The 35-day partial government shutdown that ended on Jan. 25 cost the U.S. economy $11 billion, according to an estimate from the Congressional Budget Office. Now, Congress, federal agencies and the wider government IT community are trying to determine how federal cybersecurity efforts were impacted.
Critical cybersecurity initiatives were put on pause during the shutdown, especially at the Department of Homeland Security, according to lawmakers and government officials. DHS’ Cybersecurity and Infrastructure Security Agency, which only became operational in mid-November, lost ground as it was unable to spin up its operations. The shutdown could also make it more difficult for agencies to hire cybersecurity workers needed to fill crucial roles, something that was already a challenge.
House Homeland Security Committee Chairman Bennie Thompson said in January that DHS and Congress “will be dealing with the consequences of [the shutdown] for months — or even years — to come,” according to FCW.
Federal Cybersecurity Efforts Were Put on Hold
At the Jan. 29 State of the Net conference in Washington, D.C., Moira Bergin, director for the House Homeland Security subcommittee on Cybersecurity and Infrastructure Protection, noted that a number of cybersecurity activities at DHS — from pipeline security to botnets to election security and activities at the new National Risk Management Center — were suspended during the shutdown, according to FCW.
The shutdown also came a little more than a month after Congress passed a long-awaited law authorizing the creation of CISA, the main cybersecurity agency within DHS, and it “couldn't have happened at a less opportune time.”
“I think there’s concern among our members about cascading effects of the lost time and strategic planning,” Bergin said. “We learned yesterday that there’s a cost to the shutdown, but really the loss is the month we can't get back.”
FCW separately reported that CISA did not have a contingency plan for a shutdown that lasted more than a week or two. About half of CISA’s employees were furloughed during the shutdown. Further, the organizational changes that CISA Director Christopher Krebs likely wanted to put in place to stand up the agency were delayed. “All of those forward-looking activities were put on hold,” Bergin said.
Megan Stifel, cybersecurity policy director of the public interest group Public Knowledge, agreed with Bergin’s assessment and emphasized the “cumulative effect” of the shutdown. As MeriTalk reports, she explained “that even before the shutdown, cybersecurity professionals were having to play catch up in terms of starting, continuing, and finishing cybersecurity investigations.”
Now, those cybersecurity pros are playing catch up even more, and Stifel said the lost investigative time has a “deleterious” effect on national security. The shutdown also hampered U.S. officials from working with allied counterparts on cybersecurity investigations.
Some Aspects of Government Cybersecurity Improved, Report Says
However, it was not a total loss for federal cybersecurity during the shutdown. According to a report from Security Scorecard, an organization that tests cybersecurity, some aspects of cybersecurity actually improved during the shutdown, including endpoint security and patching. Essentially, because there were so many fewer government workers using their computers during the shutdown, the level of risk decreased.
“The most secure computer is one that is turned off, and there were a lot of turned-off computers during the shutdown,” Alex Heid, chief research officer at Security Scorecard, told Fifth Domain. “We saw a drop in internet traffic coming from .gov during the shutdown,” which made the federal government “less of an exploitable attack vector.”
For those who were at work using computers, patching actually increased 1.38 percent during the shutdown, according to the firm. Many cybersecurity pros were still working, even without pay, and less traffic on networks made patching easier. “A lot of the more critical functions of the federal government continued to operate and it seems that patching exploitable conditions was one of them,” Heid told Fifth Domain.
The report also found that there was a 9.16 percent increase in endpoint security during the shutdown, which is correlated to the total amount of internet traffic. “Since the U.S. federal government was shut down, so were many of the workstations and endpoints,” the report said. “There was a noticeable drop in internet browsing traffic coming from the U.S. federal government.”
However, network security decreased by 1.58 percent during the shutdown, which was mainly due to the expiration of TLS certificates for government websites, which ensure encryption between a computer and a website.
How Will Cyber Hiring Be Impacted?
According to CyberSeek.org, a National Initiative for Cybersecurity Education online tool that collects employment data, the current D.C. metro workforce is composed of 6,226 cybersecurity public sector workers and 3,709 positions remain unfilled. Lawmakers are concerned the shutdown will make it more difficult for agencies to retain and hire qualified cybersecurity pros.
“Needless shutdowns like this one have the effect of discouraging talented individuals from joining the federal workforce, and pushes some of our best towards alluring careers in the private sector,” Sen. Mark Warner, the ranking member of the Senate Intelligence Committee, wrote in a Jan. 29 letter to DHS Secretary Kirstjen Nielsen. “What is being done to address the likely effects of the shutdown on employee morale, and what additional efforts will [DHS] take, if any, to retain and recruit cyber talent?”
Sen. Ron Johnson, chairman of the Senate Homeland Security Committee, is also worried about the shutdown’s effect on cybersecurity hiring. “This is not helping the federal government’s ability to attract and retain people in some very important positions that require a fair amount of sacrifice,” Johnson told the Washington Post.
Johnson said he wants the Senate to consider “a wide range of incentives for government cyber workers including raised pay and more flexibility to move from agency to agency to share their expertise and gain new skills,” the Post reports.