An optimistic view that a short government funding gap -- during an extended holiday period -- would have little impact is giving way to sobering calculations that the ongoing partial federal shutdown will very shortly begin to threaten both cybersecurity and momentum in various cyber collaborations with industry.
“With each passing day, the impact on our nation's security grows. Meanwhile, our adversaries are not missing a beat and the daily attacks on our systems continue,” said Suzanne Spaulding, the former DHS cyber chief during the Obama administration.
Funding elapsed for multiple federal agencies on Dec. 21 including the departments of Homeland Security and Commerce, which are both at the vanguard of cyber collaborations with industry.
Congressional leaders met with President Trump at the White House on Wednesday but there was no breakthrough. The House convenes today with Democrats in charge and Rep. Nancy Pelosi (D-CA) set to be elected speaker for the 116th Congress.
“If we go into week three, it's going to be hard to make progress,” said Robert Mayer, senior vice president for cybersecurity at USTelecom and a leader on multiple cyber engagements with government. “It becomes more concerning as we go into week three, it really affects the momentum we've established” under collaborative efforts launched in 2018.
Commerce, which is almost completely shut down, is the lead agency on a collaboration with industry on fighting botnets, while DHS is leading initiatives on securing the information and communications technology supply chain and on other fronts.
Upcoming planned meetings under the government-industry botnets collaboration are now in jeopardy, according to one industry source, as the Commerce Department officials leading that engagement have been sent home by the shutdown.
At DHS, essential security functions continue, according to sources, but that does not cover personnel working on various risk management initiatives.
A top DHS official earlier this week signaled that cyber activities would be affected by the shutdown.
“Due to the lapse of appropriations, CISA has ceased a variety of critical cybersecurity and infrastructure protection capabilities,” Emily Early, Cybersecurity and Infrastructure Security Agency chief of staff, told Inside Cybersecurity. “However, we have maintained baseline operational capabilities supporting national security, including staff in the National Risk Management Center, in accordance with DHS and OMB guidance."
On the ICT initiative, Mayer said, “I can work with the communications sector on who will be on working groups, and anything that doesn't implicate our government partners can go forward. But otherwise, it wouldn't be appropriate to go forward, especially in this formative stage where we're trying to prioritize scope and resources.”
An industry source said the shutdown is going to “materially affect these projects,” citing the botnet and ICT work, among others. “I don't see how we make any progress in areas where we have to engage with government partners.”
Within the ICT task force, for instance, sources pointed out that the four working groups established under that initiative are each led by a communications, IT and industry representative. “We can't get started without our government partner,” a source said, noting that the composition of the working groups hasn't been finalized.
Impacts on government IT and more
Former DHS official Spaulding cited a number of other impacts.
She told Inside Cybersecurity: “The impact on cybersecurity is potentially significant and not well understood. For example, on Dec. 21, Trump signed the SECURE Technology Act (H.R. 7327), which pulled together several cybersecurity bills, including a supply chain measure from [now-former Sen.] Claire McCaskill [D-MO] and [Sen.] James Lankford [R-OK] and two bills expanding the DHS vulnerability remediation program. There are a slew of deadlines for DHS to accomplish key tasks outlined in the legislation to strengthen cybersecurity. These are exactly the kind of activities that are put on hold during a shutdown.”
Spaulding said, “That time cannot be made up because the folks working on those projects are typically over-extended to begin with. Those deadlines will simply be missed and important protections and policies will be delayed.”
She observed that “monitoring of government systems and responding to significant incidents will likely continue but other important activities, for which demand already exceeds capacity, such as working with departments and agencies to identify and secure their high-value assets or work with states to improve election security, are probably not exempt and are therefore not happening.” -- Charlie Mitchell (cmitchell@iwpnews.com)