Government shutdown deepens US cyber risk, exposing networks to threat actors

At midnight on Sept. 30, the US government shut down for the first time since 2018, when Donald Trump shuttered all but essential government functions for 35 days unless Congress agreed to fund his border wall.

This government shutdown holds even more serious ramifications for the cybersecurity health of the US federal government than the previous shutdown, coming as it does after significant cybersecurity spending cuts implemented by the administration.

As of July, Trump trimmed an estimated $1.23 billion in cyber spending across civilian agencies and fired around 1,000 employees at the Cybersecurity and Infrastructure Security Agency (CISA), weakening the ability of the federal government to identify and fend off cyber threats.

“We’re kind of hobbling ourselves in doing all of the functions that you would want to be going on,” Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA), tells CSO. “And with a threat like cyber threats that evolve so quickly, that move so quickly, falling behind on that is just really not a terribly smart way to go.”

Even without diminished cybersecurity spending, a government shutdown never bodes well for national security. “We are shooting ourselves in the foot,” Jeffrey Wells, partner at risk services company Sigma7, tells CSO. “We are creating a self-inflicted situation where our resources will be extremely limited at the federal level,” he says.

How the furloughs are shaking out

In US government shutdowns, employees who are considered non-essential are typically furloughed, ordered to stay home and to refrain from work. Normally, these employees are paid for the time they did not work during the shutdown once a Congressional deal that ends it has been reached.

Employees who are considered essential, who are exempt or excepted from the work restrictions, are typically required to work. Like non-essential employees, they will also get paid for the time they worked during the shutdown once a deal has been reached to reopen the government.

This go-around, however, there is a wild card: The White House wants to fire government employees en masse during the shutdown, not merely furlough them, so that it can trim the ranks of government workers with less resistance. If the administration were to carry through on this threat, the impact of this government shutdown would have no parallels in US history.

Setting aside these firings, government agencies have issued contingency plans for how they will deal with the reduced workforce. CISA, for example, said it plans to retain only 889 exempt employees out of 2,540 on-board employees.

The contingency plan for the Department of Defense, or the Department of War as it has been rebranded by the Trump administration, designates intelligence work that directly supports active military operations, threat monitoring, or other national security emergencies as excepted; that work will continue uninterrupted if funding lapses.

“Command, control, communications, computer, intelligence, surveillance, and reconnaissance activities” remain excepted functions, the DoD says, including the use of spying capabilities tied to telecommunications infrastructure, which the National Security Agency often uses to intercept phone calls and other communications. Most intel agencies, such as the NSA, do not submit publicly available contingency plans.

The impact on cyber workers is hard to predict

Given that cybersecurity professionals are scattered throughout the government, the effect on their overall employment during a shutdown is hard to track or predict. CTA’s Daniel thinks that most cybersecurity workers will be exempt from furloughs.

“They will be considered exempt personnel, and the SOCs [security operations centers] will continue to be staffed,” he says. “In that sense, the shutdown won’t likely affect the government’s ability to protect its own networks or even respond to an emergency out in the private sector.”

However, government contractors, who often do the bulk of work at federal agencies, including at CISA and in cybersecurity roles at other agencies, will be heavily affected.

“Contractors almost fall under the same bucket as government workers in the sense that if the funding runs out for those contracts, you’re going to have the same effects across the contractor space as you do with the government agencies that they’re supporting,” Max Shier, CISO at Amentum, tells CSO. “There will be critical support there, too.”

Threat actors are watching carefully

Even though it’s difficult to quantify the impact of the shutdown on cybersecurity workers and contractors throughout the government, experts assume that nation-state adversaries are likely drawing up contingency plans of their own to take advantage of any security weaknesses or deficiencies they identify.

“Certainly, our nation-state adversaries will recognize an opportunity, just because even the SOC staff and other things will be stretched a little bit thinner,” Daniel says. “They will be paying attention to other things, too.”

Nation-state adversaries will not be the only threat actors looking for gaps in federal security. Cybercriminals are undoubtedly also waiting for an opportunity to pounce on security weaknesses.

“Even some of the criminal actors will probably see if they can take advantage of us,” Daniel says. “They pay attention to things that are going on in the world, and they change and adapt accordingly.”

The longer the shutdown lasts, the more vulnerable the US will be. “There’s a cumulative effect,” Daniel says. “The longer the shutdown goes on, the longer it takes for people to get back up and running. The impact will go on even after funding is approved and things start to ramp back up. The longer the shutdown goes on, the longer it will take to recover. It will continue to have ripple effects way down the road, even after the shutdown is over.”

See also: CISA 2015 cyber threat info-sharing law lapses amid government shutdown
