Risk
10/3/2013
02:00 PM
Connect Directly
RSS
E-Mail
50%
50%

Shutdown Heightens Cybersecurity Risks, Feds Warn

Federal officials say shutdown is invitation to hackers and puts nation at risk.

Senior federal officials are voicing concern that the partial shutdown of federal operations and the furlough of thousands of cybersecurity and intelligence specialists are an open invitation to hackers to exploit security vulnerabilities.

Federal CIO Steven VanRoekel says he fears the reduced number of cybersecurity professionals on active duty across federal agencies gives hackers greater opportunities to move about within agency IT networks and heightens the risks agencies already face that their systems could be compromised.

"If I was a wrongdoer looking for an opportunity, I'd contemplate poking at infrastructure when there are fewer people looking at it," VanRoekel said in remarks to the The Wall Street Journal.

[ For more on how the federal government shutdown is affecting national security, see Government Shutdown Stalls Cybersecurity Legislation. ]

VanRoekel explained that while government shutdown plans exempt workers critical to national security, cybersecurity teams had been reduced to a skeleton crew. If agencies came under cyberattack specialists could be called in, but the loss of real-time response was a real concern, he told the Journal. "I have fewer eyes out there," he added.

VanRoekel, who oversees but has limited direct control over the $82 billion agencies spend on IT and cybersecurity annually, said he isn't able to assess what portion of the government's cybersecurity or IT workers overall have been furloughed. The decision of which employees have been exempted from the current shutdown is made on an agency-by-agency basis.

"The people I would have do that assessment are currently not working," he said, noting one of the many consequences of the government shutdown and its impact on the White House Office of Management and Budget, where VanRoekel works.

Meanwhile, director of national intelligence James R. Clapper, Jr. warned senators Wednesday that the government shutdown, coming on the heels of this year's sequestration cuts, will "further damage our ability to protect the safety and security of this nation and its citizens." Clapper made the remarks during testimony at a previously scheduled hearing on domestic surveillance before the Senate Judiciary Committee, where Chairman Patrick J. Leahy (D-Vt.) asked intelligence leaders to address the effects of the shutdown.

"I've been in the intelligence business for about 50 years. I've never seen anything like this," Clapper told the senators, according to Roll Call. Clapper said 70% of the intelligence community's employees had been deemed non-essential to their agencies' missions and subject to furloughs.

"Our nation needs people like this, and the way we treat them is to tell them, 'You need to go home because we can't afford to pay you,'" National Security agency director Gen. Keith B. Alexander told the lawmaker. "From my perspective, it has had a huge impact on morale." Sen. Lindsey Graham, (R-S.C.), noting that this is the first government shutdown since the terrorist attacks of Sept. 11, 2001, said the comments of Clapper and Alexander "scared the hell out of all of us," according to Roll Call's account.

"The government shutdown in a post-9/11 world is making this nation less safe," Graham said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PatrickB222
50%
50%
PatrickB222,
User Rank: Apprentice
10/10/2013 | 5:00:23 PM
re: Shutdown Heightens Cybersecurity Risks, Feds Warn
I am contractor for a Federal Agency employed as a cyber security incident responder. During this shutdown, I am going without pay, and unlike Civil Service employees, there has been no bill passed by the House to reimburse contractors for their lost wages.

This situation creates a very serious danger for our nation caused by a convergence of factors:

1)The information systems of the United States Government are under continual attack from sophisticated and well-funded foreign governments. At this moment, practically no one is working to repel those attacks. We are in fact engaged in a cyber war right now with several nations. And at this moment G«Ű no one is guarding the fort.

2)Under normal circumstances, the US Government has a serious shortage of trained personnel to maintain countermeasures to those cyber attacks. Most of the personnel that do exist are now furloughed contractors, who have no hope of reimbursement once they return to work.

3) Since the private sector has a similar shortage of trained cyber security personnel, it behooves those of us who are employed as Federal contractors to seek more reliable employment elsewhere. This will only increase the personnel shortage and exacerbate the risks to the information systems that are an essential part of Federal Government operations.

I have no doubt that several hostile foreign governments are currently celebrating their unfettered freedom to compromise the security and operational integrity of the Federal GovernmentG«÷s computers and networks. And I am challenged to express in words how demoralizing it is to be considered G«£non-essentialG«• and to be summarily tossed off our jobs and told to eek out an existence without pay.

Those of us who work as cyber security contractors for the Federal Government are generally paid less than our counterparts in the private sector. Patriotism and pride in our mission is a large part of our compensation. But pride and patriotism wonG«÷t pay our bills, feed our children, or compensate for the lost wages caused by unreliable employment.
WKash
50%
50%
WKash,
User Rank: Apprentice
10/3/2013 | 7:58:57 PM
re: Shutdown Heightens Cybersecurity Risks, Feds Warn
A neighbor of mine is the lead certified security executive responsible for network and cyber security at an agency that supports first responders. He is among those furloughed this week. From what I can tell, the skeletal crew left in charge lacks the depth or detail to know how to deal with a security breach. My neighbor, being the public servant he is, is always close to his phones (plural). But that doesn't give him -- or me -- a lot of assurance.

Just think: two Marine generals were just sacked for neglecting their base from attack. Who gets sacked IF/when federal agencies get attacked? Sadly, it won't likely be anyone in Congress.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.