Shutdown Exposes Companies to Heightened Cybersecurity Risks

Oct. 22, 2025, 4:15 PM UTC

Companies are on guard for a potential spike in cyberattacks as the lingering government shutdown exacerbates weaknesses in security defenses and further disrupts coordination.

Since the US government ran out of funding on Oct. 1, businesses say key security guidance from agencies is missing and they lack guarantees that federal workers will pick up the phone in the event of a cyberattack.

One of their main points of contact, the Cybersecurity and Infrastructure Security Agency, has been nearly stripped of its workforce since the Trump administration took office, with swaths of workers transferred to other roles and more layoffs announced since the shutdown began. Partnerships between the private and public sectors were canceled. Visibility into threats across industry sectors is limited.

Businesses are also operating without the Cybersecurity Information Sharing Act of 2015, a law that enabled them to safely share cyber intelligence with other companies and the government, which expired on Sept. 30.

Now with much of a federal safety net peeled away, some companies are aiming to compensate by upping their cybersecurity, swapping updates from the government for industry sources, and mitigating legal risks.

“All the good hygiene around security that you have in place, it needs an extra push right now to say, it’s really important that we’re not deviating from our expectations when it comes to policies, procedures, and security controls,” said Heather Kuhn, senior privacy counsel at BigID, a compliance software provider. “Security hygiene needs to be at an A-plus level right now, because there is a lost layer of defense putting companies at a bigger risk.”

Stress on Private Sector

In interviews, companies and cyber professionals said government shutdowns open the door for increased attacks against the private sector, which includes a majority of US critical infrastructure, such as water systems or health-care entities.

“It is especially concerning that we have less resources, that the government is working with approximately 35% less resources, especially with cybersecurity,” said Aparna Williams, chief legal officer at Sophos, a cybersecurity services provider.

She added, “We’re just managing. And what this does is put a lot of stress on the private sector. We have to be vigilant. We basically have to fill the gaps.”

Some are fine-tuning their network monitoring to over-alert, flagging any suspicious activity for their cyber teams to investigate. Others are checking compliance with certain policies—like rules around passwords—to patch any vulnerability.

“Anything that doesn’t seem right even a little bit, you want to double check it, just to be proactive,” Kuhn said.

But with government officials pulling out of industry conferences—which offer unique opportunities for businesses to hear directly from federal personnel on ongoing cyber issues—and guidance from cyber agencies slowing to a trickle, companies still worry about missing key alerts from federal sources.

“The problem with having such a small number of staff at CISA is you don’t necessarily have people who are able to respond to attacks in the same way,” said Ilona Cohen, chief legal officer at HackerOne and former general counsel at the Office of Management and Budget in the Obama administration. “You’re not able to provide information at the same speed.”

Two weeks into this shutdown, CISA issued an emergency directive on Oct. 15 after a breach in the networks of F5 Inc., whose products are widely used by Fortune 500 companies and government agencies. But some security officers say it fell short of offering actionable details to companies.

“If CISA was fully functioning, you would expect a good, comprehensive analysis of the incident, which I could then apply to what’s going on to me and my customers,” said Stephen Fridakis, field chief information security officer at Cyderes.

CISA said it remains dedicated to protecting critical infrastructure during the shutdown and is “sustaining essential functions” to provide “timely guidance.”

The shutdown is “forcing many of our frontline cybersecurity experts to work without pay, even as nation-states intensify their efforts to exploit Americans and critical systems,” Marci McCarthy, CISA’s public affairs director, said in a statement. “This is an unacceptable and unnecessary strain on our national defenses.”

Chilling Effect

The most tangible shutdown effect on the private sector so far is the expiration of the cybersecurity information sharing law, in-house professionals say.

The end of liability protections for companies disclosing threat information to businesses and government is forcing executives to re-assess what they want to share going forward.

“This has gotten the legal teams’ attention,” said Justine Phillips, partner in Baker McKenzie’s data and cyber practice group. “Issues around antitrust protection and collusion and sharing information with other competitors has certainly got companies reconsidering where their CISOs and information security teams may share information.”

As a result, legal teams are figuring out the scope of intelligence their company had been sharing and with whom. Some are updating playbooks to change how threat information is being disclosed and reviewing or drafting agreements to govern company-to-company information sharing. Others are looking for where cyber intel had been shared automatically, such as through interfaces that allow different applications to communicate with each other.

“The private sector has just come out and said, ‘You know what? We’re going to be really reluctant to share information with the federal government without the insulation from regulatory and civil action that was there as part of the CISA 2015 Act,’” said Mike Hamilton, field chief information security officer at Lumifi Cyber and former CISO of Seattle.

Legal teams that block sharing risk significantly slowing the spread of key details about threats and vulnerabilities in US networks at a time when speed is central to incident response, cyber professionals said.

“While all that deliberating is happening, you better believe that the adversaries are emboldened,” Cohen said. “They’re not waiting for anyone. They don’t care how long it takes you to decide. They’re just going to keep pressing on, because that’s what they do well. So it’s really a disservice to the whole cyber ecosystem.”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Catalina Camia at ccamia@bloombergindustry.com; Jeff Harrington at jharrington@bloombergindustry.com
