Last month, the longest government shutdown in U.S. history finally came to an end. The five-week partial shutdown, caused by a standoff between Congress and the president over border wall funding, cost the U.S. economy $11 billion, according to an estimate from the nonpartisan Congressional Budget Office. The CBO projects that all but $3 billion of that sum will eventually be recovered.
That said, shutdown fallout continues in the cybersecurity space, and many questions about the short- and long-term effects on readiness remain. Has the cybersecurity posture of the U.S. sustained damage, and if so, is it temporary or permanent? Were there any benefits to the shutdown from a cybersecurity perspective? And finally, what lessons will government IT professionals learn, and how will they prepare for future shutdowns? Let’s unpack these questions.
The Upside to the Shutdown
It may seem counterintuitive, but some good news came out of the government shutdown from a cybersecurity point of view. Users are the weakest link in security defenses, which is why security incident volume typically declines on weekends. That pattern likely held true during the shutdown. Fewer active users means fewer opportunities for successful phishing scams, zero-day exploits and similar attacks against endpoints protected by a “detect and respond” strategy (more on that later).
There’s also anecdotal evidence that, in addition to lower user volume, the 35-day shutdown gave government IT teams breathing room to apply security patches and conduct other general cybersecurity hygiene projects. With nonessential personnel furloughed and fewer user support demands, government IT professionals who were still on the job had more time for routine security tasks.
The Downside to the Shutdown
Despite those unintended benefits, the shutdown overall was bad news for government IT security for a number of reasons. There were reports of lapsed security certificates on government websites, with pages either down or still up but displaying a security warning to visitors. Also, government cybersecurity standards that private sector developers rely on weren’t updated during the shutdown.
Federal shutdown effects cascaded to state and local government IT groups. A Midwestern state’s CIO reported that his office was unable to complete simple tasks like making an IP change on a joint state and federal site due to concerns about being unable to troubleshoot any problems with federal counterparts. It was a temporary inconvenience, but it did disrupt routine security processes.
Longer-term effects could include challenges in recruiting talent with technical expertise that is in high demand in the private sector. That happened after a much shorter government shutdown in 2013. One former NASA employee doubled his salary by taking a private sector cybersecurity job after the 2013 shutdown. Last month, he told The Washington Post he’d received inquiries from furloughed former colleagues who were interested in making the jump to a corporate position after the 2019 shutdown.
Moving Past the Shutdown — And Planning for the Next
Federal employees are back on the job — at least for now. But as they recover from the shutdown, they’re likely to encounter delays and problems as they confront the backlog. While employees were idled, important planning was almost certainly deferred, possibly including work such as gaming out strategies to counter hacking and intellectual property theft by state actors such as China.
Delays in deploying security solutions could also take a toll on government cybersecurity readiness. The same thing happens in the private sector when cybersecurity plans are delayed. To cite one example, a firm that purchased the AppGuard endpoint protection solution (which has never been breached) and didn’t immediately deploy it came to regret the delay. The customer experienced a data breach prior to AppGuard implementation — a breach the new software would have prevented.
As government IT groups move on from the last shutdown and plan for the next, savvy professionals will take time to identify lessons learned. Here’s one takeaway for consideration: Deploy a software solution that prevents breaches from known and unknown cyber threats without degrading system performance or requiring IT intervention. With a solution like that, government IT groups will be in a better place from a breach prevention standpoint than they were in December 2018, when the shutdown began.