The nation’s cybersecurity may have dodged a bullet Saturday night when Congress passed legislation to keep the federal government open for the next 45 days. The stopgap measure was sent to President Joe Biden for his signature.
The shutdown would have had an immediate and far-reaching impact on many government activities—including the work of federal agencies to protect the country from cyberattacks. Depending on how long the self-inflicted emergency would have lasted, the ripple effect could have created a crisis for companies and organizations around the country.
Degrading Cybersecurity
“The mass furloughs that would result from a government shutdown would degrade the cybersecurity of the entirety of the nation’s software supply chain, including critical infrastructure, transportation, healthcare, and energy, according to a statement from Justin Williams, managing partner at Optiv,” Dark Reading reported.
In the hours leading up to a possible government shutdown, the Cybersecurity and Infrastructure Security Agency was prepared to furlough more than 80% of its workforce, according to the Federal News Network.
“The capacity to provide timely and actionable guidance to help partners defend their networks would have degraded,” according to the Department of Homeland Security.
CISA would have been forced “to suspend both physical and cybersecurity assessments for government and industry partners, including election officials as well as target rich, cyber poor sectors like water, K-12, and health care, which are prime targets for ransomware,” the agency warned before tonight’s bipartisan passage of the funding bill.
“I don’t think we’ve really thought through as a country what it means to have your cyber agency at such a low level of activity when the cyber incidents and attack vectors are just increasing,” Chris Cummiskey, a former senior DHS official, told the Federal News Network regarding the shutdown plans.
Good And Bad News
“The good news is the operational footprint of CISA, the operational scanning and the true cyber warriors on keyboard” would not miss a beat, Matt Hayden, a former DHS and CISA official, said.
“The bad news is there’s a lot of engagement with industry, exercises that are done with sector leadership, there are efforts that, just due to the nature of a shutdown, don’t get flagged as critical, and they get paused for however long the shutdown takes.”
But there are no assurances that the country’s protections from cyberattacks won’t be at risk again when the temporary government funding runs out in November.
‘Can Have Far-Reaching Consequences’
“When it comes to cybersecurity, a government shutdown can have far-reaching consequences,” Jeffrey Wells, a cyber risk expert at risk services company 7 Sigma, said via email.
“The exact impact on cybersecurity during a shutdown depends on various factors and can differ between shutdowns. While these thoughts draw from past shutdown experiences, it highlights the very real risks associated with [a] government shutdown,” Wells said.
“These risks extend beyond the public sector and can affect the private sector, especially in the realm of cybersecurity. It should serve as a stark reminder that political gridlock can have consequences that reach deep into the nation’s critical systems, making us more susceptible to unforeseen cyber threats,” Wells warned.
Protecting The Private Sector
“Despite our reliance on the U.S. government and its role in cybersecurity protection, there are quite a few steps the private sector can take to protect itself and its organization,” Heather Buker, a cybersecurity expert at 6 Clicks, a cyber risk and compliance company, said via email.
She said those protective steps include:
- Increasing appropriate internal cyber governance by having relevant policies, procedures, and internal controls in place.
- Creating and maintaining procedures to immediately respond to cyber risks.
- Maintaining cyber-related infrastructures and systems.
Practice, Practice, Practice
All companies and organizations should account for the effect of future government shutdowns in their crisis management and crisis communication plans.
Do not forget to practice responding to those scenarios when holding exercises, drills, and simulations to ensure those plans will work when needed.