As the impasse threatens to drag on indefinitely, private sector impacts are increasingly likely in the cyber area. Companies need to assess how their cyber vulnerability has been affected with the absence of key Department of Homeland Security resources, especially in areas involving Critical Infrastructure Systems, as well as federal regulatory watchdogs in the financial and health care spaces.
Robert Cattanach is a partner at the international law firm Dorsey & Whitney. He has previously worked as a trial attorney for the United States Department of Justice and was also special counsel to the Secretary of the Navy. Today he practices in the areas of regulatory litigation, including cybersecurity and data breaches, privacy and telecommunications, civil and criminal enforcement proceedings and international Regulatory Compliance. He has some advice for companies during the shutdown when it comes to their cybersecurity.
"The adage “you don’t know what you don’t know” has never been more true," Cattanach says.
"Frequently, companies with cyber vulnerability are shocked to learn that their systems have been compromised – not from their own IT departments, but from one of the many federal technology resources responsible for cyber vigilance on a broader scale. That safety net is gone, certainly today, but also likely for some time to come as the void created by the shutdown likely will be felt for some time to come even after federal cyber sleuths are called back to work," Cattanach says.
"So what is a company concerned about its increased cyber vulnerability to do?
- "First, assess your cyber vulnerability with a fresh set of eyes. Cyber thieves thrive when environments that rely on careful cyber maintenance and monitoring from different sectors suddenly are denied that critical set of second eyes. Consider another resource, perhaps outside consultants or industry-specific subject matter experts, to role-play what federal cyber regulators might otherwise have been doing," Cattanach says.
- "Second, double down on internal processes and controls. Ultimately, we are only as good as the monitoring that we can do, which is never perfect. Yes, IT is always clamoring for more resources, and mission-creep is a common problem, but temporary enhancements in the areas of system monitoring and access controls may be well worth the temporary pain on the balance sheet, especially when compared to the alternative," Cattanach says.
- "Third, remember not only that: “it ain’t until it’s over”, but almost certainly sometime well after that. Cyber criminals are a patient lot. Most intrusions occur well before the intruder actually executes on them. Long after the shutdown has ended, and of course it will, companies will face the risk of ‘cyber sleeper cells’ embedded in their systems during a time when those systems were marginally more vulnerable, and then activated weeks and months from now when vigilance may have subsided," Cattanach says.
"These are not one-size fits all suggestions. Each company can, and should, do a fresh assessment of how the shutdown might be increasing their cyber cyber vulnerability exposure, document that assessment and what was done about what was learned, and be ready to use that assessment as evidence of good faith and due diligence in the event that cyber criminals or nation states used this time to advance their causes, potentially at your expense," Cattanach says.