What the government shutdown means for our nation’s cybersecurity

The partial government shutdown is entering its nineteenth day. The shutdown has impacted government employees, contractors and organizations, as well as everyday citizens. The full breadth of its ramifications is not well understood — particularly its impact on the cybersecurity of our nation’s critical infrastructure.

I served as the under secretary for cybersecurity and infrastructure protection at the Department of Homeland Security (DHS) during the 2013 shutdown. While DHS learned a lot from the 2013 shutdown that it’s likely putting into practice today, it’s important to remember that the scope of our nation’s cybersecurity policies and procedures has grown significantly over the past six years, which means that the impact in this area is greater.

The partial shutdown is affecting how various government organizations are able to operate. The longer the shutdown continues, the more our concern should grow for our country’s cybersecurity protections — it’s natural for adversaries and nation states to see this as an opportunity for cyber mischief.

I’m confident DHS has done its best to identify which workers are essential to protect human life and property from imminent threat, but one thing needs to be made clear. When we talk about the percentage of the workforce that is exempt — for example, let’s say 55 percent of government “Organization A” is exempt — that doesn’t mean that 55 percent of the work is getting done. Those exempt cyber workers are only cleared to do the essential duties that protect against imminent threats.

Our federal networks are likely still being monitored for malicious activity, primarily by the technical tools that are already deployed. We can assume there are some workers on-hand to do incident response, if necessary. And the operational floor that takes calls from the private sector when incidents occur is likely still staffed, although at a reduced level. But that leaves a lot that is not getting done. For example, with a fully operational government, the U.S. government cyber workforce is responsible for helping assess vulnerabilities in critical infrastructure like stadiums, shopping malls, and the electric grid. But during a government shutdown, if there is no imminent threat related to that infrastructure, it does not fall under the purview of exempt duties.

On top of this, with a slew of deadlines stemming from recently passed cybersecurity legislation, the timing of the shutdown could not be worse. Congress just recently established the new Cybersecurity and Infrastructure Security Agency (CISA) at DHS. Getting this agency fully operational requires a lot of work — it’s like repairing an airplane while you’re flying it. It would have been a challenge to avoid disrupting the critical operational activity even if the government were operating at full capacity. According to shutdown guidance released by DHS, nearly 40 percent of CISA’s staff is furloughed. This shutdown is a disruption CISA can ill afford.

Additionally, on December 21, President Trump signed the SECURE Technology Act, which included several important cybersecurity provisions, including a supply chain measure from Senators Claire McCaskill and James Lankford and two provisions expanding the DHS vulnerability remediation program. There are several deadlines for DHS to accomplish key tasks outlined in this new law to strengthen cybersecurity. These deadlines will simply be missed, and important protections and policies will be delayed.

With the government at a standstill, there are also more subtle ramifications to innovation. One of the government’s largest cyber research and development conferences was scheduled to kick off this week. Nearly one thousand attendees were expected to attend DHS’s 2019 Cybersecurity and Innovation Showcase, which was cancelled due to the ongoing lapse of appropriations for DHS.

There are also long-term considerations for morale and potential consequences for recruitment and retention. After the 2013 shutdown, we lost some valuable talent to the private sector, and prospective candidates became more hesitant to accept federal jobs. For those workers who are furloughed, it’s not difficult to take the message that they are “not exempt” to mean that their work isn’t important. Cybersecurity and critical infrastructure workers, in particular, take these jobs because they believe in the mission and are passionate about the work. It’s inevitable that the morale of furloughed employees will be affected. And for the workers who are exempt, it’s hard to go in every day and not get paid while they struggle to do their jobs without the help of the furloughed coworkers and contractors with whom they normally work on a daily basis.

The longer the shutdown continues, the more the lines will blur between what is and is not considered essential work. Staffing decisions should be constantly reassessed. Any activity or program deemed nonessential in the context of a two- or three-day shutdown may not be viewed the same way in a prolonged shutdown. Many contractors cannot continue their work without federal supervision. Monitoring of government systems and responding to significant incidents will likely continue, but other important activities, for which demand already exceeds capacity, such as working with departments and agencies to identify and secure their high-value assets, with states to improve election security, and with businesses, including critical infrastructure, to strengthen their resilience to cyberattacks, are almost certainly not exempt and are therefore not happening.

Cybersecurity is hard enough with a full team. It’s a daily battle just to keep up with our adversaries, never mind staying ahead of them. Operating at less than half strength means that we are losing ground; meanwhile, our adversaries are not missing a beat and the daily attacks on our systems continue.

With each passing day, the impact on our nation’s security grows. While I have no doubt that DHS leadership has a good plan in place to keep essential systems and functions running, there is only so much that can be done.

Suzanne Spaulding is an adviser to Nozomi Networks and King & Union. She served as Under Secretary for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS), where she managed a $3 billion budget and a workforce of 18,000 charged with strengthening cyber security and protecting the nation’s critical infrastructure. Spaulding currently is Senior Advisor for Homeland Security at the Center for Strategic and International Studies; a Commissioner on the Cyberspace Solarium; on the Advisory Board of Harvard University’s Defending Digital Democracy project; a Member of the Aspen Institute’s Homeland Security Group; former Chair of the American Bar Association’s Standing Committee on Law and National Security; and founder of the Cybersecurity Legal Task Force. Throughout her career, she has advised CEOs, boards, and policymakers on complex security risks across all industry sectors.