Shutdown, Policy Gridlock Deal Major Blows to Cybersecurity Efforts
A mix of pessimism and disbelief best describes the mood of the cybersecurity community, which is seeing programs derailed by the U.S. government shutdown and policy priorities relegated to the bottom of the pile of unfinished business in Washington.
Cybersecurity advocates on Capitol Hill also have been frustrated as new legislation remains stuck in gridlock and mired in contentious debates over government surveillance.
The most immediate consequence of the shutdown that began Oct. 1 is a demoralized workforce, government and industry officials said Oct. 8 at a Politico cybersecurity conference in Washington, D.C.
At the National Security Agency, the U.S. government’s most skilled cyber workers have been told to stay home, including nearly 1,000 Ph.D.s, about the same number of mathematicians and 4,000 computer scientists, said Army Gen. Keith Alexander, commander of U.S. Cyber Command and NSA director.
The furloughs also will undermine U.S. government initiatives to recruit new workers, Alexander said at the conference.
Lawmakers who have long been engaged in cybersecurity policy oversight said they worry that the shutdown is distracting government agencies from protecting the nation from hackers and spies.
“If we have to take a step backwards because of the lack of funding, that gives the bad guys an opportunity,” said Sen. Saxby Chambliss, R-Ga., ranking member of the Senate Select Committee on Intelligence.
Chambliss would like to see the Senate move forward with a debate on a two-year-old piece of legislation that the House passed — the Cyber Intelligence Sharing and Protection Act, or CISPA — intended to promote intelligence sharing on cyber attacks between the government and the private sector. The bill has been stalled in the Senate due to disagreements over the role of civilian and military agencies in dealing with the private sector. The Snowden leaks also have put the brakes on the legislation, as many lawmakers want to address concerns about government surveillance of U.S. citizens before any cyber bill is passed.
“Cybersecurity has been crowded out” not only by the budget fight but also by calls for reforms to the Federal Intelligence Surveillance Act, Chambliss said.
The Senate expects a backlog of legislation — with federal budget appropriations bills and the defense authorization act among the major ones — to get crammed into a few weeks before the end of the year, which means the odds of passing a cyber bill are diminishing, said Chambliss. “The clock is ticking and here we are, arguing over funding.”
If bills slip into next year, their prospects only will worsen as Congress shifts to election mode, Chambliss said. “Things are going to get harder to deal with in January. We get into an election year and things tend to fall off the table.”
He said he worries cybersecurity will suffer a double whammy from the shutdown and from sequester budget cuts. If sequester remains in place, he said, there will be considerable furloughs in cyber agencies and the intelligence community next year. As a result of the slowdown in cyber efforts, he said, the “Chinese, Russians and Iranians [are] licking their chops.”
A rollback in cybersecurity programs also is costly to the private sector, said Rep. Adam Schiff, D-Calif., ranking member of the House subcommittee on technical and tactical intelligence. He said government contractors lose billions of dollars a year to intellectual property theft.
The economic impact of NSA furloughs has been significant, said Rep. Dutch Ruppersberger, D-Md., ranking member of the House Intelligence Committee. “My district is known as the cyber capital of the world,” he said. “NSA contractors are losing $20 million a day.”
As the government seeks to beef up its ranks of cybersecurity experts, the furloughs are going to leave a lasting, negative impression on potential recruits, said Rep. Mac Thornberry, R-Texas, chairman of the House Armed Services subcommittee on intelligence, emerging threats and capabilities. “The upheaval is detrimental to this country,” he said. “We need budget stability. Living from CR [continuing resolution] to CR, and the threat of sequestration makes it a difficult environment to recruit people.”
At the Department of Homeland Security, more than half of the cyber workforce was furloughed. “I would argue that puts the nation at risk,” said Rep. Michael McCaul, R-Texas, chairman of the House Committee on Homeland Security.
Like Chambliss, he fears that cyber legislation is getting crowded out of his committee’s schedule by the shutdown and other pending bills such as border security. “Government spending is front and center for a lot of members,” he said.
For the private sector, the realization that cybersecurity is no longer a front-burner issue in Washington has been cause for alarm.
The shutdown has diverted everyone’s attention, said Tim Sample, vice president of national security programs at Battelle. The budget standoff is happening at a time when cyber threats are increasing, he said. Companies would like to see the administration and Congress agree on broad policy guidelines for cybersecurity, he said. “We do not have a doctrine. … We have a lot of programs and policies without an underlying framework.”
The vast majority of American companies do not have the means to protect themselves from cyber attacks, he said. The United States needs to address the issue that the Internet has become a de facto utility. It affects the entire global economy, he said, and should be treated as critical infrastructure.
The tech industry also is disappointed that the shutdown has eclipsed discussions on education and immigration reforms. “That is essential from a tech perspective, to ensure we have the talent to continue to innovate,” said Chris Finan, a former White House official and currently a fellow at the Truman National Security Project. “There are a lot of challenges we need D.C. to tackle” that will not be tackled because of the budget crisis, he said. A case in point is the Obama administration’s latest draft of a new executive order that is expected to provide standards that companies can voluntarily adopt to improve cyber defenses. Finan said he went online to read the latest draft but the website was unavailable. “People are going to get sick of these shenanigans,” he said.
From a law-enforcement perspective, the government shutdown is hurting companies’ ability to obtain valuable threat intelligence from the FBI, said Richard Bejtlich, chief security officer of Mandiant, a cybersecurity firm. “One of the most effective programs I've seen is the FBI external notification program,” he said. The FBI informs companies of suspected intrusions. “Interruptions to that program worry me,” he said.
Jay Kaplan, CEO of Synack, said the shutdown only aggravates a larger human-capital problem that the government faces as it tries to beef up cybersecurity. Talent shortages are going to be a serious handicap for federal agencies, he said. “Government workers are disparaged by elected officials, they have no realistic prospects of increases in pay.” The federal procurement process, too, is a deterrent to recruits, he said. To manage multibillion-dollar programs takes knowledge and experience, he said, “and a lot of that is leaving.”