With every passing day, the partial government shutdown takes the nation deeper into new territory. Not only is a new record set daily for the disabling of government services, but perhaps even more worrying, this disruption is crippling a key element in the nation’s defense: our cybersecurity.
Yes, we’ve had government shutdowns before, one lasting 16 days in 2013, but that was still a time when cyber-attacks were less common and far less sophisticated than today. As for the previous record shutdown, 21 days spanning 1995 and 1996, that is so far back in internet time, cybersecurity was hardly a word!
The budget impasse has triggered a cascade of events, all bad for the nation’s digital infrastructure — and its economy. The severity of those costs depends on the sophistication of the cyber-attacks undoubtedly underway. These costs could end up cataclysmic.
This is what we know: Not only did the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency furlough about 1,500 of its 3,500 workers, but the private contractors that manage much of the nation’s cybersecurity networks have also been forced to stand down.
The words of a spokesperson were hardly reassuring: “Due to the lapse of appropriations, the Cybersecurity and Infrastructure Security Agency has ceased a variety of critical cybersecurity and infrastructure protection capabilities . . . . However, we have maintained baseline operational capabilities supporting national security.”
“Baseline operational capabilities?” That’s another way of saying “bare-bones capabilities.” Would you consider depositing your money in a bank that announced that its protection of your assets has been reduced to bare-bones capabilities? Perhaps you cannot wait to be admitted with a critical emergency to a hospital that is sporting “baseline operational capabilities!”
It doesn’t get better.
Report after report is describing a government in the dark. Reportedly, the House Homeland Security Committee is “concerned” that the Department of Homeland Security is working at 57 percent. They should be. Hackers’ favorite targets have long been the Department of Homeland Security, the Environmental Protection Agency, the National Institute of Standards and Technology, the Department of Agriculture, the Department of Commerce, Housing and Urban Development, and, of course, everyone’s favorite: the Internal Revenue Service.
That list is far from complete, but you get the idea: Government and private infrastructure are exposed to the world. We have furloughed a significant percentage of our cybersecurity capabilities, something we would never do with our conventional defenses.
We can talk about the costs of crippling our cybersecurity posture. They are measured in the hard dollars of salaries, delayed and cancelled projects, loss of productivity, loss of human resources, and destruction of morale across agencies whose one recruitment tool is “For God and Country” as opposed to high salaries and perks. Thousands of cybersecurity professionals work for the mission but make no mistake: they have families to feed, rent to pay, expenses to meet. Mission alone does not put food on the table, and once these professionals are gone, they cannot be easily replaced.
There are other costs, hard costs, to consider. In July, IBM and Ponemon Institute released their 13th Annual Cost of Data Breach study. They found that the global average cost of a data breach is $3.86 million, up 6.4 percent from the year prior. If you look at the United States, the cost jumps to $7.91 million per data breach. The more interesting metric is not the dollars, but the time it takes to discover the breach. Globally, discovery takes 196 days. In the U.S. it takes 201 days, and to contain it takes an additional 52 days. The study also puts the average cost of deploying cybersecurity solutions at about $2.88 million versus the potential cost of a breach at about $4.43 million.
Now, consider how this translates to our governmental institutions and our critical infrastructure. In the Ponemon study, the “Public Sector” is the fifth largest sector in data breach frequency. And that was while our defenses were running at maximum operating efficiency! I wonder what it is during this shutdown.
Even more unsettling, though, is that we don’t know whether the shutdown has left us vulnerable, even after our cybersecurity posture has recovered and has been restored, something likely to take as long as the shutdown itself. Cybersecurity is not a switch you throw on or off. Protecting our systems is a long and complex process, requiring the expertise of many professionals and the smooth operation of hundreds of systems.
As it stands, if I were directing a hacking attack force, I could not ask for a better gift than having my enemy, my target, reduce its defenses for a prolonged period. You see, I wouldn’t be interested in crashing the IRS computers. I wouldn’t try to shut down DHS or compromise the EPA. Instead, I would be using this time to gain multiple footholds in as many systems as I could. I would penetrate the poorly guarded institutions and I would create as many back doors as possible. My goal would be asset collection, not asset destruction. At least not yet. I would make myself a “permanent guest” in as many of these systems as possible.
And then, when my target finally resumes its guarded stance, I would sit back and take stock of all the systems I “own.” I would have all the time in the world to devise my exploitation strategy and make it align with my strategic and economic interests.
That is the cost, the real cost of a cyber nation unguarded.