The government shutdown is catastrophic for US cybersecurity
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

The government shutdown is catastrophic for US cybersecurity

While the short-term impact is jarring, the long-term effects could prove even more harmful

The current US government shut down is doing serious damage to the US cybersecurity apparatus, but the longer-term impact could be even worse.

If you’ve paid any attention to the news in the US lately it’s hard to ignore the massive government shutdown currently taking place. Case in point, last night all of the American networks paused whatever they were carrying to air a presidential address about said shutdown. Then an opposition response about the shutdown.

It’s kind of a big deal.

The government shutdown is catastrophic for US cybersecurity

My job isn’t to wax philosophic about politics, so I’ll just stick to the facts. The dispute is over immigration, specifically securing the United States’ southern border with Mexico. The president, in keeping with a campaign promise, wants $5 billion to pay for a physical barrier, a wall, and has refused to sign any legislation to continue funding the government until he gets it. In the meantime, the US government is effectively shut down – including the State department, Justice Department, Treasury, Transportation Department, Department of the Interior, of Agriculture and of Homeland Security – and about 800,000 federal employees are currently furloughed or working without pay to carry out “essential” operations like air traffic control.

So today we’re going to talk about what the shut down is doing to the United States’ cyber defenses, and what impact this could have in the future.

Let’s hash it out.

Who is still at work?

As we discussed in November, the US recently created a new agency, the Cybersecurity and Infrastructure Security Agency (CISA), under the umbrella of the Department of Homeland Security.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said NPPD Under Secretary Christopher Krebs. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

Now, not even two months later, CISA has effectively been knee-capped by the shutdown. As has the National Institute for Standards in Technology (NIST).

The government shutdown is catastrophic for US cybersecurity

The Cybersecurity and Infrastructure Security Agency

Let’s start with CISA, the agency that has been created specifically to help with US cybersecurity.

What the federal government considers “essential” is a bit opaque, and purposefully so. But that does mean some of the federal security apparatus is exempt.

Per the Office of Management and Budget in a January 2018 memo offering guidance on a previous government shutdown:

“At a minimum, agencies must avoid any threat to the security, confidentiality and integrity of the agency information and information systems maintained by or on behalf of the government… Agencies should maintain appropriate cybersecurity functions across all agency information technology systems, including patch management and security operations center (SOC) and incident response capabilities.”

But, as reassuring as that may sound, it forgets two very important facts:

  1. Roughly half of the federal workforce (estimates range from 345,000 to 400,000) is furloughed, so these departments are not functioning at anything even close to full strength.
  2. The employees that are working, currently are not being paid for that work. They’re working for free. And this happened right in the middle of the holidays. So morale is probably great.

Now, the Senate did pass a bill that should give these employees backpay, but that doesn’t change the fact that these people haven’t been paid in at least 18 days and this shutdown could continue for weeks.

And beyond that, even at full strength the US cyber defense apparatus is being pushed to the brink by foreign, state-sponsored hackers and cyber cells. So weakening it puts the whole country at greater risk.

“Cyber threats don’t operate on Washington’s political timetable, and they don’t stop because of a shutdown,” Lisa Monaco, former assistant to the president for homeland security and counterterrorism, told Axios.

Or, as a report from Duo Security said:

“Trying to keep networks and data safe and thwarting attacks when not at full-strength is risky, especially when no one can predict how long this state of affairs will last.”

Right now, 45% of the Cybersecurity and Infrastructure Security Agency is furloughed. 45% is also the percentage of employees on the DHS’ analysis and operations teams – comprised of the Office of Intelligence & Analysis, and the Office of Operations Coordination – that are furloughed, too.

The National Protection and Programs Directorate – which handles a range of functions like the US-CERT (US – Computer Emergency Readiness Team) Continuous Diagnostics (CDM) and Automated Indicator Sharing (AIS) programs – has a whopping 85% of its workforce furloughed.

And depending on how long this shutdown continues, we could see a lot of these agencies that are currently operating on short-term reserves run out of money and be forced to shutter even more of their operations.

The government shutdown is catastrophic for US cybersecurity

The National Institute of Standards in Technology

NIST is the agency responsible for setting standards. For instance, it’s issued extensive guidance on encryption standards that has helped inform the industry standards set forth by the CA/B Forum. It’s an exceedingly useful agency and it has been thoroughly depleted by this shutdown.

85% of NIST is furloughed.

That means a number of new standards that have been under review – standards that businesses rely on to set a baseline for their own security programs – are now on indefinite hold.

That includes:

Currently, clicking any of those links effectively leads you to a dead end courtesy of this shutdown.

There are a few NIST services that will stay open, but to say they are lightly staffed would be a profound understatement.

  • A computer scientist and an IT specialist will manage the National Vulnerability Database
  • 16 employees will manage NIST’s time servers
  • And an IT specialist will be present at the National Cybersecurity Center of Excellence

That’s one of those tidbits of information that is supposed to make you feel better but actually just makes everything seem worse. That’s less than 20 people handling critical functions for a country of nearly 300,000,000.

The real damage this shutdown may cause is long-term

Eventually, possibly as soon as today, this shutdown will end. But it’s also quite possible that it stretches on days or even weeks longer. With every passing day, more and more long-term damage to the US national cybersecurity apparatus is being done.

Here’s why: If you’re a talented cybersecurity professional, why would you ever work for the US government?

That may sound silly or unpatriotic, but ask any of the nearly 400,000 federal employees that didn’t get paid over the holidays if their patriotism took care of their power bill or put food on their family’s table?

No, patriotism is going to give way to pragmatism, and let’s look at the facts:

The government shutdown is catastrophic for US cybersecurity
  • You could go to the private sector where you’ll be better compensated with more opportunities for advancement.
  • You could work for the government where your ability to work and be paid are subject to the partisan whims of elected officials.

And here’s the real match in the powder barrel, all of those government officials whose whims have cost you pay and potentially even caused you to have to work for free – they’re all getting paid.

Congress and the Executive Branch have already been funded via a previous spending bill.

And while historically the federal employees that are currently affected – both furloughed and working without pay – have been given backpay to compensate, the timing of that backpay is contingent upon the shutdown ending and Congress passing a bill (oh, and the wheels of bureaucracy churning) before you actually see that money.

Already, they’ve missed an entire pay period (December 23-January 5).

None of that is going to attract the best and brightest. And why should it? The average American couldn’t scrape together $400 in an emergency, try taking away an entire paycheck. That’s the type of uncertainty you’d do well to avoid.

And this is not without precedent, the NSA got hammered following the 2013 shutdown. For one, it caused management to divide employees into “essential” and “non-essential” categories – not exactly a shot in the arm for morale – and the 16 days out of work threw many lives into disarray.

“I was paying money out of my pocket… The guys were sitting at home, they couldn’t go work with the shutdown because they had to work from government spaces, so they really could not go,” one former NSA employee who left following the 2013 shutdown told Buzzfeed. “I can say anecdotally, because I do know several guys who worked there who went off on their own around 2013, 2014. There was a bigger exodus than normal, and you’ve gotta [sic] figure at least some of that was due to the shutdown and guys going ‘screw this.’”

The current shutdown has already gone on two days longer and if a morning conference between the president and the two leaders of the congressional democrats doesn’t solve things—it could go on much longer.

UPDATE: It didn’t solve things.

In the meantime – and possibly for the foreseeable future – our national cyber defenses will suffer.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.
  • If what you say is true and I am assuming it is, then your article should be about the fact that cyber security should be at work like Homeland Security is and the laws need changing. Instead you sound like you are discretely jumping on the anti-wall bandwagon. If that is true you discredit yourself and you join the mad mob but have little effect. Let’s be objective. Both parties have used this ploy so to condemn a president no matter what side he is on is just hypocrisy. The problem today is that many Americans are unable to evaluate the situation correctly and they don’t mind being hypocritical.

    • Your bias is notable. Instead of saying, “The president, in keeping with a campaign promise, wants $5 billion to pay for a physical barrier, a wall, and has refused to sign any legislation to continue funding the government until he gets it”, you could have easily said, “The president, in keeping with a campaign promise, wants $5 billion to pay for a physical barrier. As long as Pelosi and Schumer refuse to send any legislation for Trump to sign that includes such funding the government shutdown will continue.” Pretty obvious which side of the fence you are on.

  • Catastrophic?? How alarmist and silly.

    Thats just not true. Thousands of public and private cybersecurity pros are still doing the job. Every day. Around the clock. A delayed NIST paper and an infant cybersecurity org who doesn’t even know where the coffee machine is does qualify as a “catastrophe”.

    Almost no Americans outside of overpaid DC drones are affected – and everyone will get back pay. But if we don’t secure our perimeter/border it doesn’t matter how well the interior is protected.


  • Wow! Jay, a physical wall is as important or MORE important than US cybersecurity? You have to be kidding? The proposed border wall is a trumped up policy built on fake news and fabricated statistics. Our nation’s cyber infrastructure faces enormous perils with everything from elections to commerce to energy to transportation being at catastrophic risk. If your think a steel fence is more important than our government’s cybersecurity readiness, then you should start learning Chinese and hanging pictures of Putin in your house.

  • Great article, thanks, Patrick. Didn’t realize what large percentages of employees were furloughed… hope they reach an agreement and get everything up and running soon.

  • The most profound war on the US is that of the cyber-war being conducted 24x7x365 days of the year. Nation States have large funds and huge staffs devoted to take down US cyber infrastructure. And why not. The return on that investment is tremendous – just look at all the American intellectual property already stolen and used by China to grow their economy. Cyber Security IS vitally important to this nations long-term viability in the modern world. But so is physical security on our borders. To argue it’s not is to deny the very nature of what is already there and what continues to be useful in thwarting illegal immigration into our country – WALLS. Whether they are natural walls like the oceans on two of our borders or natural barriers like those on the Northern border, a physical wall is appropriate and necessary on our Southern border to help curb the flow of illegal immigration into our country.

    The problem that we have now is that the wall has become the political battlefield – shame on all of our politicians who are charged with helping the American people, take an oath to such and are completely failing – and the losers are the American people. Not just the government workers who are unable to earn a living but all Americans who are suffering and will suffer more and more as this ludicrous stalemate becomes more and more protracted. It’s not a Democratic problem, it’s not a Republican problem, it’s an American citizen problem. Tell your representatives to stop playing with the lives of American citizens and start doing their jobs!

  • My problem with follow through on our president’s campaign promise is.. Mexico is not paying for the wall. We Americans will… And we already have begun paying with this disaster of politics.

    Trump said we’re building a wall. And Mexico would pay for it. He said this over and over and over.

    This can’t be back pedaled. Why are any Americans believing in this con artist?

Leave a Reply

Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.