Shutdown sets back U.S. cyber defenders

By Blake Sobczak | 01/08/2019 07:05 AM EST

A popular cyber technology showcase is the latest casualty of a partial government shutdown that’s taking a toll on U.S. cybersecurity.

The government shutdown is slowing some cybersecurity operations. Claudine Hellmuth/E&E News (illustration); Jason Goulding/Flickr (photo)

The Department of Homeland Security expected up to 1,000 attendees at its 2019 Cybersecurity and Innovation Showcase, which has been billed as the government’s largest cyber research and development conference. It was initially scheduled to kick off today.

Would-be guests were told Friday that the event would be canceled "due to the ongoing lapse in appropriations" for DHS that has stretched on for 17 days and counting.


An agency official said DHS’s Science and Technology Directorate is hoping to reschedule the event once the government reopens.

But it’s not clear when that date may be, as President Trump and federal lawmakers remain at loggerheads over funding for another part of DHS’s wide-ranging mission: border security. Trump has pledged to prolong the shutdown until he receives authorization for building a $5.7 billion wall along the U.S. border with Mexico, among other immigration-related funds. Trump is set to deliver a national address this evening from the Oval Office before heading to the southern border Thursday (E&E News PM, Jan. 7).

Democratic lawmakers have scoffed at the notion of building a wall to block immigrants and asylum-seekers from reaching the country illegally. The new Democratic majority in the House has refused to fund the wall.

The impasse has spilled over into the cybersecurity arena as agencies like DHS and the Department of Commerce cancel events, take down widely used online resources, call off nonessential travel and stop delivering paychecks to "exempted" employees who are required to keep working through the shutdown.

At DHS’s newly established Cybersecurity and Infrastructure Security Agency, roughly 45 percent of the workforce, or about 1,500 people, is furloughed. The rest are still staffing 24/7 cybersecurity watch floors or standing ready to respond to cyber events affecting critical infrastructure like the power grid or oil and gas pipelines, based on the agency’s latest plan for operating without federal funding.

"I like to think that the work that I do is important," Allan Friedman, director of cybersecurity at Commerce’s National Telecommunications and Information Administration, said in a Twitter post yesterday. "But a lot of real heavy lifting to secure the critical infrastructure is done by my DHS colleagues. None are being paid — including those running the 24-hour watch at the NCCIC [National Cybersecurity and Communications Integration Center] — and only half of them are able to do their job."

Friedman, as he notes in his personal Twitter account, is currently furloughed.

Cyber ‘standstill’

"Government employees, especially the ones working in critical infrastructure, understand the importance of the mission," said Jason Christopher, a former Department of Energy employee and chief technology officer at cyber risk consultancy Axio Global Inc. (For its part, DOE remains funded through September, a spokesperson confirmed.) "They keep on with the mission, even in times of crisis."

While that may serve to keep the lights on, Christopher pointed out that a lot of voluntary, collaborative work among the government, private sector and academia has "come to a standstill" amid the lapse in appropriations.

He cited work on cybersecurity standards at the National Institute of Standards and Technology, part of the Commerce Department that drafts guidelines on securing everything from industrial control systems to cellphones.

At NIST, fewer than 500 of 3,378 employees are working through the shutdown. The agency has dropped support for a variety of websites that host popular cybersecurity documents like the Framework for Improving Critical Infrastructure Cybersecurity or the widely referenced 800-53 catalog of federal security controls.

"This is not my first rodeo, so I downloaded a lot of those; I already have those offline," Christopher said. "But a lot of folks, if they’re having a question about something for the first time, they may find themselves a little bit out of the loop."

That adds up to an "inconvenience" for cybersecurity efforts rather than a major risk, Christopher noted.

But current and former government workers, including the previous deputy undersecretary of the Cybersecurity and Infrastructure Security Agency’s precursor office at DHS, have warned that the lingering shutdown could have long-term side effects on morale.

Whitney Merrill, a former cybersecurity attorney at the Federal Trade Commission, pointed out that "the government shutdown is anxiety inducing, and drives great employees away from government service."

"Imagine not knowing when or if you’ll get paid," she said.