COMMENTARY | Bad actors will be aware of a government shutdown and work to exploit any new vulnerabilities, so it’s critical for the government to have a plan for damage control.
On September 30, Congress narrowly avoided a government shutdown by passing a bill that extended government funding for another 45 days. While this was a sigh of relief for many in the government, question marks still remain. Congress now has until November 17 to pass another bill to prevent a government shutdown.
For those not working in the government, it’s difficult to understand all the time and resources that go into the planning process when there is a potential government shutdown. For many, it’s all-consuming, especially as it gets closer to the deadline. Agencies are scrambling to finalize their plans, oftentimes without much clarity about how long a shutdown is going to last. As part of those plans, they need to determine which activities will continue during the shutdown and which activities will come to a halt. They also must determine which employees will continue working and which employees will be furloughed. Ahead of the end of September deadline, a Government Executive analysis found that the Biden administration had planned to furlough about 737,000, or 34%, of civilian federal employees. The remaining 1.4 million workers would continue to report for duty on only the promise of back pay.
One agency of particular note is the Cybersecurity and Infrastructure Agency). According to the Department of Homeland Security’s plan for a lapse in appropriations on September 22, they revealed that CISA was planning to furlough 2,546 employees in the event of a government shutdown — more than 80% of its workforce. It’s not clear at this stage if those plans will remain in place should the November 17 deadline pass without a resolution. However, it is unlikely that those numbers will change drastically one way or the other.
A government shutdown would be a cybersecurity nightmare for employees
From a cybersecurity standpoint, a government shutdown, or even the possibility of one, can create a whole host of problems. Firstly, with all the uncertainty looming, government employees are sure to be distracted. This can impact their performance, at least to some extent. When guards are down, phishing attacks rise, so it’s critical that all government employees are extra vigilant with messages they open and links they click on. The number of phishing attacks is also up in general with AI tools like ChatGPT able to generate more fraudulent emails in a fraction of the time, so separating the real messages from the fake ones does require a higher level of concentration. The same goes for vishing attacks — phone calls and voice messages that are used to convince individuals to reveal sensitive information.
Additionally, regular patches and vulnerability management can be a step or two behind when staff is trimmed. In some cases, these can be axed completely. While I wouldn’t expect that to be the case in this instance, it is impossible to avoid a natural drop-off considering the potential shortage of personnel. Bad actors would be aware of this and will aim to exploit any new vulnerabilities, so it’s critical for the government to have a plan for handling this and limiting any damage that may occur. Over the long term, there’s a strong likelihood the government will look to further consolidate its cybersecurity tools, so that when staff is not at 100%, it’s easier for everyone else to manage things effectively.
Furloughed employees and government agency workers are critical
Furthermore, the government needs to consider the near-term and long-term impacts of furloughing so many cybersecurity employees, as well as effects that a shutdown can have on government agency workers. Both of these groups will be impacted financially, whether it’s not receiving the full amount they normally get or having their payments delayed. In a market where cyber skills are already in short supply; this can negatively impact long-term retention and even short-term performance. Cybersecurity is often about getting all the small details right - and when employees are disenfranchised, even the best employees can be prone to mistakes. And the retention of employees is a vital consideration. If personnel continue to move out of the government sector, it will further compound the challenges we are already facing and put our nation’s security at greater risk. As someone who was personally affected by a furlough when I worked for the government, I know how frustrating it can be and how it negatively affected not just me and my co-workers, but also our families.
While there is some more time before anyone needs to panic about a government shutdown, it’s important for everyone that may be impacted to seriously prepare for that possibility. Since preparations were already in place at the end of September, it should serve the government and its agencies well this time around. Hopefully, though, this extra time gives everyone a chance to re-evaluate their original plans and fill any weak spots that may have been overlooked the first time. Regardless of where things shake out, cybersecurity needs to be a major priority across all agencies, as threat actors are too clever, too skilled, and too armed with tools to be an afterthought. Ideally, everything gets resolved well in advance of the deadline and none of this is an issue for much longer. The sooner everyone can focus on business as usual, the stronger our national cyber defense will be.