Forward-Looking Cyber Activities Halted During Shutdown

government shutdown government closed option-min

During the State of the Net 2019 Conference, cybersecurity experts zeroed in on how the shutdown impacted not only the United States’ cybersecurity posture but also the Federal government’s cybersecurity workforce.

Moira Bergin, director of the House Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, said the shutdown couldn’t have come at a worse time for cybersecurity. She noted that the Cybersecurity and Infrastructure Security Agency (CISA), a dedicated component agency focused on cybersecurity within the Department of Homeland Security (DHS), was operationalized in mid-November. Six weeks later, half of CISA’s employees were furloughed. She said that this meant all of the agency’s strategic planning on a wide range of topics, including botnets, election security, wasn’t happening.

Moreover, Bergin noted that the organization changes that needed to happen to maximize CISA’s potential weren’t happening. “All of those forward-looking activities were put on hold,” Bergin said. She also pointed to the National Risk Management Center, which DHS set up in July, explaining that six months after its creation, the majority of its activities were also put on hold for the shutdown. “There’s concern among our [subcommittee] members about the cascading effects of the lost time on strategic planning,” she noted. “Our adversaries weren’t taking a break, but we were.”

On top of losing planning time, Chris Boyer, assistant vice president of global public policy at AT&T, said he fears there will be a loss of momentum of a wide variety of government projects, including the National Risk Management Center. However, he did note that other projects may have the exact opposite issue. In initiatives where there is a public-private partnership, private companies are committed to meeting certain deadlines. However, the projects couldn’t be worked on when agency partners were furloughed and shutdown, meaning the private sector will have to work on much tighter deadlines, leaving the companies in a bind.

Megan Stifel, cybersecurity policy director of the public interest group Public Knowledge, concurred with Bergin’s initial comments and focused on the “cumulative effect” of the shutdown, explaining that even before the shutdown, cybersecurity professionals were having to play catch up in terms of starting, continuing, and finishing cybersecurity investigations. Post-shutdown, cybersecurity teams within the Federal government are left playing catchup to their original catchup. She pointed out that investigating digital evidence isn’t easy or quick, and losing a month’s worth of investigative time has a “deleterious” effect on national security. However, this isn’t a problem for the United States alone. Stifel pointed out that U.S. allies and partners rely on our investigative work, so the shutdown impacted more than just the American cybersecurity posture and safety.

Nathaniel Gleicher, the head of cybersecurity policy at Facebook, touched on the shutdown’s impact on the private sector. He referenced his team’s work at Facebook, explaining that they work collaboratively with Federal partners when working to ride the social media platform of both traditional cybersecurity threats, as well as emerging threats, such as attempts to manipulate public opinion. He said the major impact they felt during the shutdown was not having their Federal partners at DHS and other agencies so willing and able to work with them. “Having the whole team on the field is really important,” Gleicher said.

Bergin also touched on cybersecurity recruiting and retention, a longtime issue and priority for the Federal government. Bergin pointed out that a lengthy shutdown doesn’t help the Federal government attract and retain top talent. “It’s not as if cyber experts that CISA is looking to hire have nowhere else to hire,” she said. “They have plenty of places to go where they definitely are going to get a paycheck. In terms of recruitment and retention, questions of whether you’re going to get paid aren’t helpful.”

Recent