In the event of a shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) plans to furlough over 80% of its employees, with only 571 of the current 3,117 employees being retained, as described in the latest version of the DHS’ Procedures Relating to a Lapse in Appropriations. Unless Congress can come to an agreement on the spending budget, the government will shut down on Sunday, October 1st, as the funding for these federal agencies would run out at 12:01 am.
Apart from its operational duties, CISA has been proactive in several initiatives. In August 2023, it released a strategic plan for the next few years, and it has been providing guidance and communication to the public and private sectors on ways to improve cybersecurity. Just this month (September 2023), it published the 2023 Cybersecurity Awareness Month Partner Toolkit, aimed at promoting cybersecurity awareness and best practices, and released a new Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management.
Hayden recognizes this as one of the many drawbacks of a government shutdown: “...there’s a lot of engagement with industry, exercises that are done with sector leadership, there are efforts that just due to the nature of a shutdown don’t get flagged as critical, and they get paused for however long the shutdown takes.” For as long as the break lasts, and for however long it takes a fully staffed CISA to regain its bearings, all of these ventures would have to stop. It may be a long while before a new version of the Agency’s secure-by-design framework (announced to be already in the works) is released.
This interruption could also delay important cybersecurity bills, like CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). Harmonization recommendations on the reporting process, which were required before it could take place, were only recently issued by the DHS (Department of Homeland Security) and many other agencies in the Cyber Incident Reporting Council. Efforts to streamline the reporting process will likely have to take a backseat if fewer than a fifth of CISA employees are retained.
The instability caused by a government shutdown could also reduce the appeal of federal cybersecurity jobs, a point made by Bryan Ware, a former senior DHS official: “We should expect it will have not only a morale impact, but also an attrition impact in that some employees who say, ‘I just don’t want to go through this kind of uncertainty. I’d rather work for a private sector company.’” The National Cybersecurity Strategy already acknowledges that “there are hundreds of thousands of unfilled vacancies in cybersecurity positions nationwide, and this gap is growing. Both private sector and public sector employers face challenges in recruiting, hiring, and retaining professionals to fill these vacancies, which negatively impacts our collective cybersecurity.” Hopefully a shutdown can be avoided, for the future of cybersecurity.
Earlier this year, the United States General Accounting Office published a series of stark warnings about the increasing cyber threat targeting Federal agencies and critical infrastructure. There may never have been a worse time to go from “Shields Up!” to “shields down”. In light of the potential consequences, it is crucial to avoid a government shutdown to maintain our nation's cybersecurity and continue developing the cyber workforce.