The partial government shutdown has entered its fourth week with no end in sight. While the impact on the nation’s cybersecurity is calculable to a degree based on the number of workers furloughed, the longer the work outage persists the greater the risk hackers could hit critical infrastructure facilities.
“It’s natural for adversaries and nation states to see this as an opportunity for cyber mischief,” wrote Suzanne Spaulding, senior advisor for Homeland Security at the Center for Strategic and International Studies, in an op-ed posted on The Hill. Spaulding, who served as under secretary for cybersecurity and infrastructure protection at the Department of Homeland Security (DHS) during the 2013 government shutdown, said that in the ensuing five years the country’s cybersecurity profile has expanded, bringing with it more risk for disruption.
“When we talk about the percentage of the workforce that is exempt — for example, let’s say 55 percent of government ‘Organization A’ is exempt — that doesn’t mean that 55 percent of the work is getting done. Those exempt cyber workers are only cleared to do the essential duties that protect against imminent threats,” Spaulding wrote.
Here are some of Spaulding’s other main points:
- Federal networks are likely still being monitored for malicious activity. We can assume there are some workers on-hand to do incident response, if necessary.
- But during a government shutdown, if there is no imminent threat related to critical infrastructure such as stadiums, shopping malls and the electric grid, all of which go unattended.
- A 40 percent furlough of staffing at the new Cybersecurity and Infrastructure Security Agency (CISA) at DHS is bad timing to say the least. Getting the agency fully operational requires a lot of work, “it’s like repairing an airplane while you’re flying it.”
- DHS won’t be able to meet some deadlines in the new Secure Technology Act to strengthen cybersecurity, including a supply chain provision. Important protections and policies will be delayed.
- Nearly one thousand attendees were expected to attend DHS’s 2019 Cybersecurity and Innovation Showcase, which was cancelled due to the ongoing lapse of appropriations for DHS.
Putting aside the timing, deadlines and disrupted cyber coverage for the moment, there is the issue of morale, Spaulding said. “After the 2013 shutdown, we lost some valuable talent to the private sector, and prospective candidates became more hesitant to accept federal jobs,” she wrote. “It’s hard to go in every day and not get paid while they struggle to do their jobs without the help of the furloughed co-workers and contractors with whom they normally work on a daily basis.”
Ultimately, staying ahead (or at the very least abreast) of the country’s cyber enemies is a challenge no matter what the circumstances. But playing with one hand tied behind your back, as is CISA, makes for a losing battle, Spaulding said. “Meanwhile, our adversaries are not missing a beat and the daily attacks on our systems continue,” she wrote. “With each passing day, the impact on our nation’s security grows. While I have no doubt that DHS leadership has a good plan in place to keep essential systems and functions running, there is only so much that can be done.”