Eric Geller
Warning that the longest government shutdown in U.S. history may have opened the U.S. up to new national security risks because of undetected cyberattacks, Democratic lawmakers on Tuesday pressed the Trump administration to explain how furloughs disrupted efforts to defend federal computer systems from hackers.
Six Senate Democrats sought answers from senior administration officials about how the government will overcome delays in contracts with firms that safeguard U.S. networks. They also worried that, during the shutdown, agencies weren't able to quickly implement an emergency Department of Homeland Security order to secure web traffic.
The lawmakers also expressed alarm about the shutdown's effect on the morale of federal cybersecurity workers, especially as Washington struggles to compete with the private sector for top talent.
The requests came as top U.S. intelligence officials testified before the Senate Intelligence Committee that a relentless pace of cyberattacks from Russia, China and other adversaries posed a serious and growing threat to American lives, property and data.
“We are concerned that these circumstances have left our government and citizens vulnerable to cyberattacks,” Sens. Amy Klobuchar (D-Minn.), Ed Markey (D-Mass.), Tom Udall (D-N.M.), Catherine Cortez Masto (D-Nev.) and Cory Booker (D-N.J.) said in a letter to DHS Secretary Kirstjen Nielsen and NSA Director Gen. Paul Nakasone.
Hours later, Sen. Mark Warner, the top Democrat on the Intelligence Committee, released his own letter to Nielsen expressing his “sincere hope that we will not come to learn that malicious actors opportunely chose to exploit our defenses while hundreds of thousands of government employees were needlessly pulled away from their jobs.”
During the shutdown, more than half of the employees at the new DHS Cybersecurity and Infrastructure Security Agency were furloughed, as were 86 percent of employees at NIST, which develops security standards for agencies, standards that are widely used in the private sector.
And while FBI agents and support personnel continued to investigate cybercrimes — and federal prosecutors continued to pursue indictments — the shutdown halted important training seminars and jeopardized paid source arrangements. (The Pentagon, home of the NSA and U.S. Cyber Command, remained funded.)
“Experts have warned that our reduced capacity for cybersecurity during shutdowns provides an opportunity for adversaries and cybercriminals,” Klobuchar and her colleagues wrote to Nielsen and Nakasone.
In addition to creating vulnerabilities, shutdowns demoralize the talented corps of cyber professionals who work for federal agencies. The government and the private sector both face dire cyber workforce shortages, but private firms pay far better, and cyber experts regularly leave the FBI, DHS and other agencies for senior corporate roles. The shutdown is expected to exacerbate that worrisome trend.
“Needless shutdowns like this one have the effect of discouraging talented individuals from joining the Federal workforce, and pushes some of our best towards alluring careers in the private sector,” Warner wrote in his letter to Nielsen. “What is being done to address the likely effects of the shutdown on employee morale, and what additional efforts will [DHS] take, if any, to retain and recruit cyber talent?”
On Jan. 22, CISA issued an emergency directive ordering agencies to take steps to prevent hackers from intercepting traffic meant for federal websites. By tampering with the Domain Name System, the phone book of the internet, “attackers have redirected and intercepted web and mail traffic, and could do so for other networked services,” CISA Director Chris Krebs told agency leaders. On Twitter, Krebs acknowledged that the shutdown might delay implementation of the directive.
In his letter, Warner asked Nielsen if DHS had “estimated the impacts of the shutdown on compliance” with the order.
With non-furloughed workers forbidden from performing many routine tasks, the security certificates for more than 130 federal websites expired, potentially compromising data uploaded to or downloaded from those websites. Because of modern web browsers’ default security settings, some of those websites would have been unreachable except through workarounds known only to savvy internet users.
“Long term, the effect is an undermining of public trust in the competence and security of federal websites and web-based government services,” Warner wrote of the certificate issue.
Klobuchar and her colleagues asked whether DHS had considered requiring automatic certificate renewals and whether it needed “additional authorities” to do so.
They also asked whether the government would assess federal websites for “suspicious activity that may have occurred during the shutdown.”
Warner asked Nielsen about the DHS plan for the shutdown’s aftermath, how long it would take to restart cyber contracts that were paused and whether any election security work continued during the shutdown.
The Democrats offered several examples of previous shutdown-related incidents. During the October 2013 shutdown, Chinese hackers breached the Federal Election Commission. Their initial intrusions into the U.S. Office of Personnel Management — which would eventually result in the theft of more than 21 million federal workers’ sensitive personal data — began weeks after that shutdown ended.
“The troubling reality,” Warner wrote, “is that with our federal employees just returning to work, we can only now begin a full accounting of the impact it has had on our nation’s security.”