Worries mount as cybersecurity agency struggles amid shutdown

The partial government shutdown has furloughed nearly half the staff of a new cybersecurity agency, dealing a major setback to protecting vulnerabilities in federal infrastructure.

Former Department of Homeland Security (DHS) officials and lawmakers fear the shutdown, now in its 20th day, could have both short- and long-term effects, hurting the new Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to get off the ground and potentially pushing existing talent out the door.

{mosads}Cyber experts say foreign adversaries could try to take advantage of the shutdown now that fewer resources are working to thwart them.

The administration officially launched the new agency, which replaced the department’s National Protection and Programs Directorate (NPPD), late last year. Cyber officials had celebrated in November when President Trump signed a bill renaming the cybersecurity division after the legislation lagged in Congress for months.

But now former DHS officials say efforts to get the agency to full capability are stalled, with about 43 percent of CISA staff currently furloughed, according to planning documents, and the remaining staff likely focused on keeping basic security programs up and running.

“There’s so much work behind the scenes that still needs to be done to really fulfill the promise of this new agency,” Suzanne Spaulding, the former head of the NPPD, told The Hill.

Spaulding, an adviser for cybersecurity firm Nozomi Networks, said one of the goals of establishing the CISA was to find ways to better address both cyber and physical threats to infrastructure, and that work is likely still in its beginning stages. 

While she believes that staff remains in place to deal with the most pressing security concerns — such as preparing for the upcoming Super Bowl and being on standby in case of a major cyberattack.

However, she warned that enemies of the U.S might take advantage of the shutdown: “If I were a bad actor, this would be a very tempting time to do some mischief.”

Christopher Krebs, the head of the CISA, said at an event in November after Trump signed the bill into law that officials would create a two-year plan called “CISA 2020,” which he described as a “two-year roadmap that’s going to get this organization … to full operating capability.”

“This is more of a groundbreaking than a ribbon-cutting,” he said at the time, signaling that a good amount of work needed to be done to get the agency fully operational.

But all signs point to that plan being put on the back burner, until Trump signs a new bill to fully fund DHS.

The official spokespeople for the agency were unable to comment for this story. When contacted, CISA’s chief spokesman sent an automatic email saying he would “not be able to return or emails or telephone calls until I return to duty upon conclusion of the funding hiatus.”

{mosads}DHS spokesman Tyler Houlton said in an email that the “dedicated men and women of DHS are fully prepared to protect the homeland and keep Americans safe during this lapse in government funding.”

He did not answer specific questions on how the shutdown is affecting the CISA rollout.

Danny Toler, the former acting assistant secretary for DHS’s cybersecurity and communications office, said CISA is losing “critical momentum” during the shutdown to get its initiatives up and running.

“You don’t just pick up immediately necessarily right where you left off, you have to catch back up to that point and move on from there,” Toler said.

He also described this as a “critical juncture” for the CISA as it determines what kinds of responsibilities it takes on within DHS. “So it’s not just a matter of the day-to-day operations which continue to operate, but those more strategic initiatives which are more core to the long-term cyber health are impacted through periods like this,” Toler said.

The shutdown’s impact on cybersecurity has also caught the eye of lawmakers. House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) questioned in a statement Tuesday whether the CISA is still monitoring federal networks to guard against potential attacks.

Rep. Robin Kelly (D-Ill.), the chairwoman of the House Oversight and Reform Committee’s IT subcommittee, said Wednesday that the shutdown is hurting the federal government’s ability to attract and retain top cyber and information technology staff.

“How can we ever hope to recruit or maintain IT talent when hardworking government workers are told: ‘sorry, you aren’t getting paid, but you still need to come to work’ or ‘sorry, but no paycheck this week because of politics?’ ” she said in a statement. “Large private sector companies never say this to their employees and these are our competitors when it comes to IT talent recruitment.”

Stewart Baker, the assistant secretary for policy at DHS under former President George W. Bush, pushed back on how big of an impact the shutdown is having on the agency’s start, saying several of the CISA’s programs were already operating under the NPPD.

He also noted the administration could begin redefining what kind of staff is considered essential over time, allowing them to bring back more employees to carry out more of the longer-term work if the shutdown does continue to drag out.

But Baker said the lack of pay could be the final push for cybersecurity staffers at the department, who could likely earn larger salaries and benefits working in the private sector.

Trying to attract cybersecurity talent has been a major struggle for the federal government, and a report issued in October found that the gap in the cybersecurity workforce is at 498,000 for the U.S. alone.

“It cements people who are thinking about leaving,” Baker said. “They say, ‘Well this may be a good time to leave because I may not get paid and nobody cares.’ ”