The shutdown's cybersecurity costs
The government is on hiatus. Enemies of the U.S. are not.
Why it matters: During the government shutdown, essential personnel are exempt from the furlough — so in theory, anyone preventing cybersecurity calamities is still showing up for work. But experts believe the loss of support staff makes the cybersecurity effects of a shutdown bad in the short term and worse in the long term.
The fallout: Consider the difficulty of maintaining security in government networks before a government shutdown. Now try doing that with fewer people.
- "Defending federal networks is already an act of triage, due to personnel shortages, legacy IT overhang, uneven risk management practices and a hostile threat environment. Furloughs make a hard job even harder," said Andrew Grotto, a former White House cybersecurity adviser for Presidents Obama and Trump and a current employee of Stanford's Hoover Institution.
- While critical personnel are still on duty during a shutdown, he added, "What that means as a practical matter is that these people have to do even more than usual."
Those problems will stick around after the shutdown. It's likely, say multiple former federal employees Codebook spoke to, that federal networks will fall behind on basic hygiene tasks.
- "Government shutdowns tend to affect support activities disproportionately, such as hiring or vetting contracts. Thus, over time, personnel slots will go unfilled and contracts will expire, making it difficult to sustain the workforce or upgrade equipment," noted Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the industry group Cyber Threat Alliance.
In the long term, this could do irreparable damage to the federal government's ability to hire cybersecurity talent.
- The unemployment rate for trained cybersecurity personnel is famously at 0%, the private sector pays better and the only advantage the government has in hiring is the importance of the work and the gratitude of a nation.
- Willingness to shutter the government doesn't speak too highly of the perceived value of the job or its employees.
- "Government people go to work because of the mission, and we’re kicking them in the teeth," said Phil Reitinger, president and CEO of the Global Cybersecurity Alliance.
Departments devoted to cybersecurity policies will grind to a halt.
- The National Institute of Standards and Technology, which is developing a widely awaited privacy framework, is seeing its staff reduced to 49 out of its normal cohort of roughly 3,000 employees.
- The Department of Homeland Security's newly christened Cybersecurity and Infrastructure Security Agency will be without a substantial amount of support staff. By DHS' tally, 43% of the workforce — over 1,500 employees — are furloughed.
Security-related investigations and prosecutions at the FBI and Department of Justice will continue with all employees carried over.
The bottom line: Furloughing cybersecurity staff creates both short-term and long-term vulnerabilities.
- "Cyber threats don’t operate on Washington’s political timetable, and they don’t stop because of a shutdown," said Lisa Monaco, former assistant to the president for homeland security and counterterrorism.
Editor's note: This story has been updated with Phil Reitinger's statement.