Cybersecurity threats don't just disappear during a government shutdown -- in fact, some think that the shutdown increases the risks associated with digital federal infrastructure. We spoke to Mike Carpenter, President for the Americas at cybersecurity company McAfee about how the shutdown might make government cybersecurity worse. This interview has been lightly edited for length and clarity.
Andrea Peterson: Tell me a little about yourself and your role.
Mike Carpenter: I'm the President of the Americas at McAfee -- been here for 12 years. Actually, my background at McAfee is that I was the VP of public sector and the VP of federal at one point. So I have a lot of experience specifically in this space.
So you've dealt a lot with government security, I would imagine.
Yes, absolutely -- both domestically and internationally.
And what have you seen in relation to cybersecurity challenges and the shutdown?
A couple different things. One is that after the president's executive order, we started to see a lot of momentum, mainly around CDM (Continuous Diagnostics and Mitigation) and with the exfiltration from [Edward] Snowden, there's been a lot of momentum around developing programs, policy, and measurement criteria to help start to mitigate these threats. The risk that I see with the shutdown is for every day that you have a shutdown like this, the damage is a little more punitive: You're two days to get back on track -- it's not a day for day, if you go down for a day, you make up a day -- it's a little bit more aggressive than that because you have the momentum, impact, and beyond.
I think another piece which is interesting is that you're in a position where there's a critical workforce that shows up, which is the skeleton crew that shows up to keep everything operationally active as well as secure. That can be the target of some phishing attacks. The people that are showing up, responding to e-mails, could create some targets of people with critical access who are required, which would be a good social engineering ploy to go after. So it creates vulnerabilities as much as it creates opportunity.
The final piece I think is that you're talking about a huge shortage of cybersecurity experts. And the reason that someone would come to work for the government is most importantly support of the mission, but the second piece, if you surveyed them, would be about stability. I think the shutdown creates a bit of a gap in that belief about job security. With the shortage of workforce that you have and the demand you have for a cybersecurity workforce, I think it's going to open up some of the more talented cybersecurity experts to look at public versus private industry roles.
Can you tell me more about this potential phishing problem and how adversaries would identify who those critical people are from the outside?
Sure, so everything from phishing attacks is to see who is responding to e-mails, who is at work, and then being able to take that information back from anyone who responds from a .gov e-mail address to targeted attacks from people that they know are working with them in IT to see if they're active that day. A phishing attack is basically an attack where you are putting information out there to get them to click on it for an alternative response -- that response could just be "yes, I'm aware, I'm here" or that response could be click on this to download a piece of malware. But it's an attack that's meant to look legitimate for a legitimate click-through response, and that could give an adversary awareness that this person is active and they are deemed a critical employee to keep operational efficiency running.
And what about the question of the attractiveness of public roles in the cybersecurity field?
For me, the perception is about stability. When somebody is taking a job in the public world versus the private world, they are looking for job stability. It's a big piece of someone's core need system, right? Them being able to support their family, have a stable job, and feel like they are working towards a mission. But that starts to get disrupted when you have a shutdown and some of the political issues that we face. Whether you are at home or you're traveling, you're hearing a lot of people frustrated with what is happening in the political landscape. You combine that with the fact that they're at home, not working, wondering when this is going to stop, and it starts to have an impact and starts to threaten the core need of stability that they have in their life.
Do you think that could be partially attributed to differing levels of compensation in the public versus private sector?
I can't really speak to the financial difference, but there's a massive shortage of cybersecurity experts across North America, if not across the world. You can take that demand and say, is that cybersecurity expert going to make more in the private world than they are in the public world? That answer, my assumption would be, is yes. Now what is that difference? I'm not sure, it depends on that person's level of skillset and the demand for that level of skillset. And it varies -- it could be anywhere from 10 percent to 30 percent, to beyond, depending on stock impacts and total package impacts.
But what you risk when you are in the private world is demand decrease and job elimination and/or powers beyond your control that put you in a position where your stability is threatened -- whether you're at a start-up that doesn't make it or a company that downsizes. For a lot of people that take public service roles, the first piece is the mission, but when you combine the mission with the stability it really provides a winning hand to pick up people who are willing to make a little bit less for that level of stability and that level of pride. When you combine the shutdown into that, I think it starts to threaten those areas.
Is there anything else about the shutdown and cybersecurity that you think I should be asking about?
I think the bigger piece is the vulnerability of who is in the office, which leaves you open to phishing attacks, and then the final piece I mentioned earlier is that third leg of the stool here: It's a big deal when the momentum stops. When you have a program and key initiatives, you're marching forward and then the music stops and you have to start up again. You have to recreate that momentum and recreate that drive. It puts us a step back. It's not like that's unrecoverable, but I do think it has a punitive effect where it's a point of diminishing returns: For every day you lose, you're going to lose more time to respond to that [cybersecurity issue] if you ever get back to where you were in the past.