The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Government cyber workers increasingly concerned hackers will strike during shutdown

with Bastien Inzaurralde


The government's cybersecurity professionals are increasingly concerned that hackers will take advantage of the partial shutdown to tamper with sensitive government data or steal citizens' information -- and that the bare-bones staff won't be able to fend them off. 

It's far from clear that the cadre of contractors and "essential" employees that remain on the job -- and without pay -- are equipped to defend against such a hack, a furloughed cybersecurity and IT manager tells me. The risk increases every day the shutdown continues, and he worries that failing to combat a serious hack or disinformation campaign would have consequences long after it eventually ends. 

“We’ve never tested the limits like this before and I don’t know if they’re equipped to handle it,” the furloughed worker, who manages a dozen digital systems at a small federal agency, told me. “The risk is much higher than it should be, especially when we’re talking about people’s sensitive data.”

The furloughed worker, who spoke on the condition of anonymity because he’s not authorized to speak to the media, is among more than 1,000 cyber and IT staff barred from working during the shutdown, which is the longest in history. Despite that ban, the worker told me, he fields text messages every day from agency employees and contractors who are working through the shutdown and helps them to keep agency computer systems running securely.

“People say ‘think of this as a paid vacation’ and that’s insulting,” he said. “I’m available 24/7 if they need me. The folks on my team are all unofficially checking in and making sure things are running.”

Of the dozen digital systems that the furloughed worker usually manages, all but one has suspended operations during the shutdown, he told me. The system that’s still operating doesn’t contain sensitive information, he said, so the worst hackers could do by directly penetrating it would be to alter the information it does hold, sowing confusion and increasing distrust in government. 

The threat of a disinformation campaign could have serious consequences. For instance: Hackers could monkey with numbers in government reports that other federal and state agencies rely on to do their own work, or change things in old press releases, speeches and statements. Or they could seize an opening to deface websites so citizens know the government can't protect its own websites.

And because many government systems are interconnected, a hacker who gained a foothold in any one system could use it to jump to other systems that do contain sensitive data, he said.

“We can build all the defenses up on a system, but once someone breaks in, who knows what they can do?” he told me.

The furloughed worker isn’t alone in that fear. Bruce McConnell, a former Homeland Security Department top cyber official, raised a similar concern when I spoke with him during the second week of the shutdown.

“Cyber attackers aren't taking a shutdown. They're taking advantage of the shutdown,” McConnell told me.

Here are three other big takeaways from my conversation with the furloughed cyber worker:

1. This could be the last straw for many federal workers. 

The frustration of a forced furlough and missing a paycheck is sure to drive many federal workers into the private sector, said the furloughed worker who is considering private sector options himself. The lure is even greater for workers in high-paying fields such as cybersecurity, he said.

“Amongst my peers, we’re all raising our eyebrows and saying: ‘Is this really working?’” he told me.

Unfortunately, the most highly skilled and motivated workers will also probably be the first to leave, he told me.

“There are good employees and bad employees in government,” he said, “and this is clearly a disincentive for the good employees to stick around.”

2. Cybersecurity improvements are on hold.

Like many federal agencies, the one the furloughed manager works for is riddled with outdated and insecure software systems, he told me, and efforts to update those systems are on hold. 

The agency will get back to some of those plans when the shutdown ends, he said, but they will almost certainly have to be curtailed during the current fiscal year because of time lost to the shutdown and to the complex process of resuming operations after weeks or longer with a bare-bones staff.

3. There's really no such thing as an "essential" worker

The public might imagine a nice clean list of precisely what functions and people are necessary to keep the government running without incident during a partial shutdown, but it's not really that simple, the furloughed worker told me.

As an example, the furloughed worker was actually eligible for an “essential” slot that would allow him to keep working without pay, managing the one system he oversees that’s still operational during the shutdown, he told me. He opted, instead, to defer that slot to his subordinate who has more expertise in running the system day-to-day, he said. But, actually, neither of them  can  run it perfectly without the other's help and insights, he said, which is one reason he spends so much time texting with the worker who's still on the job. 

The furloughed worker was also concerned that Congress wouldn’t grant back pay to furloughed staff and wanted to ensure his employee, who has a larger family and a smaller financial cushion than he does, had a better chance of getting paid, he said.

 “He’s a father of three kids,” he said. “If anyone needs back pay first, it’s him, not me.”

Attorney general nominee William P. Barr faced questions about his independence, the special counsel investigation and more at his confirmation hearing Jan. 15. (Video: Jenny Starrs/The Washington Post, Photo: Melina Mara/The Washington Post)

PINGED: William P. Barr, President Trump's nominee for attorney general, said during his confirmation hearing that he would let special counsel Robert S. Mueller III complete his investigation but suggested that any report by Mueller might not be made publicThe Washington Post's Devlin Barrett, Karoun Demirjian, Matt Zapotosky and Seung Min Kim reported. “In a sign of potential fights to come, Barr said any report from Mueller would probably be treated like internal Justice Department prosecution memos that are kept secret,” my colleagues wrote.

Barr praised Mueller during a nine-hour hearing before the Senate Judiciary Committee and said he would not allow political considerations to intrude in the Justice Department's decisions on criminal probes. Sen. John Neely Kennedy (R-La.) said the public should be informed of the conclusions of the investigation. “The American people deserve to know what the Department of Justice has concluded,” Kennedy said, according to my colleagues. “I would strongly encourage you to put this all to rest. To make a final report public, and let everybody draw their own conclusions so we can move on.”

PATCHED: Federal authorities filed charges against eight people for hacking a Securities and Exchange Commission system containing corporate secrets, The Washington Post's Renae Merle reported. The people who where charged include Russian and Ukrainian individuals. In the attack that started in 2016, hackers sent emails that infected SEC employees' computers with malware, allowing the attackers to probe the agency's network. They used the confidential financial information that they stole to profit from illegal trading, according to prosecutors.

“The system that was breached, known as Edgar, serves as a clearinghouse for public filings companies must make to the agency, including reports on periodic financial results and newsworthy developments,” Renae wrote. “There can be a lapse between the time when reports are electronically filed with the agency and when they can be viewed by the public, making the system a lucrative target for hackers hoping to learn sensitive information before the rest of the market.”

The scheme resulted in at least $4.1 million in illegal trading profits, my colleague noted. “These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders,” SEC Chairman Jay Clayton said in a statement. “No system can be entirely safe from a cyber intrusion.”

PWNED: Recent policy changes by the Trump administration to give the United States an offensive cyber posture could lead to an escalation in cyberspace and would not increase the efficiency of U.S. cyber operations, according to a paper from the libertarian Cato Institute. Such policy changes rely on the “dangerous myth” that offense can help prevent hacking by foreign adversaries, Marine Corps University's Brandon Valeriano and Benjamin Jensen argued in the paper. The authors advocated instead for “restraint,” adding that the United States should “avoid preemptive strikes against great powers in cyberspace.”

The United States should not only strengthen its defenses but also focus on sharing threat intelligence with allies and businesses and work with “nontraditional actors” such as ethical hackers, according to the authors. “Platitudes like ‘the best defense is a good offense’ are best left for sports, not international politics,” Valeriano and Jensen wrote. “The evidence suggests that in cyberspace, the best defense is actually a good defense.”

As I reported earlier this week, tech companies are mulling a plan to test whether Trump's offensive cyber strategy is doing more harm or good. 


— The House unanimously passed a bill by Reps. Will Hurd (R-Tex.) and Robin L. Kelly (D-Ill.) that would elevate the position of federal chief information officer, according to a news release from Hurd's office. The legislation would make the federal CIO a presidential appointee reporting directly to the director of the Office of Management and Budget. It would also direct the federal CIO to send Congress a proposal to streamline IT in the federal government. Additionally, the bill would codify the position of federal chief information security officer as a presidential appointee reporting to the federal CIO.

The legislation passed the House last year in the previous Congress but did not advance in the Senate. “I’m glad that the House has moved quickly to again pass this important bill,” Kelly said in a statement. “Using business and states as a model, we’ve seen how a strong CIO office can help streaming IT processes and accelerate modernization.”

— The National Security Agency “does not have reasonable assurance regarding the requisite security oversight of some” of its computer systems, according to a report from the agency's Office of the Inspector General. You can read the report here.

— More cybersecurity news from the public sector:

Conservative writer Jerome Corsi says Mueller has summoned his stepson to testify before grand jury (Rosalind S. Helderman)

China’s Confidence Rises in Its Military, U.S. Says (The Wall Street Journal)

The Spyware That Brought Down El Chapo’s Drug Empire (The Atlantic)


— Researchers from the security company ForeScout found that carrying out an attack on building-automation devices — which are present in office buildings, airports and other infrastructure — can be cheap when compared to budgets available to nation-state hackers, according to CyberScoop's Sean Lyngaas. The company put together a lab containing building-automation devices such as systems that control heating and surveillance cameras, and researchers tested malware on that equipment as part of an 18-month research project.

“Additionally, the researchers said they found ‘severe misconfigurations’ on a workstation for managing building automation devices that could allow an attacker to remotely execute code and obtain administrator privileges on the targeted operating system,” Lyngaas wrote. “The vendor claimed the systems integrator was responsible for these issues.”

— Trend Micro security researchers Federico Maggi and Marco Balduzzi managed to hack into construction cranes — after receiving authorization to do so — and take control of the machines at several sites in Italy, Forbes's Thomas Brewster reported. “It soon became obvious: Cranes were hopelessly vulnerable,” Brewster wrote. “And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged ‘from theft and extortion to sabotage and injury,’ the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.”

— More cybersecurity news from the private sector:

Big Tech faces new pressure over facial recognition contracts (The Verge)


Another huge database exposed millions of call logs and SMS text messages (TechCrunch)

Fortnite security issue would have granted hackers access to accounts | ZDNet (ZDNet)


— German authorities detained an individual who worked for the German military and is suspected of passing data to an Iranian intelligence agency, Reuters reported. The suspect was only identified as Abdul Hamid S. and has dual Afghan and German nationalities. “Abdul Hamid S. is strongly suspected of having worked for a foreign intelligence agency. The suspect was a language expert and cultural adviser for the Bundeswehr (German armed forces). In this capacity, he is believed to have passed insights to an Iranian intelligence agency,” Germany’s federal prosecutor’s office said in a statement, according to Reuters.

— More cybersecurity news from abroad:

Polish Ex-Security Official Charged With Spying for China During Government Service (The Wall Street Journal)

Singapore says it won't name hackers who targeted PM (Associated Press)

India Wants Access to Encrypted WhatsApp Messages (The Wall Street Journal)



  •  S4x19 industrial control systems security conference in Miami Beach through tomorrow.

Coming soon


Democrat Gillibrand eyes 2020 White House bid:

Sen. Kirsten Gillibrand (D-N.Y.) told CBS’ “The Late Show With Stephen Colbert” on Jan. 15 that she is forming an exploratory committee for the 2020 election. (Video: Reuters)

Saudi teen says fleeing was “worth the risk”:

Rahaf Mohammed, the Saudi teen who fled her country, says she plans to pursue an education, get a job and live a normal life in Canada. (Video: Reuters)

Trump’s love of fast food, explained:

President Trump’s love of fast food predates politics. His reasons for loving big name brands like McDonald’s, Wendy’s and Burger King are a bit complicated. (Video: Adriana Usero/The Washington Post, Photo: White House/The Washington Post)