Thousands of federal cyber workers are returning to their posts after more than a month on furlough today. And they have a big to-do list.

The first priority: Looking for evidence of any major hacks that wormed through government defenses the past 35 days while agencies were working with a skeleton crew of security pros.

It will take them days or weeks to pore through security logs to assess how much damage the shutdown did to the security of government computer networks and the sensitive data they hold. The attacks did not abate because the government was closed: One cyber manager who worked without pay during the shutdown described an uptick in attacks on his agency — including phishing emails containing malware, attempts to reset employee passwords and attempts to trick users into downloading malicious software cloaked as a legitimate update.

Also on the docket: Figuring out how to adjust the multimillion-dollar contracts to upgrade and secure federal IT systems that have spent more than a month on ice.

Perhaps most dishearteningly, cyber and IT leaders across the government will need to figure out the smartest way to prepare for the possibility of another shutdown if Congress and the president can’t reach a new funding deal when the current one expires in three weeks. President Donald Trump has said congressional Democrats must give him new money for a U.S.-Mexico border wall or risk another shutdown when the temporary funding expires.

The best hope, former officials told me, is that agencies can learn from the shutdown just ended to prepare as smartly as possible for the next one – if and when it comes.


“In terms of preparing to shut down again, the agencies should look at any lessons they have learned from having to operate with a skeleton crew and make adjustments based on that very recent experience,” Michael Daniel, former White House cybersecurity coordinator, told me by email.

Already, the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency is gearing up to take on some big projects post-shutdown. CISA was operating with about half its staff furloughed and the remainder working without pay during the shutdown. But this week, one of its top goals will be implementing an emergency order , issued Jan. 22 during the shutdown, directing agencies to protect their Domain Name System from a cyber hijacking campaign that private-sector researchers have linked to Iran, an agency official told me.

Digital tampering stemming from that vulnerability affected “a number of agencies” during the shutdown, according to a tweet stream from CISA Director Chris Krebs:

“We are aware of a number of agencies affected by the tampering activities and have notified them. In part, by issuing the directive, CISA seeks to work with agencies to detect and prevent additional impacts on agencies and systems.

Yesterday, I issued an emergency directive to US civilian agencies requiring immediate actions to protect Federal information systems from ongoing DNS hijacking and tampering activities. This activity was first raised to CISA by partners in the internet security community.”

Other CISA priorities include cutting paychecks as quickly as possible to employees who have been furloughed or working without pay, relaunching stalled work on election cybersecurity and helping industries combat Chinese hacking, the official told me.


The agency also plans to relaunch efforts focused on supply chain cybersecurity and pipeline security, the official said.

“We are happy to be back at it, and look forward to getting the full force of CISA back up to speed,” the official said.

CISA and other agencies must also focus after the shutdown on restoring the morale of highly skilled workers who missed two successive paychecks and may be seriously considering leaving government for the private sector, former officials told me.

Those agencies should also move to restart the hiring process for new cyber pros as quickly as possible, Philip Reitinger, a former top DHS cyber official, told me.

“One piece of advice I’d offer agencies trying to hire cybersecurity talent is to start reaching out to prospective hires on Monday,” Reitinger said, “assuring them that they are valued and that the government needs them – please don’t be discouraged and decide to work elsewhere.”

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.

filed under: