The US Congress narrowly avoided a government shutdown on Saturday with the last-minute passage of a continuing resolution that will keep the government operating for another forty-five days. This temporary solution was reached in the hopes that a budget for Fiscal Year 2024 will be passed by that time. The potential shutdown created concerns over the implications it would have on the operations of the Federal government and specifically on cybersecurity measures.
In the event of a government shutdown, all Federal government operations, except those deemed essential, would be suspended. This would result in most Federal employees being furloughed until funding is provided by Congress. However, essential employees, including active duty military personnel, would continue their work as usual. In a memo issued by Deputy Secretary of Defense Hicks, she highlighted the importance of this distinction and assured employees that they would be paid for their work once funding is secured.
One of the major concerns surrounding a government shutdown was its impact on the US Cybersecurity and Infrastructure Security Agency (CISA). CISA expected to furlough 80% of its staff if the shutdown had occurred. The Department of Homeland Security, under which CISA falls, published plans outlining how they would handle a Congressional failure to pass a budget. The plans emphasized that during a funding hiatus, only functions and activities that are exempt or excepted from work restrictions specified in the Anti-Deficiency Act may continue to operate.
Experts in the cybersecurity industry warned that a shutdown would have short- and long-term effects on CISA and the nation’s cybersecurity posture. Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec, emphasized the risk to national security when funding is abruptly cut off. He highlighted the additional stress and uncertainty faced by cybersecurity professionals, who may be working without pay or dealing with reduced staffing. Avishai Avivi, CISO at SafeBreach, echoed these concerns, noting that CISA plays a crucial role not only in protecting federal institutions but also in supporting the cybersecurity posture of the private sector and international allies.
Avivi also raised the issue of the potential talent drain in the government cybersecurity workforce. With lower pay compared to equivalent private sector jobs, government cybersecurity positions rely on talented individuals motivated by a sense of mission and dedication to the country. However, a government shutdown may push these individuals to seek opportunities in the private sector, exacerbating the existing talent shortage in the government and leading to increased reliance on contractors.
Given the possible limitations of CISA during a shutdown, private-sector organizations were advised to make alternative arrangements to ensure their cybersecurity needs are met. Martin Jartelius, CISO at Outpost24, emphasized the importance of getting information on vulnerabilities and threat actors’ methods of operation, which is one of the key functions of CISA. While a shutdown would not necessarily lead to new attacks, organizations would be less prepared to respond to existing threats.
In conclusion, the narrowly avoided government shutdown highlighted the potential impact on cybersecurity measures and the workforce dedicated to protecting critical infrastructure. The temporary resolution provides some breathing room, but it is crucial for Congress to pass a budget for Fiscal Year 2024 and avoid further disruptions to the government and cybersecurity efforts. The private sector should also take proactive measures to ensure their cybersecurity needs are adequately addressed, even in the event of limited operations by CISA.