The Department of Homeland Security's nascent cybersecurity agency is short-staffed during a key growth year.
The ongoing government shutdown comes at a sensitive time for the nascent Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.
The new DHS component, built out of the National Protection and Programs Directorate into CISA, was looking to spend much of 2019 in transition mode as part of its CISA 2020 plan, but because of an ongoing lapse in appropriations, just 56 percent of the workforce is on the job.
"Almost half of the [CISA] workforce is furloughed, and the rest are working without pay," said House Homeland Security Committee Chair Rep. Bennie Thompson (D-Miss.) in a Jan. 3 statement. "In all, 87 percent of the DHS workforce is reporting to work … without knowing when their next paycheck will come."
According to shutdown guidance provided by DHS in December 2018, just over 2,000 of CISA's 3,531 staffers were designated as exempt from the shutdown. A substantial amount of work remains to be done to fully stand up the agency as it forges ahead on newer initiatives like the National Risk Management Center and the Supply Chain Security Task Force.
Chris Cummiskey served as deputy undersecretary for management and the lead DHS official during the 2013 federal government shutdown. He told FCW his experience then has left him with no doubt that the current shutdown is negatively impacting the ability of DHS and CISA to carry out their cybersecurity missions.
"The challenge is that you're trying to stand up a new entity amidst a government shutdown that is paralyzing your ability to do procurements, to hire people where there are fairly significant vacancy rates in [Continuous Diagnostics and Mitigation] and Einstein already," said Cummiskey.
The cyber policy portfolio at DHS has grown significantly since the 2013 shutdown, adding new responsibilities in election security, implementing new systems and programs like CDM and Automated Indicator Sharing. But during a lapse in appropriations, operations revert to an emergency-only stance.
"You can sustain that for a short amount of time, but the longer you get into this, the threat doesn't stop and probably adversaries and nation states see this as an opportunity," Cummiskey said.
FCW placed phone calls and emails to multiple press officials at DHS and CISA to obtain further detail about the impact of the shutdown and a deeper breakdown of furloughed employees. The calls were not returned, and two press officials sent back automatic email replies stating that due to the funding lapse, they are unable to answer or respond to press inquiries.
Suzanne Spaulding, former head of NPPD, told FCW that she while has no doubt that CISA's leadership has a good plan in place to keep essential systems and functions running, there is only so much that can be done.
Spaulding said deadlines stemming from recently passed legislation, such as CISA and the Secure Technology Act, will likely be missed. Many contractors cannot continue their work without federal supervision. Programs like Einstein and CDM should continue to be prioritized. Others initiatives, like bringing businesses on board for Automated Indicator Sharing and moving protection beyond Trusted Internet Connections, are likely stalled.
Federal officials have experience in shutdown planning, and in some respects, the agency may be better positioned to absorb and mitigate the impact of a shutdown than it was in 2013. Still, Spaulding believes that the longer the shutdown endures, the more the lines will blur between what is and is not considered essential work. An activity or program deemed nonessential in the context of a two or three-day shutdown may not be viewed the same way in a prolonged shutdown.
"It's hard enough to keep ahead or keep pace with our adversaries when you're operating at full strength with cybersecurity," said Spaulding. "To have weeks go by where we're operating at half-strength, every single day we are losing ground to our adversaries and becoming less safe and less secure."
There are other longer-term considerations at play, including an impact on recruitment and retention. Spaulding and Cummiskey said previous shutdowns have resulted in valuable and talented feds leaving for the private sector or prospective candidates pausing when offered federal jobs. If the current shutdown endures into next week, Jan. 11 will mark the first missed pay period for most furloughed employees, something that could exacerbate already existing morale problems.