One US lawmaker has warned that the impending government shutdown will put critical cyber workers out of action, leaving Americans exposed to damaging cyber-attacks.
Democratic Congresswoman Rep. Shontel Brown made the remarks during a Joint Subcommittee Hearing on Ransomware on September 27, 2023, which discussed how to combat rising ransomware attacks on US infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA), the agency which leads federal cybersecurity initiatives, will be forced to lose 80% of its employees during the potential shutdown, Brown noted.
This statistic was set out in a document released by the Department of Homeland Security (DHS) on September 22, which estimates CISA will only retain 571 out of its 3117 on-board employees during a shutdown.
The partial shutdown will commence at 12.01 ET on Sunday October 1 if the annual appropriation bills, which are required to fund the US government’s activities and associated bureaucracy, are not passed. This would lead to thousands of federal employees being instructed not to report for work until the bills are passed.
Brown added that the unavailability of thousands of workers at the Department of Justice (DoJ) would curtail its work investigating and taking down cyber-criminal networks.
She argued this inactivity will leave people at much higher risk of harmful consequences from cyber-attacks, such as patients being turned away from hospitals and small businesses closing down.
Brown commented: “The Biden-Harris Administration has made defending against these kinds of attacks a top priority. Thanks to the Bipartisan Infrastructure Bill, the Administration is currently providing $1bn in cybersecurity grants to state, local, and territory governments to build the cyber capabilities they need. But on Sunday at 12:01 am, these dollars are at risk of not making it out at all.”
Republican Congresswoman Rep. Nancy Mace, who is Chairwoman of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, pushed back on these comments, stating that the White House can provide exceptions for essential CISA employees to reduce the impact of a shutdown on federal cybersecurity operations.
“In the event that there is a government shutdown, it is up to the President of the United States and his administration to prioritize who is and isn’t essential – they can make it as painful as they want, or as painless as they want,” said Mace.
What Will be the Impact on Government Security?
Industry experts have highlighted that the federal government shutdown could weaken security for individuals and organizations across the US, and even internationally.
Colin Little, Security Engineer at Centripetal, said that decreased staffing levels in agencies like CISA will hamper the government’s ability to implement patches and updates across its digital infrastructure, leaving systems exposed to known vulnerabilities.
“Cyber-criminals often take advantage of such opportunities to launch attacks on government infrastructure, steal sensitive data or disrupt services,” outlined Little.
Additionally, a shutdown will reduce the ability of federal agencies to respond swiftly to any cybersecurity incidents. Little observed that this delay will allow attackers to maintain access to compromised systems for longer periods, potentially causing more damage and increasing the cost of recovery.
Jake Williams, faculty member at IANS Research, also believes that a shutdown period would increase the risk of insider threats at government level. He explained that the small number of essential government employees still working during this period will be under extra pressure and face a shifting of duties – scenarios in which staff are more likely to engage in insider activity.
“Insider threats on government networks are substantially harder to detect at exactly the time you should most be concerned about disgruntled employees,” he commented.
A shutdown could also have major effects outside of the government.
Martin Jartelius, CSO at Outpost24, highlighted CISA’s crucial role in getting information across to organizations on what vulnerabilities and sectors are currently targeted by threat actors, and their new methods of operations. If this function is not able to operate as normal, “it will lead to organizations being less prepared to respond to the same ones we would see with or without them in operations,” he outlined.
Shutdown Could Have Devastating Impact on Cybersecurity Funding
Little said that the enormous economic costs of a shutdown could lead to reduced funding for cybersecurity initiatives and research, limiting the development of advanced security measures and technologies.
“This can leave the government and critical infrastructure sectors more susceptible to evolving cyber threats,” he commented.
Little also argued that failure to find a resolution to the budget deadlock could even harm international cybersecurity efforts. “It may disrupt information sharing and collaboration between nations, making it harder to address global cyber threats effectively,” he noted.
The last time a US government shutdown occurred, in 2018-19, experts highlighted its chilling effect on national cybersecurity, including 80 government web certificates expiring without being renewed.