By David DiMolfetta,
Cybersecurity Reporter, Nextgov/FCW
A government shutdown would also occur in parallel with the lapse of a critical cyber information-sharing law that could create legal liabilities for companies who send threat data to feds.
With a day to go before the government’s fiscal calendar resets, cybersecurity experts are cautioning that a shutdown could have significant consequences for the digital posture of the federal government.
At stake is a diminished workforce with less capability to analyze and track cyber threats, as well as a bedrock cybersecurity data-sharing law that would expire in tandem with that lapse in appropriations, they told Nextgov/FCW.
A shutdown would exacerbate risks to critical infrastructure because staff and resources would be less available for infrastructure owners and operators to access, said Ilona Cohen, chief legal and policy officer at HackerOne and former general counsel at the Office of Management and Budget.
“The absence of security personnel working to protect the nation from these threats can create a security gap and an opportunity for malicious actors to exploit weaknesses,” she said, adding that the government’s cyber workforce would suffer under the resulting furloughs.
The Cybersecurity and Infrastructure Security Agency, the nation’s main cyber defense office tasked with defending government networks, estimates that 889 of its 2,540 employees will be retained in the event of a shutdown, according to a planning document posted Saturday.
Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, told reporters last week that the agency will still have employees on the payroll currently working to tackle an emerging cyber threat group exploiting vulnerabilities in Cisco devices. Those hackers have potential links to China.
There are risky domino effects of having a diminished federal cyber workforce, said one former U.S. official who requested anonymity because they weren’t authorized to publicly speak about the impact of a shutdown. Specifically, younger cyber staffers can’t learn from their more experienced peers because they will not be able to come into work.
“They’re losing time to upskill, to get trained and to get on-the-job training because they’re not there. It hurts not only the current workforce but the future workforce as well,” the former official said.
Gary Barlet, the public sector chief technology officer at Illumio, echoed those concerns.
“This year, the challenge is sharper because agencies are already stretched thin,” he told Nextgov/FCW in a written statement. “Many of the employees who guided past shutdowns aren’t there anymore, leaving fewer people who know how to manage through the disruption — exposing critical gaps and reducing the ability to respond quickly.”
The 2015 Cybersecurity Information Sharing Act, which lets private sector providers transmit cyber threat intelligence with government partners while receiving key legal protections, is also set to lapse by end-of-day Tuesday unless renewed by Congress.
House appropriators earlier this month unveiled a temporary funding plan that would keep the law alive through Nov. 21 and fund the government until the same date. That would have given Congress simultaneous time to work out funding snags and reconcile any debate about changes needed for the cyber law that was first enacted 10 years ago. But that continuing resolution failed to pass in the Senate.
The agreement etched between the public and private sectors for information-sharing is “really important,” Tim Brennan, the VP for technology policy and government relations at the Professional Services Council, told reporters Monday.
“You’re going to get less information-sharing, which means delayed response times,” he said, adding that it would impact mission functions inside agencies like the Department of Homeland Security, which houses CISA.
The liability coverage provided by the data-sharing law is critically important to the private sector because it makes companies more comfortable with transmitting cyber threat data, Morgan Adamski, the former executive director of U.S. Cyber Command, told Nextgov/FCW in an interview.
“When you have a tool like CISA 2015 that’s valuable in contributing to information-sharing between the public sector and the private sector, why wouldn’t you want to have it in place to really encourage that collaboration?” added Adamski, now U.S. leader in PwC’s Cyber, Data & Technology Risk business.
“Something has to be put in place to enable that collaboration, or you’re potentially going to see an impact on information sharing, which collectively hurts us from better understanding what’s happening in the cyberspace domain,” she said.
On Monday, congressional Democrats said they were unable to reach an agreement with Republican counterparts and the White House, upping the odds of a shutdown occurring.
Last week, OMB told agencies to consider issuing reduction notices to employees whose work is funded by regular appropriations and doesn’t align with President Donald Trump’s priorities if annual spending lapses Tuesday evening. The Office of Personnel Management issued new guidance Sunday, telling agencies that it can tweak those plans once the government reopens.
Nextgov/FCW Staff Reporter Natalie Alms contributed to this report.