A shutdown would sideline federal cyber defenders just as a bedrock cybersecurity data-sharing law expires, leaving the government unusually vulnerable, cybersecurity experts warn.
“The absence of security personnel working to protect the nation from these threats can create a security gap and an opportunity for malicious actors to exploit weaknesses,” said Ilona Cohen, chief legal and policy officer at HackerOne and former general counsel at the Office of Management and Budget.
Cohen said infrastructure owners and operators would be less able to reach officials and data, and the government’s cyber workforce would suffer if no funding bill is passed by Oct. 1.
Only an estimated 889 of 2,540 employees would continue to work at the Cybersecurity and Infrastructure Security Agency, the nation’s main cyber defense office tasked with defending government networks, according to a planning document posted Saturday.
Among them would be people confronting an emerging cyber threat group, believed linked to China, exploiting vulnerabilities in Cisco devices, Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, told reporters last week.
There are risky domino effects of having a diminished federal cyber workforce, said one former U.S. official who requested anonymity because they weren’t authorized to publicly speak about the impact of a shutdown. Specifically, younger cyber staffers can’t learn from their more experienced peers because they will not be able to come into work.
“They’re losing time to upskill, to get trained and to get on-the-job training because they’re not there. It hurts not only the current workforce but the future workforce as well,” the former official said.
Gary Barlet, the public-sector chief technology officer at Illumio, echoed those concerns.
“This year, the challenge is sharper because agencies are already stretched thin,” Barlet told Nextgov/FCW in a written statement. “Many of the employees who guided past shutdowns aren’t there anymore, leaving fewer people who know how to manage through the disruption — exposing critical gaps and reducing the ability to respond quickly.”
The 2015 Cybersecurity Information Sharing Act, which lets private-sector providers transmit cyber threat intelligence with government partners while receiving key legal protections, is also set to lapse on Tuesday evening unless renewed by Congress.
House appropriators earlier this month unveiled a temporary funding plan that would keep the law alive through Nov. 21 and fund the government until the same date. That would have given Congress simultaneous time to work out funding snags and reconcile any debate about changes needed for the cyber law that was first enacted 10 years ago. But that continuing resolution failed to pass in the Senate.
The agreement etched between the public and private sectors for information-sharing is “really important,” Tim Brennan, the VP for technology policy and government relations at the Professional Services Council, told reporters Monday.
“You’re going to get less information-sharing, which means delayed response times,” he said, adding that it would impact mission functions inside agencies like the Department of Homeland Security, which houses CISA.
The liability coverage provided by the data-sharing law is critically important to the private sector because it makes companies more comfortable with transmitting cyber threat data, Morgan Adamski, the former executive director of U.S. Cyber Command, told Nextgov/FCW in an interview.
“When you have a tool like CISA 2015 that’s valuable in contributing to information-sharing between the public sector and the private sector, why wouldn’t you want to have it in place to really encourage that collaboration?” added Adamski, now U.S. leader in PwC’s Cyber, Data & Technology Risk business.
“Something has to be put in place to enable that collaboration, or you’re potentially going to see an impact on information sharing, which collectively hurts us from better understanding what’s happening in the cyberspace domain,” she said.
On Monday, congressional Democrats said they were unable to reach an agreement with Republican counterparts and the White House, upping the odds of a shutdown occurring.
Last week, OMB told agencies to consider issuing reduction notices to employees whose work is funded by regular appropriations and doesn’t align with President Donald Trump’s priorities if annual spending lapses Tuesday evening. The Office of Personnel Management issued new guidance Sunday, telling agencies that it can tweak those plans once the government reopens.
Nextgov/FCW Staff Reporter Natalie Alms contributed to this report.
The post Shutdown could erode cyber defenses by sidelining critical staff, experts warn appeared first on Defense One.
