![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/bigstock-Capitol-Building-Retro-Ad-Ar-17988470-300x240.jpg\")
<\/figure><\/div>\n\n\n\nMy job isn\u2019t to wax philosophic about politics, so I\u2019ll just stick to the facts. The dispute is over immigration, specifically securing the United States\u2019 southern border with Mexico. The president, in keeping with a campaign promise, wants $5 billion to pay for a physical barrier, a wall, and has refused to sign any legislation to continue funding the government until he gets it. In the meantime, the US government is effectively shut down \u2013 including the State department, Justice Department, Treasury, Transportation Department, Department of the Interior, of Agriculture and of Homeland Security \u2013 and about 800,000 federal employees are currently furloughed or working without pay to carry out \u201cessential\u201d operations like air traffic control.<\/p>\n\n\n\n
So today we\u2019re going to talk about what the shut down is\ndoing to the United States\u2019 cyber defenses, and what impact this could have in\nthe future. <\/p>\n\n\n\n
Let\u2019s hash it out.<\/p>\n\n\n\n
Who is still at work?<\/h2>\n\n\n\n
As we discussed in November, the US recently created a new agency<\/a>, the Cybersecurity and Infrastructure Security Agency (CISA), under the umbrella of the Department of Homeland Security. <\/p>\n\n\n\n “Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said NPPD Under Secretary Christopher Krebs. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”<\/p><\/blockquote>\n\n\n\n Now, not even two months later, CISA has effectively been\nknee-capped by the shutdown. As has the National Institute for Standards in\nTechnology (NIST). <\/p>\n\n\n\n Let\u2019s start with CISA, the agency that has been created specifically to help with US cybersecurity. <\/p>\n\n\n\n What the federal government considers \u201cessential\u201d is a bit opaque, and purposefully so. But that does mean some of the federal security apparatus is exempt.<\/p>\n\n\n\n Per the Office of Management and Budget in a January 2018\nmemo offering guidance on a previous government shutdown:<\/p>\n\n\n\n \u201cAt a minimum, agencies must avoid any threat to the security, confidentiality and integrity of the agency information and information systems maintained by or on behalf of the government\u2026 Agencies should maintain appropriate cybersecurity functions across all agency information technology systems, including patch management and security operations center (SOC) and incident response capabilities.\u201d<\/p><\/blockquote>\n\n\n\n But, as reassuring as that may sound, it forgets two very\nimportant facts: <\/p>\n\n\n\n Now, the Senate did pass a bill that should give these\nemployees backpay, but that doesn\u2019t change the fact that these people haven\u2019t\nbeen paid in at least 18 days and this shutdown could continue for weeks. <\/p>\n\n\n\n And beyond that, even at full strength the US cyber defense apparatus is being pushed to the brink by foreign, state-sponsored hackers and cyber cells<\/a>. So weakening it puts the whole country at greater risk.<\/p>\n\n\n\n \u201cCyber threats don\u2019t operate on Washington\u2019s political timetable, and they don\u2019t stop because of a shutdown,\u201d Lisa Monaco, former assistant to the president for homeland security and counterterrorism, told Axios<\/a>.<\/p><\/blockquote>\n\n\n\n Or, as\na report from Duo Security said<\/a>:<\/p>\n\n\n\n \u201cTrying to keep networks and data safe and thwarting attacks when not at full-strength is risky, especially when no one can predict how long this state of affairs will last.\u201d<\/p><\/blockquote>\n\n\n\n Right now, 45% of the Cybersecurity and Infrastructure\nSecurity Agency is furloughed. 45% is also the percentage of employees on the\nDHS\u2019 analysis and operations teams \u2013 comprised of the Office of Intelligence\n& Analysis, and the Office of Operations Coordination \u2013 that are furloughed,\ntoo. <\/p>\n\n\n\n The National Protection and Programs Directorate \u2013 which handles a range of functions like the US-CERT (US \u2013 Computer Emergency Readiness Team) Continuous Diagnostics (CDM) and Automated Indicator Sharing (AIS) programs \u2013 has a whopping 85% of its workforce furloughed. <\/p>\n\n\n\n And depending on how long this shutdown continues, we could see a lot of these agencies that are currently operating on short-term reserves run out of money and be forced to shutter even more of their operations.<\/p>\n\n\n\n NIST is the agency responsible for setting standards. For instance, it\u2019s issued extensive guidance on encryption standards<\/a> that has helped inform the industry standards set forth by the CA\/B Forum. It\u2019s an exceedingly useful agency and it has been thoroughly depleted by this shutdown. <\/p>\n\n\n\n 85% of NIST is furloughed.<\/p>\n\n\n\n That means a number of new standards that have been under review \u2013 standards that businesses rely on to set a baseline for their own security programs \u2013 are now on indefinite hold. <\/p>\n\n\n\n That includes: <\/p>\n\n\n\n Currently, clicking any of those links effectively leads you\nto a dead end courtesy of this shutdown.<\/p>\n\n\n\n There are a few NIST services that will stay open, but to say they are lightly staffed would be a profound understatement. <\/p>\n\n\n\n That\u2019s one of those tidbits of information that is supposed to make you feel better but actually just makes everything seem worse. That\u2019s less than 20 people handling critical functions for a country of nearly 300,000,000.<\/p>\n\n\n\n Eventually, possibly as soon as today, this shutdown will\nend. But it\u2019s also quite possible that it stretches on days or even weeks\nlonger. With every passing day, more and more long-term damage to the US\nnational cybersecurity apparatus is being done. <\/p>\n\n\n\n Here\u2019s why: If you\u2019re a talented cybersecurity professional, why would you ever work for the US government?<\/strong><\/p>\n\n\n\n That may sound silly or unpatriotic, but ask any of the nearly 400,000 federal employees that didn\u2019t get paid over the holidays if their patriotism took care of their power bill or put food on their family\u2019s table? <\/p>\n\n\n\n No, patriotism is going to give way to pragmatism, and let\u2019s\nlook at the facts:<\/p>\n\n\n\n And here\u2019s the real match in the powder barrel, all of those\ngovernment officials whose whims have cost you pay and potentially even caused\nyou to have to work for free \u2013 they\u2019re all getting paid.<\/p>\n\n\n\n Congress and the Executive Branch have already been funded\nvia a previous spending bill.<\/p>\n\n\n\n And while historically the federal employees that are\ncurrently affected \u2013 both furloughed and working without pay \u2013 have been given\nbackpay to compensate, the timing of that backpay is contingent upon the\nshutdown ending and Congress passing a bill (oh, and the wheels of bureaucracy churning)\nbefore you actually see that money.<\/p>\n\n\n\n Already, they\u2019ve missed an entire pay period (December\n23-January 5). <\/p>\n\n\n\n None of that is going to attract the best and brightest. And\nwhy should it? The average American couldn\u2019t scrape together $400 in an\nemergency, try taking away an entire paycheck. That\u2019s the type of uncertainty\nyou\u2019d do well to avoid.<\/p>\n\n\n\n And this is not without precedent, the NSA got hammered\nfollowing the 2013 shutdown. For one, it caused management to divide employees\ninto \u201cessential\u201d and \u201cnon-essential\u201d categories \u2013 not exactly a shot in the arm\nfor morale \u2013 and the 16 days out of work threw many lives into disarray.<\/p>\n\n\n\n \u201cI was paying money out of my pocket\u2026 The guys were sitting at home, they couldn\u2019t go work with the shutdown because they had to work from government spaces, so they really could not go,\u201d one former NSA employee who left following the 2013 shutdown told Buzzfeed<\/a>. \u201cI can say anecdotally, because I do know several guys who worked there who went off on their own around 2013, 2014. There was a bigger exodus than normal, and you\u2019ve gotta [sic] figure at least some of that was due to the shutdown and guys going \u2018screw this.\u2019\u201d<\/p><\/blockquote>\n\n\n\n The current shutdown has already gone on two days longer and if a morning conference between the president and the two leaders of the congressional democrats doesn\u2019t solve things\u2014it could go on much longer.<\/p>\n\n\n\n![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/thumbnail_CISA.jpg\")
<\/figure><\/div>\n\n\n\nThe Cybersecurity and Infrastructure Security Agency <\/h2>\n\n\n\n
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/logo-nist-300x300.png\"){kind=logo}
<\/figure><\/div>\n\n\n\nThe National Institute of Standards in Technology<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Dead-end-1024x742.jpg\")
<\/figure>\n\n\n\nThe real damage this shutdown may cause is long-term<\/h2>\n\n\n\n
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/uncle-sam.jpg\")
<\/figure><\/div>\n\n\n\n
![\"Hashed](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"