
NIST Cybersecurity Framework, NIST Risk Management Framework

The Cybersecurity Impact Of The Government Shutdown Is Not What You Think


There has been a great deal of speculation around the cybersecurity posture of the nation in light of the most recent (and longest documented) government shutdown. I’ve seen two main concerns arise within the cyber community speculating about the impact of the government shutdown:

  1. Limited security personnel during the shutdown
  2. The cybersecurity talent shortage becomes a crisis for the public sector

 

Infiltration during and after the government shutdown

Many experts are noting that, due to the weakened state of the government’s cybersecurity teams, they will not be able to defend against a bad actor breaking in and remaining within government networks after the shutdown ends. This would allow the bad actor to sit within the federal networks undetected until they decide to truly execute a cyber attack.

While reports indicate that roughly 50% of the newly created Cybersecurity and Infrastructure Security Agency (CISA) has been furloughed as a result of the government shutdown, these teams were drastically understaffed before the shutdown even began. The CISA, newly elevated within the Department of Homeland Security a month before the shutdown started, was still establishing itself before the funding ran out. The sites and networks that the government has deemed of significant importance (primarily .mil URLs) are still under constant monitoring. The primary concern that I’ve seen has been the civilian-facing sites: Social Security, Medicare/Medicaid, and food stamps. The concern around these sites is their SSL certificates expiring during the government shutdown. The fact is that the SSL certificate is actually the least of the concerns for these organizations; the IRS suffered a breach weeks before the government shutdown even began. While skimming is a concern for these organizations, an expired SSL certificate is the least of their worries.

Government cybersecurity skills shortage becomes a crisis

One of the greatest challenges facing anyone in the cybersecurity field is the growing talent shortage. Public and private sector organizations have scrambled for talent as cybersecurity is elevated to a board-level issue at private sector companies and draws more focus in the public sector as well. However, for public sector organizations, this government shutdown will have lasting effects on the interest in government cybersecurity positions, but not in the way many experts are thinking.

The current stance of many cybersecurity professionals is that the shutdown will exacerbate an already competitive recruiting market and that, given the perceived instability of a government cybersecurity position, new entrants will be deterred from joining the workforce. I don’t think this will be the case. New entrants in the job market, namely recent graduates, are more concerned with experience than with stability. What the shutdown will do is cause a brain drain rather than a recruiting crisis. The retention of current employees will be a greater immediate issue once the government opens following the shutdown.

NIST proves essential

Within the cybersecurity community, one of the greatest issues that occurred as a result of the government shutdown was the loss of the National Institute of Standards and Technology website. The gold-standard NIST Cybersecurity Framework, as well as NIST's broader portfolio of standards and practices for cybersecurity, was inaccessible for the first three weeks of the shutdown. Public and private sector security leaders alike were blindsided by the lack of access. Losing these gold-standard documents surpasses talent and team size in terms of cybersecurity risk for the nation.

Although the government shutdown continues, the public outcry over the NIST website going down caused a shift in government resources, and the NIST website is now at least partially functioning. With the government being one of the more important users of NIST publications, the lapse in access is the greatest threat that we faced as a result of the shutdown.

What the government shutdown really has done for the nation’s cybersecurity

While many members of the industry are concerned with the impact of the shutdown itself, the government shutdown has had a greater longer-term impact. Rather than creating new openings for cybercriminals, the government shutdown has illuminated existing risks that the government faced before the shutdown and caused the industry to react. The government shutdown has acted as a catalyst for the nation to start asking questions about how our government approaches cybersecurity.

The shutdown has also load tested which parts of the nation’s approach to cybersecurity are deemed “essential”. It is not simply the personnel, but the resources. More specifically, the NIST resources, while shared between the public and private sectors, are critical to the nation’s cybersecurity operations. The longer-term implication is that the CISA will need to reassess its relationship with NIST and determine a contingency plan to keep the NIST cybersecurity resources operational in the event of a future shutdown.
