In the midst of a federal government shutdown, it’s easy to get caught up in the short-term consequences: the federal workers going without pay, the long lines at airport security, the overflowing toilets at national parks. But the long-term effects may be even more devastating, at least when it comes to cybersecurity—and the problems could affect more than just the government.
At the moment, many of the Department of Homeland Security employees responsible for civilian cybersecurity efforts, including threat analysis and sharing information with private industry, have been furloughed. But even if the shutdown ends soon, it may scare talented people away from taking government cybersecurity jobs—which are already a struggle to fill. According to a report published on Dec. 31 by Duo Security’s newsletter Decipher, the shutdown could affect more than just the government’s own online security posture. It could, and perhaps already has, weaken private enterprise security as well, argues report author Fahmida Rashid. Rashid points out that nearly 85 percent of the National Institute of Standards and Technology’s staff members are furloughed during the shutdown, a terrifying number given the central importance of NIST security and privacy standards for not just government agencies but also many private companies.
NIST develops, publishes, and updates several important documents that give guidelines for securing computer systems. Most are available through its Computer Security Resource Center, which is currently offline (though, interestingly, it is still possible to access their cybersecurity framework). NIST standards cover everything from what kind of encryption you should use to how you should authenticate user accounts, store sensitive data, monitor network intrusions, and respond to security incidents. By law, only federal agencies are required to follow the security guidelines issued by NIST, but many other organizations also rely on them as reputable, comprehensive, and well-vetted recommendations for best practices in computer security.
Several of those standards can still be located on other websites that have published PDFs of the popular documents, but some of them aren’t up to date. (Also, with the NIST website down, it can be tough to remember which versions are actually the most recent ones.) And while the website outages are (hopefully!) temporary, for organizations making decisions about security or encryption during this shutdown, not having access to NIST standards could have long-lasting consequences.
Meanwhile, over at the Department of Homeland Security—the branch of government responsible for governing all civilian cybersecurity efforts—45 percent of employees at the Cybersecurity and Infrastructure Security Agency are furloughed, as are 45 percent of DHS’s analysis and operations staff, Rashid reports. That’s a blow to companies that rely on DHS for threat intelligence and information sharing, but it’s also a problem for the department, which has worked hard to try to build relationships with industry and persuade the private sector that it is a useful and knowledgeable partner when it comes to cybersecurity. That was a hard sell even before DHS was forced to put a large portion of its cyber operations and analysis teams on furlough—the shutdown will just reinforce many firms’ sense that DHS is too slow, bureaucratic, and inept to be an effective resource when it comes to cybersecurity.
Depressingly, the shutdown probably will make the federal government less effective when it comes to securing its own networks and helping others secure theirs—not just because skilled workers are home on furlough right now but also because many of those workers are probably (understandably) looking for other jobs. And, as Joseph Marks points out in the Washington Post, they will probably find other jobs. There’s no shortage of openings for cybersecurity workers in the private sector, and those jobs often come with better pay, more flexibility, and more perks (unlimited vacation time! free snacks! in-house laundry! ping-pong tables in the office!) than federal government jobs.
It’s already a challenge for the U.S. government to recruit cybersecurity talent. In February, the Government Accountability Office published a report titled “Cybersecurity Workforce: Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill Requirements” that revealed that DHS had not even identified all of its vacant cybersecurity positions, much less filled them.
How much worse could the situation get after an extended shutdown? At the very best, the federal government will almost certainly lose some of its most talented and experienced workers in this area, many of whom were only working for the government in the first place because they believed that the work they were doing there was important and worthwhile. Once they are forced to stop doing that work, why stay? At worst, the shutdown will deter younger professionals and students finishing school from looking at entry-level positions in the federal government for fear of dysfunction and instability and it will be years and years before government agencies are able to recruit highly skilled teams of cybersecurity professionals.
Stability and the opportunity to do work that really matters have always been the strongest draws of federal cybersecurity jobs for people who could find more highly paid work in the private sector. The shutdown undermines both of those appeals and discourages those people who are in government primarily because of their sense of national loyalty and desire to make a difference.
Less than a year ago, DHS and the Department of Commerce presented a report to President Donald Trump on the cybersecurity workforce shortage (a report I can’t link you to at the moment because it was hosted—you guessed it—on the NIST website) per his 2017 executive order on cybersecurity. The report highlighted the shortage of cybersecurity workers in the country and especially cautioned that the government would face challenges recruiting talent in this area due to its pay scale, arguing, “The seriousness of the Nation’s cybersecurity workforce gaps merits a high-level initiative to raise awareness and create a sense of urgency about the importance of growing and sustaining a world-class cybersecurity workforce.” But so far, at least, the government seems determined to make its problem worse, not better.