civil Service employees, there has been no bill passed by the House to reimburse contractors for their lost wages.

This situation creates a very serious danger for our nation caused by a convergence of factors:

1) The information systems of the United States Government are under continual attack from sophisticated and well-funded foreign governments. At this moment, practically no one is working to repel those attacks. We are in fact engaged in a cyber war right now with several nations. And at this moment ... no one is guarding the fort.

2) Under normal circumstances, the US Government has a serious shortage of trained personnel to maintain countermeasures to those cyber attacks. Most of the personnel that do exist are now furloughed contractors, who have no hope of reimbursement once they return to work.

3) Since the private sector has a similar shortage of trained cyber security personnel, it behooves those of us who are employed as Federal contractors to seek more reliable employment elsewhere. This will only increase the personnel shortage and exacerbate the risks to the information systems that are an essential part of Federal Government operations.

I have no doubt that several hostile foreign governments are currently celebrating their unfettered freedom to compromise the security and operational integrity of the Federal Government's computers and networks. And I am challenged to express in words how demoralizing it is to be considered "non-essential" and to be summarily tossed off our jobs and told to eke out an existence without pay.

Those of us who work as cyber security contractors for the Federal Government are generally paid less than our counterparts in the private sector. Patriotism and pride in our mission is a large part of our compensation. But pride and patriotism won't pay our bills, feed our children, or compensate for the lost wages caused by unreliable employment.
User Rank: Apprentice
10/3/2013 | 7:58:57 PM
re: Shutdown Heightens Cybersecurity Risks, Feds Warn
A neighbor of mine is the lead certified security executive responsible for network and cyber security at an agency that supports first responders. He is among those furloughed this week. From what I can tell, the skeletal crew left in charge lacks the depth or detail to know how to deal with a security breach. My neighbor, being the public servant he is, is always close to his phones (plural). But that doesn't give him -- or me -- a lot of assurance.

Just think: two Marine generals were just sacked for neglecting their base from attack. Who gets sacked IF/when federal agencies get attacked? Sadly, it won't likely be anyone in Congress.