MARK R. WARNER, a ‘whos FINANCE BANKING, HOUSING. AND) URBAN APPAIAS Wnited States Senate suvcer ULES AND ADMINISTRATION January 29, 2019 The Honorable Kirstjen M. Nielsen Secretary of Homeland Security U.S. Department of Homeland Security 3801 Nebraska Avenue, NW Washington, DC 20016 Dear Secretary Nielsen, I write today, after our government was needlessly shut down for 35 days, to express my deep concem over the impact it had on our nation’s ability to defend itself against cyber-based threats. As the Vice Chairman of the Senate Select Committee on Intelligence, I am reminded on a daily basis of the threats that our nation faces. I have repeatedly emphasized, including in hearings where you have testified before our committee, that the most significant threats we face as a nation emanate from the digital domain, I have time and again sought to sound the alarm about our nation’s lack of a coordinated cyber strategy, and about our being unprepared to fully protect, against and deter these attacks. That is true today more than ever. One of the many areas where this unnecessary shutdown had dramatic consequences is on our nation’s ability to defend against eyber-based threats. These threats come from a range of malicious actors, are constantly evolving, and are unrelenting, Perhaps no one understands that better than the professionals you lead. According to your department's Cybersecurity Strategy published last year, “the number of cy‘er incidents on federal systems reported to DHS increased more than ten-fold between 2006 and 2015.”! That strategy document outlines the critical role that your department plays in protecting our nation against these daily threats. Within the Department, the Cybersecurity and Infrastructure Security Agency (CISA) plays an incredibly important role in this mission. According to their website, CISA “leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.”* I am very concerned about CISA’s ability to carry out that mission over the past month, in light of a statement by the agency’s spokesman that, due to the shutdown, it had “ceased a variety of critical cybersecurity and infrastructure protection eapabilities.”® The same spokesman indicated that an estimated 43 percent of the agency's employees had been sent home US. Department of Homeland Security Cybersecurity Strategy,” Department of Homeland Security (May 15, 2018), available at: https./www.dhs.gov sites/default/fles/publications/ DHS-Cybersecurity-Strate 2 Cybersecurity and Infrastructure Security Agency,” Department of Homeland Security, available ai hhps/www.dhs.gov/ciswabout-cisa » Sinead Baker, “The record-breaking government shutdown is putting the US at risk of a major cyberattack,” Business Insider (Jan 17, 2019), available at itp: www businessinsider,com/government-siutdown-us-tisk: [2utm_source=twitter&utm_medium=referral@utm_content-topbar@utm_term=mobile@referrer~twitteruring the shutdown.* Certainly for employees who continued to work without pay, the shutdown inevitably had a negative effect on morale. ‘The gravity of this situation — and of the information security risk across federal agencies resulting from the government shutdown — was exemplified by an Emergency Directive issued by CISA just last week. On January 22 CISA contacted nearly all federal executive branch departments and agencies, providing notice of “a series of incidents involving Domain Name System (DNS) infrastructure tampering,” which had impacted multiple executive branch domains, allowing attackers to intercept and redirect web and mail traffic.° Guidance issued by CISA directed agencies to confront the “significant and imminent risks” to information systems by taking a series of actions, urgent enough that they must be completed within 10 business days.* Left unmentioned was how federal agencies, already understaffed as a result of this reckless shutdown, could successfully accomplish this task while managing a range of other essential functions. ‘Though outside of your department's jurisdiction, other reports have shed light on how far reaching these impacts are on our nation’s cybersecurity. According to the Federal Bureau of Investigation Agents Association, our nation’s ability to conduct cyber investigations was greatly hindered. As outlined in their report Voices from the Field: FBI Agent Accounts of the Real Consequences of the Government Shutdown, one impact was that agents in some cases lacked funds to pay confidential human sources. The loss of intelligence from these suspended interactions is described as “immeasurable.”? The shutdown also affected Americans’ ability to access critical information and services provided by their government. On top of agencies’ websites whose content was no longer being updated as a result of the shutdown, it was reported that the security certificates for more than 130 government websites had expired.* These security certificates, which expired absent manual renewal during the shutdown, render a number of these government sites unreachable to the public, as popular browsers treat the expired certificates as a security risk. Long term, the effect, is an undermining of public trust in the competence and security of federal websites and web- based government services. ‘These data points are but examples, which taken together paint a troubling picture of the state of our nation’s cyber defenses through the shutdown. The troubling reality however, is that with our federal employees just returning to work, we can only now begin a full accounting of the impact it has had on our nation’s security. * toi * Christopher C. Krebs, “Emergency Directive 19-01,” Cybersccurty and Infrastructure Security Ageney (Jan 22, 2019), avaitabie at: https:/evberdhs.2ov'assets/eportied-19-01 pdf « tid. Voices from the Field: FBI Agent Accouns ofthe Real Consequences ofthe Government Shutdown,” FBI Agents Association (Jan 2019), availabe a: ‘hups/Avonw fia, org/sites/default/fles/downloadable/FBIAA%20V oices*20from®%20the™420Field.pdf * Brian Fung, “The shutdown is breaking government websites, one by one,” The Washington Post (Jan 17, 2019), available a: bitps/www. washingtonpost,com/technology/2019/0/1/shutdown-is-steadily-devouring-us- government-websites/2utm_term=,bd6687500b52Our nation’s last extended shutdown took place in October 2013. Just weeks after its conclusion, and after federal employees would have returned to work, is when forensic investigators determined hackers first breached the networks of the Office of Personnel Management (OPM).° In two breaches that followed, more than 21 million current and former federal workers had their personal data, and in some cases background investigation records, compromised. In the years since the breaches were made public, my office, as well as those of a number of my colleagues in the Senate, applied significant pressure to OPM to get to the bottom of the situation, and address vulnerabilities going forward. It's my sincere hope that we will not come to learn that malicious actors opportunely chose to exploit our defenses while hundreds of thousands of government employees were needlessly pulled away from their jobs. | respectfully request that you respond to the following questions: 1. Did your department notice an uptick in attempted attacks, intrusions, and/or other incidents during the shutdown? If so, to what extent? 2. Accounting for contract workers, what percentage of the Department's overall cyber workforce was furloughed? 3. Have you estimated the impacts of the shutdown on compliance with Emergency Directive 19-01? 4, What work had the Department done in planning for the resumption of work upon the reopening of the government? Had the Department calculated, for example, how long it will take personnel to work through the backlog of work that had accumulated during the shutdown? 5. How long will it take cybersecurity-related contracts that were suspended under the shutdown, to get back up and running? © What has the security impact been of the delay on initiation of these projects? © Has the Department developed a plan for addressing contracts provided by firms, especially those of a smaller size, which had to layoff needed workers during the shutdown? 6. The Federal government faces well-documented challenges recruiting and retaining top cyber talent at levels needed to keep us safe, Needless shutdowns like this one have the effect of discouraging talented individuals from joining the Federal workforce, and pushes some of our best towards alluring careers in the private sector. This is acknowledged by all five individuals who preceded you as Secretary — spanning each the Bush, Obama, and Trump administrations — who on January 23 wrote that “the Department is facing a real crisis in retaining this [high-tech] workforce week after week.”'? Their letter describes the hardships that Department employees and their families had to endure as “unconscionable.” ° Josh Frublinger, “The OPM hack explained: Bad security practices meet China’s Captain America,” CSO (Nov 6, 2018), available at: https://www csoonline.comvarticle/3318238/data-breach/the-opm-hack-explained-bad-security- practices-meet-chinas-captain-america.html ‘© Tom Ridge, Michael Chertoff, Janet Napolitano, Jeh Johnson, John Kelly, Letter to “President Trump and ‘Members of Congress,” (Jan 23, 2019), available at: hips: /iwitier,com/NBCNews'status/ 108824 14864944