C. Warren Axelrod

Cybersecurity and the Government Shutdown

I had originally thought of comparing the impact on cybersecurity of the December 2018/January 2019 35-day partial government shutdown to other forms of upheaval, bringing in references to my chapter “IAM Risks during Organizational Change and Other Forms of Major Upheaval,” in Digital Identity and Access Management: Technologies and Framework (IGI Global, 2012), edited by Raj Sharman et al. That article was precipitated, in part, by my experience managing access to systems of two major financial firms during the takeover and transition from one firm’s systems to the other firm’s systems. But I also realized that these issues are common to many forms of disruption.

Now, we are beginning to see what the real impact of the government shutdown might be. In a February 10, 2019 article in Wired with the title “Cybersecurity workers scramble to fix a post-shutdown mess,” available at https://www.wired.com/story/government-shutdown-cybersecurity-recovery/?CNDID=29496384&CNDID=29496384&bxid=MjM5NjgwOTIyOTM4S0&hasha=61af23827242e8e56b3107595c181e7b&hashb=7b7de14b5b88c5ca5a3f1f843db00f5aa57a7785&mbid=nl_021019_daily_list1_p4&source=DAILY_NEWSLETTER&utm_brand=wired&utm_mailing=WIRED%20NL%20021019%20(1)&utm_medium=email&utm_source=nl Lily May Newman describes a whole series of issues confronting cybersecurity staff on their return to work. Newman reports on the problems encountered, such as expired software licenses (more an IT ops problem) and encryption certificates (security operations).

As reported by Newman, half a dozen U.S. Senators sent a letter to DHS and NSA quoting experts who “… warned that our reduced capacity for cybersecurity during shutdowns provides an opportunity for adversaries and cybercriminals.” Further they asserted that they “… are concerned that these circumstances have left our government and citizens vulnerable to cyberattacks.”

While the concerns about encryption certificates expressed in the letter are important, there are other aspects that should also be included as areas of concern. I would add identity and access management (IAM) to the list. While many cybersecurity professionals seemingly took jobs in the private sector because they were furloughed or burned out, depending whether they were among the staff working or not, it is likely that their login credentials were not deleted, especially since workers have been catching up on other needs. This leaves open a hole through which disgruntled government employees might access systems for nefarious activities, as well as facilitating criminals’ access since it is likely that the overworked employees, who are trying to ensure that former staffers’ accesses are deleted and new staff and contractors are added, will open up and delete access where they shouldn’t.

Cybersecurity is a critical function that should be augmented, rather than being allowed to atrophy, during shutdowns and other forms of government (and private sector) disruption. This is a matter of who is to blame (if anyone) and who takes on responsibility in disruptive situations, as I describe in my chapter “Responsibilities and Liabilities with Respect to Catastrophes,” in the Handbook of Research on Social and Organizational Liabilities in Information Security (IGI Global, 2008), which was edited by Manish Gupta and Raj Sharman.

And then there is my October 30, 2017 Bloginfosec column “Catastrophes and Information Security Risk,” available at https://www.bloginfosec.com/2017/10/30/catastrophes-and-information-security-risk/ which suggests that individuals are at their most vulnerable, with respect to identity theft and fraud, when records are destroyed, lost or poorly managed.

There is good reason to be concerned when catastrophes and disastrous, disruptive events occur. This is a time to boost security, yet it is often the opposite where cybersecurity support is fragmented at best and demolished at worst. Disaster recovery plans must consider not only the security of backup systems and facilities, but also the backup of security systems and operations. It is too early to learn the extent of the damage caused by the Government shutdown … and maybe we never will. But you can be sure that there will have been deleterious activities that were not considered ahead of the shutdown and not corrected after the shutdown. It is unfortunate that we do not have such information since, without it, it is difficult to justify having a disaster plan for security. And, of course, if there is no justification, there will not be any plans.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*