Is the Shutdown Weakening Cybersecurity?

As we conclude the fourth week of the government shutdown, there is much we don’t know about how operating at less than full strength over such a long period of time affects the security and safety of Americans and our critical infrastructure when it comes to cyber threats. When inquiries are made to the Public Affairs Office at the Department of Homeland Security (DHS), for example, they can’t provide details about who and what is affected by the shutdown because the Public Affairs Office is itself affected by the shutdown. And senior managers at DHS have indicated that some “critical” functions are impacted but provided no details. So, the public doesn’t really have any way of knowing how much of the work that is normally conducted each day to counter cyber threats is still going on. In the absence of definitive information from the government, we attempted to examine some critical questions that Americans should know about when it comes to the impact of the shutdown on cybersecurity.

Q1: How many cyber workers haven’t been on the job for the last four weeks?

A1: We don’t know. DHS did put out its plans in December just before the shutdown began, indicating how they would apply the legal requirement to furlough workers who are not either exempt (because they are funded through means other than annual appropriations or exhausted funds) or excepted (because imminent danger to life or property would result from their termination or diminution). That document indicated that within DHS’s Cybersecurity and Infrastructure Security Agency (CISA) roughly 43 percent of the workforce was to be furloughed. But not all those workers are involved in cybersecurity.

CISA is also responsible for physical security and resilience of critical infrastructure, so it’s hard to know what percentage of furloughed workers were involved in the cybersecurity mission specifically. Based on my experience as the under secretary for CISA’s predecessor entity during previous shutdowns, it’s likely that a greater percentage of non-cyber experts were furloughed because their work, while vitally important, is less clearly tied to imminent threats. Thus, it’s reasonable to conclude that fewer than 43 percent of cybersecurity-related federal workers are furloughed because many of them work on protecting government networks from ongoing, and thus “imminent,” malicious cyber activity.

On the other hand, the cyber mission is particularly dependent upon contractors. DHS’s plan tells us nothing about how many of those contractors are not working. So, it’s possible that significantly more than 43 percent of the overall cyber workforce is furloughed once you account for the contract workers. We don’t know.

Moreover, the number of exempt/excepted workers does not tell us what percentage of the normal work is being done. Even workers who are excepted can only do work that is necessary to prevent imminent danger to life or property. Many workers normally do a mix of excepted and non-excepted work, so the number of furloughed workers likely overstates the amount of work being done.

Q2: What specific cybersecurity activities are suspended during the shutdown?

A2: We don’t know. Based on the statutory requirement that the activity must be necessary to prevent imminent danger to life or property, and experience from past shutdowns, it’s likely that the tools deployed to actively protect federal IT networks from malicious cyber activity are still being monitored. There is some capacity for responding to a cyber incident, although probably not at full strength. That said, here are a few things that likely aren’t getting done:

  • work with state and local election officials to secure upcoming elections
  • work with critical infrastructure owners and operators to find and fix vulnerabilities in their systems
  • work to identify and help secure much of the most critical functions in the private sector and government
  • work with international partners on ways to make sure we can respond effectively to the next global attack like NotPetya or WannaCry
  • procurement of new tools and development of new innovations to keep up with our adversaries’ innovation and adaptation
  • essential work to develop or finalize policies and procedures to ensure coordinated cyber efforts across agencies, including cyber incident response
  • work required to make the newly established CISA fully operational
  • activities mandated in newly enacted legislation called the SECURE Technology Act, including work to secure the IT supply chain
  • recruitment to meet the urgent need for more cyber experts

Routine but important maintenance is apparently also affected. According to cybersecurity firm Tripwire, more than 80 security certificates were allowed to expire for websites across agencies like NASA, the Department of Justice, and federal appeals courts, making them more susceptible to malicious cyber activity. This raises questions about other basic cyber measures like routine patching of vulnerabilities, updating applications, and audits of logs to detect suspicious activity.

With a cyber workforce that is understaffed in the best of times, we are losing ground against our adversaries every day that we operate at less than full strength.

Q3: Will things go back to normal as soon as the shutdown ends?

A3: No. While there is much we don’t fully know at this time, we know for certain that things will not go back to normal anytime soon.

One of the most devastating and long-lasting impacts of this unprecedentedly long shutdown is the impact on our cyber workforce. Whether you are being asked to work with no pay or told to stay home with the message that your work is not “essential,” knowing that the backlog of work awaiting your return to the office builds each day, the impact on morale is huge. As under secretary, I worried every day about burnout among our workers, especially our cyber experts. The demand for their services far exceeds their number. They work around the clock for significantly less than they could make in the private sector. They do this because they are dedicated to the mission of protecting the United States. I have no doubt this prolonged shutdown is testing even the most committed.

Nor will all contracts that have been suspended immediately resume. Just as it took time and effort to wind those contracts down in preparation for the shutdown, it will again consume time and effort of both feds and contractors to get those activities up and running again. Particularly for smaller contractors who may not have been able to pay their employees during the shutdown because the government was not paying the company, they may have lost those workers and need to make new hires when the government reopens. That process can take weeks or even months. And that assumes the smaller contractors were able to survive without income for the duration of the shutdown.

The impact on retention and recruitment is inestimable but undoubtedly significant. At a time when we need to be filling jobs as quickly as possible, this is a disaster.

Suzanne Spaulding is a senior adviser for homeland security with the International Security Program at the Center for Strategic and International Studies in Washington, D.C.

Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2019 by the Center for Strategic and International Studies. All rights reserved.

Image
Suzanne Spaulding
Director, Defending Democratic Institutions, and Senior Adviser, Homeland Security, Defense and Security Department