They did what?
During the government shutdown, which has now gone on for over two weeks, the clever folks at the National Institute of Standards and Technology (NIST) took down many of the resources that the cybersecurity community relies on to help protect society.
The NIST Cybersecurity department has indispensable
frameworks and other tools that cybersecurity professionals use every day. These
resources have been created over the years by some of the best minds in
cybersecurity. Many volunteers have assisted in heroic efforts to help us improve
our cybersecurity positioning in a world where hackers, digital pirates and
malware operators always seem to be just around the corner.
Obviously, not all ongoing operations are funded during the
government shutdown – but even during this “partial shutdown,” the NIST website is up.
So, the government is not saving any money by taking the site down. NIST just
crippled portions of the website so that we could not access the documentation
that taxpayers have spent millions of dollars on.
Other government departments have put up a notice that says,
“Due to the lapse in federal funding this website will not be actively
managed.” Why actually remove access to some of the already existing resources
that taxpayers use routinely? NIST Cybersecurity’s behavior is infuriating to
those who rely on having NIST around to help with cybersecurity progress – the
shutting down of these key resources seems arbitrary, and evokes a powerful
reaction from people who care about the state of our digital resources.
Stages of Shutdown Grief
If you’re like many of us frustrated by these capricious
changes, you may have gone through some of these “Five Stages of Shutdown Grief”
on the way to an understanding of the situation.
- Denial – No, they wouldn’t take down this content. This behavior will help the bad
guys, and it won’t save any money. It takes more effort to change the site than
to keep it as it was, anyway.
- Anger – I can’t believe that they did this! Their childish behavior is infuriating.
- Bargaining – Well, maybe we can get access to some of the resources despite the shutdown.
- Depression – There’s nothing that we can do. I might as well just leave the floodgates
open to hackers.
- Acceptance – Okay, the resources aren’t there, but the knowledge is still out there.
It is just harder to access it. Maybe we can make it easier to get the
information in one place.
NIST Cybersecurity resource availability
Not all NIST Cybersecurity sites are down. The National Vulnerability Database (NVD) is
funded. It’s up and running. The NVD is the site that allows users to report
and receive vulnerability information.
That’s good – but the bad news is that most of the other NIST
Cybersecurity content is not available. This really puts a wrench in the spokes
when it comes to circling the wagons and keeping businesses and individuals
secure in a time when cybercrime and cyberattacks are rampant.
What We Should Do for Future Government Shutdowns
Given the current state of political discord, we should
expect future government shutdowns. This unfortunate fact should drive some
future decision-making. Here are some concrete recommendations for us to
follow, as a country and as individuals, to be able to deal with these kinds of
unfortunate situations more easily:
- Congress should prohibit NIST from
taking down static cybersecurity content from their website in the event of a
- The Secretary of Commerce should
fire the person who made the decision to take down this NIST cybersecurity content.
Cybersecurity is hard enough without having resources that we depend on being
yanked out of our hands. Undoubtedly, this person was not acting in the best
interest of the United States.
- All of us in the cybersecurity
profession should click “download” the next time we access content on the NIST
website. That way if the materials are suddenly taken down, we still have a
copy. I am kicking myself for not doing it for certain documents that I access
- A large company with good intentions
should scan and mirror the NIST Cybersecurity content onto one of their servers
and put it up in the event of a future government shutdown. They’ll be heroes!
NIST Cybersecurity content during the shutdown
We at Fractional CISO decided to take matters into our own
hands. Using a bunch of NIST files from our archives, we started a GitHub
repository with NIST Cybersecurity PDFs. Here it is: https://github.com/fractional-ciso/NIST-Cybersecurity-Documents
We are betting that other folks in the cybersecurity
community have NIST Cybersecurity documentation as well. We are looking to populate the repository
with the most important NIST Cybersecurity files. Some have already
contributed. Thank you! If you have some of this content, then please do one of
- Contribute to the GitHub project. Here’s
how to do it.
- Ask to be a collaborator.
- Contact us and get us the files.
We appreciate everyone’s help in this effort.
If you would like help with your cybersecurity strategy or
program, give Fractional CISO a call for a
complimentary consultation. We can be reached at (617) 658-3276 or by email.
This article originally appeared on the Fractional CISO