The Cybersecurity and Infrastructure Security Agency will retain about one-sixth of its workforce in the event of a partial government shutdown, according to its current plan.
Federal cyber operations will face significant disruptions as government agencies are left exposed to a wide range of emerging threats if lawmakers fail to avert a looming government shutdown, according to security experts.
The shutdown contingency plans of the Departments of Homeland Security, Health and Human Services and many other large agencies may be overdue for updates that address the evolving threat landscape and account for the post-COVID telework footprint.
Updated contingency plans from agencies like the Department of Defense meanwhile leave "a lot to be desired," David Berteau, president and CEO of the Professional Services Council, told reporters Tuesday.
"The nature of the workforce and where they work has changed a lot in the last three, three-and-a-half years in ways that weren't anticipated and still are not anticipated in some of the guidance documents," Berteau said.
The Cybersecurity and Infrastructure Security Agency, a DHS component, performs critical work in maintaining the federal cyber posture, from conducting government-wide vulnerability assessments to serving as a hub for information-sharing initiatives and rapid response resources. But it remains unclear how the agency will be able to operate and continue performing its critical functions in the event of a shutdown, according to Berteau.
The DHS 2022 shutdown plan said that just 414 of CISA's workforce of 2,699 employees would be retained during a lapse in appropriations.
Cybersecurity experts also warned that the shutdown could leave federal networks open to digital intrusions from foreign adversaries.
"Funding lapses or delays due to government shutdowns or continuing resolutions impact program continuity and ability to operate sustainably," Stephen Zakowicz, vice president of the IT service management company CGI Federal, told lawmakers.
Zakowicz, who serves as the project manager on CGI Federal's contract with CISA for its Continuous Diagnostics and Mitigation program, described CDM as a "mission critical federal program" that helps agencies combat major cyber risks, and added that its success "depends heavily" on continued funding.
It remains unclear whether DHS and other agencies will release updated guidance before Oct. 1, when Congress is required to reach an agreement on either the standard appropriations bills or a continuing resolution to keep the government fully operational.
CISA and DHS did not respond to a request for comment. The Office of Management and Budget, which plays a key role in reviewing and assisting with the development of agency contingency plans, declined to provide a comment.
Brian Gumbel, president of the cybersecurity firm Armis, testified to the House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee that a shutdown "will obviously cause delays and some cyber projects will come to a halt."
"The longer we delay, the longer the adversaries will have a chance to get in front of us," Gumbel said Tuesday. "Delays are just terrible for this nation ... it's going to cause some major impacts."