Washington Exec and CBS News, January 18, 2019, with comments by Ray DeMeo
In the midst of the ongoing government shutdown, those of us observing from the outside can clearly see the government is suffering from myopia. Each of the parties involved sees their own perspective with crystal clarity to the exclusion of seeing other increasingly glaring and serious side effects that are growing day by day.
The side effects are many, and this article highlights two of them. The first is the effect the shutdown is having on contractor staff and employee personnel. When it comes to hiring good talent, the government has always faced steep competition with private employers, for both contractors and employees. Private organizations can often pay high salaries, but government employers could counter that with stability, pensions and other benefits. But now, with three shutdowns in just 2018 alone, government jobs aren’t looking so stable. In fact, they are looking far from appealing on any level.
Some larger companies have been able to shift contractors to a different, funded department. But small firms lack those options. Even after this shutdown ends and any back pay is received, many employees could choose to leave and avoid having to face this kind of situation again. The current tight labor market makes it tougher because it gives employees more options of places to go.
Ray DeMeo, co-founder and chief operating officer at Virsec, told WashingtonExec it’s hard for a company to recruit people to work on contracts whose government counterparts — contracting officers, etc. — are currently furloughed. And he noted many firms don’t have much financial flexibility. “Contractors bid these jobs as tight as they can and work very hard to recruit,” DeMeo said. “Not every contractor has huge operational overhead to retain people.”
He also agreed the shutdown is threatening to take the sheen off government contract work.
“It makes those jobs less stable than other jobs in the commercial sector,” DeMeo said. “And if a government contractor employee feels like a job is less stable or less fulfilling, it’s a no brainer to take another opportunity.”
On another front, one that has gotten little attention until the last few days but is perhaps even more dangerous, and in some ways related to staffing, are threats to cyber security. Reports say cyber security threats are skyrocketing during this shutdown. Even when the US government is fully staffed and “on it,” cyber threats persist on a moment-by-moment basis.
A news report over the weekend described the parking lot last week at the Department of Homeland Security (DHS) as being nearly empty. In a shutdown where only non-essential parts of the government were supposed to be closed, it raises the question of what criteria make something essential or not.
“According to the MIT Technology Review, approximately 45 percent of employees at the Cybersecurity and Infrastructure Protection Agency, a part of the Department of Homeland Security (DHS), and 85 percent of staffers at the National Institute of Standards and Technology (NIST), the department in charge of maintaining cybersecurity standards, are on furlough.”
While the DHS and other agencies are sidelined, ill-intentioned nation states and attackers who have repeatedly targeted us in the past (Russia, China, North Korea, Iran) see this as an open door to take advantage of until we get our act together. They already have activities in motion and now they can hit the accelerator. Maybe we won’t see effects right away – often what we have seen from these nation states is missions of reconnaissance, including invading US electric grids and utilities (see recent articles)*. But those invasions are widely viewed as preliminary steps to possible takeovers or shutdowns.
Significant breaches are also a threat. They have happened before, and they rack up costs on multiple fronts, including monetary. The cost of breaches to corporations on average is $4 million. The cost to the government for breaches is far more. In its shutdown considerations, or lack thereof, the government hasn’t factored in that a data breach targeting the government itself during a shutdown could cost taxpayers millions. And without regular staff on duty for weeks on end as the shutdown sludges on, future damages could be far worse.
Ray DeMeo, co-founder and COO of cyber-defense firm Virsec, is concerned that the government shutdown could have negative long-term consequences on government staffing and recruiting for important cybersecurity jobs in the future. These jobs, DeMeo says, keep Americans safe.
"Even at full capacity, resources are at a bare minimum for the mountain of work at hand just to get the government's IT infrastructure up to minimum levels of resiliency, all while working against the nonstop firehose of hour-by-hour attacker assaults," DeMeo said. "Attempting to parse critical and non-critical cyber personnel is not possible. It's quite literally dismissing the people who are building your fort while you are in the middle of fighting a war."
Sometime in the summer of 2016, a group called The Shadow Brokers broke into The Equation Group, a division within the government’s National Security Agency (NSA), and stole the largest treasure trove of sophisticated hacking tools the world has ever seen (DoublePulsar, EternalBlue behind WannaCry, NotPetya, etc.). Since then, repeated cyber attacks using those tools have continued to plague organizations around the globe. That theft happened with our government fully staffed, open and up and running. What might bad actors be doing now while no one’s at the wheel for weeks on end?
Read the full articles: “Shutdown starting to hurt contractor staff” and “Government shutdown lays out hacker ‘welcome mat’”
Recent articles about Russia attacking US electric grids:
1. Despite US defenses, Russian hackers are still trying to break in to America’s power grid (12/6/18)
2. Could Russia Shut Down US Electric Grids? (8/20/16)
4. Russian Hackers Breach US Utility Networks via Trusted Vendors (July 25, 2018)
5. US-CERT Finds Russian Hackers Spent Months Inside Targeted Systems (March 22, 2018)