The government's cybersecurity professionals are increasingly concerned that hackers will take advantage of the partial shutdown to tamper with sensitive government data or steal citizens' information -- and that the bare-bones staff won't be able to fend them off.
It's far from clear that the cadre of contractors and "essential" employees that remain on the job -- and without pay -- is equipped to defend against such a hack, a furloughed cybersecurity and IT manager tells me. The risk increases every day the shutdown continues, and he worries that failing to combat a serious hack or disinformation campaign would have consequences long after it eventually ends.
“We’ve never tested the limits like this before and I don’t know if they’re equipped to handle it,” the furloughed worker, who manages a dozen digital systems at a small federal agency, told me. “The risk is much higher than it should be, especially when we’re talking about people’s sensitive data.”
The furloughed worker, who spoke on the condition of anonymity because he’s not authorized to speak to the media, is among more than 1,000 cyber and IT staff barred from working during the shutdown, which is the longest in history. Despite that ban, the worker told me, he fields text messages every day from agency employees and contractors who are working through the shutdown and helps them to keep agency computer systems running securely.
“People say ‘think of this as a paid vacation’ and that’s insulting,” he said. “I’m available 24/7 if they need me. The folks on my team are all unofficially checking in and making sure things are running.”
Of the dozen digital systems that the furloughed worker usually manages, all but one have suspended operations during the shutdown, he told me. The system that's still operating doesn't contain sensitive information, he said, so the worst hackers could do by directly penetrating it would be to alter the information it does hold, sowing confusion and increasing distrust in government.
The threat of a disinformation campaign could have serious consequences. For instance: Hackers could tamper with numbers in government reports that other federal and state agencies rely on to do their own work, or change the wording of old press releases, speeches and statements. Or they could seize the opening to deface websites, showing citizens that the government can't protect its own sites.
And because many government systems are interconnected, a hacker who gained a foothold in any one system could use it to jump to other systems that do contain sensitive data, he said.
“We can build all the defenses up on a system, but once someone breaks in, who knows what they can do?” he told me.
The furloughed worker isn’t alone in that fear. Bruce McConnell, a former Homeland Security Department top cyber official, raised a similar concern when I spoke with him during the second week of the shutdown.
“Cyber attackers aren't taking a shutdown. They're taking advantage of the shutdown,” McConnell told me.
Here are three other big takeaways from my conversation with the furloughed cyber worker:
1. This could be the last straw for many federal workers.
The frustration of a forced furlough and missing a paycheck is sure to drive many federal workers into the private sector, said the furloughed worker, who is considering private-sector options himself. The lure is even greater for workers in high-paying fields such as cybersecurity, he said.
“Amongst my peers, we’re all raising our eyebrows and saying: ‘Is this really working?’” he told me.
Unfortunately, the most highly skilled and motivated workers will also probably be the first to leave, he told me.
“There are good employees and bad employees in government,” he said, “and this is clearly a disincentive for the good employees to stick around.”
2. Cybersecurity improvements are on hold.
Like many federal agencies, the one the furloughed manager works for is riddled with outdated and insecure software systems, he told me, and efforts to update those systems are on hold.
The agency will get back to some of those plans when the shutdown ends, he said, but they will almost certainly have to be curtailed during the current fiscal year because of time lost to the shutdown and to the complex process of resuming operations after weeks or longer with a bare-bones staff.
3. There's really no such thing as an "essential" worker
The public might imagine a nice clean list of precisely what functions and people are necessary to keep the government running without incident during a partial shutdown, but it's not really that simple, the furloughed worker told me.
As an example, the furloughed worker was actually eligible for an "essential" slot that would have allowed him to keep working without pay, managing the one system he oversees that's still operational during the shutdown, he told me. He opted instead to defer that slot to his subordinate, who has more expertise in running the system day-to-day, he said. But neither of them can run it perfectly without the other's help and insights, he said, which is one reason he spends so much time texting with the worker who's still on the job.
The furloughed worker was also concerned that Congress wouldn’t grant back pay to furloughed staff and wanted to ensure his employee, who has a larger family and a smaller financial cushion than he does, had a better chance of getting paid, he said.
“He’s a father of three kids,” he said. “If anyone needs back pay first, it’s him, not me.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: William P. Barr, President Trump's nominee for attorney general, said during his confirmation hearing that he would let special counsel Robert S. Mueller III complete his investigation but suggested that any report by Mueller might not be made public, The Washington Post's Devlin Barrett, Karoun Demirjian, Matt Zapotosky and Seung Min Kim reported. “In a sign of potential fights to come, Barr said any report from Mueller would probably be treated like internal Justice Department prosecution memos that are kept secret,” my colleagues wrote.
Barr praised Mueller during a nine-hour hearing before the Senate Judiciary Committee and said he would not allow political considerations to intrude in the Justice Department's decisions on criminal probes. Sen. John Neely Kennedy (R-La.) said the public should be informed of the conclusions of the investigation. “The American people deserve to know what the Department of Justice has concluded,” Kennedy said, according to my colleagues. “I would strongly encourage you to put this all to rest. To make a final report public, and let everybody draw their own conclusions so we can move on.”
PATCHED: Federal authorities filed charges against eight people for hacking a Securities and Exchange Commission system containing corporate secrets, The Washington Post's Renae Merle reported. Those charged include Russian and Ukrainian individuals. In the attack, which started in 2016, hackers sent emails that infected SEC employees' computers with malware, allowing the attackers to probe the agency's network. They used the confidential financial information they stole to profit from illegal trading, according to prosecutors.
“The system that was breached, known as Edgar, serves as a clearinghouse for public filings companies must make to the agency, including reports on periodic financial results and newsworthy developments,” Renae wrote. “There can be a lapse between the time when reports are electronically filed with the agency and when they can be viewed by the public, making the system a lucrative target for hackers hoping to learn sensitive information before the rest of the market.”
The scheme resulted in at least $4.1 million in illegal trading profits, my colleague noted. “These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders,” SEC Chairman Jay Clayton said in a statement. “No system can be entirely safe from a cyber intrusion.”
PWNED: Recent policy changes by the Trump administration to give the United States an offensive cyber posture could lead to an escalation in cyberspace and would not increase the efficiency of U.S. cyber operations, according to a paper from the libertarian Cato Institute. Such policy changes rely on the “dangerous myth” that offense can help prevent hacking by foreign adversaries, Marine Corps University's Brandon Valeriano and Benjamin Jensen argued in the paper. The authors advocated instead for “restraint,” adding that the United States should “avoid preemptive strikes against great powers in cyberspace.”
The United States should not only strengthen its defenses but also focus on sharing threat intelligence with allies and businesses and work with “nontraditional actors” such as ethical hackers, according to the authors. “Platitudes like ‘the best defense is a good offense’ are best left for sports, not international politics,” Valeriano and Jensen wrote. “The evidence suggests that in cyberspace, the best defense is actually a good defense.”
As I reported earlier this week, tech companies are mulling a plan to test whether Trump's offensive cyber strategy is doing more harm or good.
— The House unanimously passed a bill by Reps. Will Hurd (R-Tex.) and Robin L. Kelly (D-Ill.) that would elevate the position of federal chief information officer, according to a news release from Hurd's office. The legislation would make the federal CIO a presidential appointee reporting directly to the director of the Office of Management and Budget. It would also direct the federal CIO to send Congress a proposal to streamline IT in the federal government. Additionally, the bill would codify the position of federal chief information security officer as a presidential appointee reporting to the federal CIO.
The legislation passed the House last year in the previous Congress but did not advance in the Senate. "I'm glad that the House has moved quickly to again pass this important bill," Kelly said in a statement. "Using business and states as a model, we've seen how a strong CIO office can help streamline IT processes and accelerate modernization."
— The National Security Agency “does not have reasonable assurance regarding the requisite security oversight of some” of its computer systems, according to a report from the agency's Office of the Inspector General. You can read the report here.
— Researchers from the security company ForeScout found that carrying out an attack on building-automation devices — which are present in office buildings, airports and other infrastructure — can be cheap when compared to budgets available to nation-state hackers, according to CyberScoop's Sean Lyngaas. The company put together a lab containing building-automation devices such as systems that control heating and surveillance cameras, and researchers tested malware on that equipment as part of an 18-month research project.
“Additionally, the researchers said they found ‘severe misconfigurations’ on a workstation for managing building automation devices that could allow an attacker to remotely execute code and obtain administrator privileges on the targeted operating system,” Lyngaas wrote. “The vendor claimed the systems integrator was responsible for these issues.”
— Trend Micro security researchers Federico Maggi and Marco Balduzzi managed to hack into construction cranes — after receiving authorization to do so — and take control of the machines at several sites in Italy, Forbes's Thomas Brewster reported. “It soon became obvious: Cranes were hopelessly vulnerable,” Brewster wrote. “And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged ‘from theft and extortion to sabotage and injury,’ the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.”
— German authorities detained an individual who worked for the German military and is suspected of passing data to an Iranian intelligence agency, Reuters reported. The suspect was only identified as Abdul Hamid S. and has dual Afghan and German nationalities. “Abdul Hamid S. is strongly suspected of having worked for a foreign intelligence agency. The suspect was a language expert and cultural adviser for the Bundeswehr (German armed forces). In this capacity, he is believed to have passed insights to an Iranian intelligence agency,” Germany’s federal prosecutor’s office said in a statement, according to Reuters.
- S4x19 industrial control systems security conference in Miami Beach through tomorrow.
- The Council on Foreign Relations holds a panel discussion titled “Hacking and the Internet of Things” tomorrow.
- ShmooCon hacker conference in Washington on Friday through Sunday.