A US Federal government shutdown has been averted (at least for now). The cybersecurity sector considers the implications of failure to pass a budget.
US Federal shutdown averted (or postponed): effects on cybersecurity.
The US Congress avoided a government shutdown Saturday with the eleventh-hour passage of a continuing resolution that will keep the government operating for another forty-five days, by which time Congress hopes to have passed the budget for Fiscal Year 2024. Fiscal Year 2024 begins on October 1st. The government would face another shutdown in the middle of November if a budget isn’t passed by then, so it’s worth keeping the implications of the continuing resolution in mind over the coming weeks.
What a government shutdown would have meant.
Briefly, a shutdown would entail suspension of all Federal government operations (and this is a Federal problem–state and local governments aren’t directly affected) except those deemed legally to be “essential.” Most Federal employees would be furloughed, and their jobs would not be performed until Congress provided funding. Federal employees whose work is essential (and this includes active duty military personnel) would report as usual and continue to carry out their mission. (Before the continuing resolution passed, Breaking Defense ran an overview of a shutdown’s implications.)
Deputy Secretary of Defense Hicks explained, in a memo she issued Friday to all Department of Defense personnel, what a shutdown would mean to people who work for the Federal government. Her memo is worth quoting at length:
“In consultation with our Office of General Counsel, we have reviewed our contingency plan and made the necessary updates to our determinations of the activities that may continue under these legal requirements. Similarly, we are making the necessary updates to our determinations of civilian employees who would continue to report to work to support excepted operations activities in the event of a lapse in funding, and civilian employees who would be furloughed. Pursuant to the Government Employee Fair Treatment Act of 2019 (31 U.S.C. 1341(c)), both furloughed Federal civilian employees and employees who are required to perform work during a lapse in support of excepted activities will be paid for the period of the lapse once Congress provides funding. During a Federal government shutdown, all active duty military personnel would continue in a normal duty status; however, they would not be paid until Congress provides funding. As we saw in 2013, should a shutdown occur, and depending on the length of the shutdown, the determinations of which employees are required to perform work may change over time as circumstances evolve. Importantly, the categorization of employees and whether or not someone is furloughed are not a reflection on the quality of an employee's work, nor of his or her importance to the Department. It is merely a reflection of the legal requirements under which we must operate should a lapse in appropriations occur.”
The shutdown’s implications for CISA.
Most discussion of a shutdown’s implications for cybersecurity centered on the effect it would have on the US Cybersecurity and Infrastructure Security Agency (CISA). CISA, Federal News Network wrote, expected to furlough 80% of its staff had the government shut down. The Department of Homeland Security published plans on September 22nd (updated on September 26th) for handling a Congressional failure to pass a budget. It offered an account of what the laws require when Congress hasn’t appropriated funds for government operations:
“During a federal funding hiatus, or lapse in appropriations, the Department of Homeland Security (DHS) must be able to cease its government operations in an orderly fashion. Only those functions and activities that are exempt or excepted from the work restrictions specified in the Anti-Deficiency Act (ADA) may continue during a lapse in appropriations.
“The ADA essentially codifies the Constitutional requirement that ‘No Money shall be drawn from the Treasury, but in consequence of appropriations made by Law.’ Federal officials are prohibited from incurring obligations, to include entering into contracts or grants, or performing activities in the absence of a currently available appropriation, unless authorized by law. The Act further restricts acceptance of voluntary services or personal services beyond authorized levels ‘except for emergencies involving the safety of human life or the protection of property.’ As a result, only activities that are exempt or qualify as excepted may continue to operate during a lapse in appropriations.”
CISA, as an agency of the Department of Homeland Security, would fall under this guidance.
Short- and long-term effects on CISA.
Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec, points out that no organization will continue to operate at anything approaching normal effectiveness when funding is abruptly curtailed. “Anytime funding is reduced or cut off, like in the case here, our national security, which includes cybersecurity and critical infrastructure security, is placed at risk,” Marsland wrote in emailed comments.
And the effects on the workforce would be pronounced. “While the executive branch can decide to make certain employees essential so they can continue working, that does not necessarily mean that all of them will continue to collect a paycheck. Take all of the cyber operators who wear a military uniform, for instance – they will be working without pay. Those who are getting paid will still be dealing with a significant amount of uncertainty, as well as extra work from the reduced staffing they will be facing. Pair this with the mental health discussions that are always discussed amongst IT and cyber professionals – pay inequality, burnout, high stress, overworked, etc. – and this only places our nation more at risk because the legislative branch is refusing to govern.”
Avishai Avivi, CISO at SafeBreach, thinks that a government shutdown would have both short- and long-term effects. The short-term effect is the obvious impairment organizations like CISA will experience in their ability to accomplish their mission. It’s naive, Avivi thinks, to assume that CISA would be exempted from a shutdown.
“The myopic view that CISA and DHS will get the White House to designate some essential personnel to ‘keep the lights on’ is ignoring the tremendous role that CISA and other agencies have in supporting the cybersecurity posture in the private sector and with our international allies. Malicious actors and hostile nation-states are not limiting their attacks to only federal institutions. They use ransomware and advanced capabilities to attack and hobble critical infrastructure outside the government. Without the active work of CISA to prevent, detect, protect, and thwart these attacks, the risk to the American people and the populations of our allies grows exponentially.”
The other issue is the effect on the workforce itself. “It is a known fact that there is a significant talent shortage in the cybersecurity field,” Avivi writes. “With this imminent shutdown, the government risks losing the talented cyber experts who will be furloughed. Government cybersecurity jobs, in general, are lower paid than equivalent jobs in the private market. The remarkable individuals who work in these positions in the government do so not just for pay but also out of a sense of mission and dedication to the country.”
But it would be rash to assume that this motivation will keep them in the Federal workforce. You can contribute in the private sector as well. “Different from the essential federal flight control employees, their roles and skills are immediately transferrable and needed outside the government. If and when this talent drain happens, it will result in a long-lasting shortage of qualified cybersecurity experts in the government. It will also translate to higher expenditures as the government will be forced to turn to contractors to fill these roles.”
How the private sector should respond to a shutdown.
A number of cybersecurity industry leaders offered perspective and suggestions for how private-sector organizations should respond to a severely limited CISA.
Martin Jartelius, CISO at Outpost24, began his comments with a quick overview of what CISA does. “CISA fills many important functions - one of those is getting information across to organizations on what vulnerabilities and sectors are currently targeted by threat actors, and their new methods of operations,” Jartelius wrote in emailed comments. It won’t increase the threat, but it would increase vulnerabilities. “CISA ceasing to function as normal will not lead to new attacks, it will lead to organizations being less prepared to respond to the same ones we would see with or without them in operations.”
The organizations who rely on CISA can and should make alternative arrangements. Jartelius said, “What organizations can do is relatively simple – If the government cannot keep you provided by actionable, accurate threat intelligence, get other sources. For many organizations, CISA is just one of several sources to turn to for information and support, many start by finding a trusted provider and as they grow and mature tap into several sources to get a good insight.
“Backing this with solid inventory of your attack surface so you can prepare to defend, and a mature solution for vulnerability identification which you can merge with your threat intelligence for priority, should replace those bits many rely on CISA for with something more tangible and hands-on. Overall a good idea, government supported or not."
Tim Helming, security evangelist with Internet intelligence provider DomainTools, introduced his comments with informed speculation about how CISA is deploying its remaining assets. "The US government doesn’t say a lot publicly about the workforce keeping its cyber assets secure, but like any large organization, it’s likely that their blue teams are at maximum capacity most of the time. That means that any reduction in forces may affect their ability to carry out the same level of intelligence gathering and analysis, detection engineering, incident response, threat hunting, etc., that they usually do. This doesn’t mean that we’re going to see new, successful incursions, but it may mean that at minimum, the staff remaining available after the shutdown will be stretched thin and overtaxed.”
He thought it likely that a shutdown would interrupt some communications the security community has grown accustomed to, and that’s a reason to increase vigilance. “Of course, CISA has been quite prolific with advisories and other guidance, and it’s likely that the pace of those could slow during the shutdown. None of this means that the community in general is going to see an uptick in successful attacks, because the effects of the government shutdown on a) threat actors and b) private sector organizations may be limited, especially if the shutdown does not continue for an extended amount of time. As always, we need to be highly vigilant; there have been several high-profile breaches in the last couple of weeks unrelated to the shutdown, and those certainly warrant a lot of care and tight operations.”
And the culture CISA has helped inculcate should survive a shutdown. “Given CISA's track record of enabling better communication and leadership across public and private sectors, this culture shift will continue to keep us secure, even if CISA does slow down during a shutdown.”
Others recommend a similar level of alert during a shutdown. Colin Little, security engineer with cybersecurity firm Centripetal, advised, “A federal government shutdown can weaken the cybersecurity posture of a nation, leaving it more vulnerable to cyberattacks and potentially harming national security, public trust, and international cooperation in the realm of cybersecurity. Maintaining robust cybersecurity practices during a shutdown should be a top priority to mitigate these risks and ensure the continued protection of critical systems and sensitive data. Think of it in terms of an active warzone; if the government shut down and 80% of front line units stopped receiving troop pay, reinforcements, and supplies, the result would be disastrous, especially over a protracted period of time.”
Little summarized some of the more important effects he foresaw from a shutdown: “Here are some key effects to consider:
- “Reduced Cybersecurity Workforce: During a government shutdown, many federal agencies furlough or reduce their workforce, including cybersecurity professionals. This decrease in staffing can hamper the government's ability to monitor and respond to cyber threats effectively. It may also lead to delays in implementing security updates and patches, leaving systems vulnerable to known vulnerabilities.
- “Increased Vulnerabilities: With limited resources and personnel available to maintain and update critical systems and networks, vulnerabilities may persist or go unaddressed. Cybercriminals often take advantage of such opportunities to launch attacks on government infrastructure, steal sensitive data, or disrupt services.
- “Delayed Incident Response: A shutdown can hinder the government's ability to respond swiftly to cybersecurity incidents. This delay can allow attackers to maintain access to compromised systems for longer periods, potentially causing more damage and increasing the cost of recovery.
- “Economic Impact: The economic costs of a government shutdown can indirectly impact cybersecurity. Reduced funding for cybersecurity initiatives and research may limit the development of advanced security measures and technologies. This can leave the government and critical infrastructure sectors more susceptible to evolving cyber threats.
- “Supply Chain Risks: Many federal agencies rely on contractors and vendors for cybersecurity services and products. A shutdown can disrupt supply chains, delaying the acquisition and implementation of essential cybersecurity tools and services.
- “Erosion of Public Trust: Prolonged government shutdowns can erode public trust in the government's ability to protect sensitive data and critical infrastructure. This lack of trust can have long-lasting implications for national security and public-private cooperation on cybersecurity efforts.
- “International Implications: Cybersecurity is a global concern, and a government shutdown in one country can affect international cybersecurity efforts. It may disrupt information sharing and collaboration between nations, making it harder to address global cyber threats effectively.”
(Added 11:15 AM ET, October 2nd, 2023.) Since the shutdown remains a possibility once the continuing resolution expires in mid-November, we share some advice received this morning from Gary Barlet, Federal Field CTO at Illumio. He offered some questions organizations should be asking themselves between now and then, and suggested what their answers might look like:
- "What’s the biggest threat we should be considering in this situation? Federal agencies need to consider that times of turmoil like this create a perfect opportunity for threat actors to carry out attacks more successfully. The combination of limited people-power and having a split focus will make agency systems prime targets while their defenses are down.
- "What should organizations be thinking about, but probably aren’t? Agencies need to be thinking about how prepared they are to defend their organizations with limited people-power. This is critical, especially if they rely heavily on contractors that they may not be able to have on board during the shutdown. Unfortunately, in many cases, this is not subject to adequate scrutiny. All agencies should have plans in place but, if they haven't reviewed and practiced them, risks could remain high since they must also examine how they will monitor access from employees who could be spoofed while they remain offline and unable to see potential warning indicators.
- "What steps should companies take to prepare? It's essential for companies to understand what they can do to limit access to any systems that need to be monitored in order to narrow the focus of a limited workforce. They must remain vigilant for unauthorized access from employees who should be offline during a shutdown and could turn out to be spoofed users."
Round one ends with a continuing resolution. Round two will end in mid-November.
These concerns persist. The continuing resolution will expire in mid-November. Congress will continue to grapple with the FY 2024 budget, and we may see a reprise of Constitutional brinksmanship.