Out of Aspen, Part 2: Sequestration is Penny Wise, but Pound Foolish for Cyber Security

Governments globally need to focus on the unintended consequences of across-the-board attempts to deal with deficit spending.  Saving pennies is important, but we need to make certain those savings do not cause large consequences for security that will cost much more in the long run.

Cyber data breaches are a prominent topic this week at the Aspen Institute’s Aspen Security Forum in Aspen Meadows, CO, particularly given the recent series of high-profile data breaches in government. Both FBI Director James Comey and Homeland Secretary Jeh Johnson pointedly mentioned during their interviews that the great efforts of their respective organizations would be severely diminished should sequestration occur again due to a Congressional failure to reach a budget.

“Decapitating the budget” is the exact phrase Secretary Johnson used to refer to the potential impact of sequestration.  A 2013 Office of Management and Budget memo called out the cancellation of $85 billion of budget across the US federal government and further uncertainty from the expiration of the continuing resolution during the last sequestration.

This budget elimination severely hampered ongoing operations and personnel, producing a terrible effect upon every government organization.  But the 2013 sequestration also produced an unintended result that could have inadvertently provided assistance to state-sponsored adversaries.

Many security experts agree that the first noteworthy activity performed by cyber criminals, state-sponsored adversaries, and activists alike is reconnaissance against their potential victim organization.  This reconnaissance gathers information on key individuals within the organization. This information fuels the social engineering needed to effectively target specifically identified individuals and systems through tactics such as spear phishing.  Information on personnel with credentials and access to critical mission or business systems is therefore intelligence of the highest order.  The possession of such intelligence significantly increases chances for success for the state-sponsored or criminal cyber-attack.

During the 2013 sequestration, the specific guidance from federal organizations was to identify personnel who were exempt from being furloughed during the government shutdown.  For example, DHS guidelines required the following, creating a focus group for adversaries:

“Retaining minimal personnel to maintain telecommunications as they relate to exempt activities.” 

These exempt activities included counter-terrorism efforts and protective Secret Service functions, and the information technology and security personnel required to ensure their success.  Government-wide guidance of this kind prioritized the most essential personnel as it related to supporting essential government missions – department by department, agency by agency.  By identifying ‘essential’ personnel and excluding non-essential personnel from government facilities through furloughs, state-sponsored adversaries were given a reconnaissance gold mine in which to drill.

The physical foot traffic in and out of government buildings during sequestration was in many cases made up of the essential information technology and security personnel required to keep the electronic presence of a department or agency functioning – the same people that adversaries are desperately trying to identify in order to compromise credentials that give them the ability to operate with impunity on government networks.  The reduced number of people entering and exiting federal buildings directly correlated with a reduced amount of effort to identify and prioritize targets of opportunity.

In the TJ Maxx information security and privacy debacle in the early 2000s, cyber criminals were ‘war driving’ and ‘war parking,’ literally setting up shop in the parking lots of the TJ Maxx stores to capture the unencrypted wireless traffic, which included millions of credit card records.  Is it really so difficult to believe that state-sponsored adversaries would utilize this same technique, parking outside public federal buildings in order to perform physical reconnaissance such as high-resolution photography to begin to identify and capture information about the reduced number of personnel entering and exiting public federal buildings during sequestration-driven furloughs?

High-deficit government spending makes budgetary issues such as sequestration a constant and ongoing threat to federal operations.  If sequestration is to occur again, federal guidance needs to include how to protect organizations from giving adversaries reduced barriers to gaining valuable reconnaissance intelligence.
