At the last moment on Sept. 30, Congress passed a bipartisan bill to fund the federal government for another 45 days, avoiding a government shutdown for now. Given the uncertainty regarding funding, the Office of Management and Budget has instructed agency leaders to prepare for a potential shutdown, and those plans must remain in motion until longer-term spending bills are approved. If the government does shut down in mid-November, hundreds of thousands of federal employees will be furloughed. Many more will continue working, with or without pay. With so many variables at play, what could a shutdown in November mean for the nation’s cybersecurity?
The Potential for Insider Threats and Disgruntled Employees
The potential shutdown sends a powerful message to government employees — either that they are not essential, or that their work is but paying them is not. This could create insider threats, as employees feel their work is devalued at the same time that they lack the funds to pay their own bills at home. It’s not hard to imagine some upset people trying to find another way to get paid, even if that involves working with — or for — a cybercriminal.
Nation-State Opportunities
A shutdown might motivate nation-state actors to conduct an attack, taking advantage of the uncertainty to increase the chance of further disruption. Reportedly, the Cybersecurity and Infrastructure Security Agency (CISA) was already preparing to furlough more than 80% of its workforce.
Given that a significant portion of CISA’s mission involves proactively monitoring threats and educating public and private sector stakeholders about emerging dangers, the ability to effectively communicate and raise awareness among stakeholders may become constrained. The question remains: Can we afford to operate our cyber agency at such a reduced level — and could malicious actors take advantage of its impact? If nation-state actors weren’t already prepared for this possibility, the 45-day extension provides more opportunity to put such plans in place.
Meeting Regulatory Requirements
It’s not just the public sector and critical infrastructure that will be affected, either. If malicious actors seize this opportunity, how will public companies handle material incident disclosure? The Securities and Exchange Commission (SEC) recently adopted new rules (PDF) to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.” But if a serious cybersecurity incident occurs, how will public companies report it within the allotted four-day time frame? Who will help these entities respond to, analyze, and investigate those incidents if most of CISA is furloughed, along with other government agencies that assist in incident response? Will every organization, public or private, have to turn to incident response companies, and just hope that they can get the support they need?
Are Understaffed Agencies Prepared?
Despite the looming possibility of a government shutdown, various other governmental policies and decisions persist in their progression. Take, for instance, the resumption of student loan repayments in October, which have been on a three-year hiatus due to the COVID-19 pandemic. It is imperative that the system continues to anticipate a surge in new activity but also bolsters its defenses against potential cyberattacks. During the last government shutdown in 2019, .gov websites also became inaccessible because of expired TLS certificates, which can put personal information at risk of man-in-the-middle attacks and users susceptible to fraud and identity theft.
Prepare for Disruption
There have been 14 shutdowns since 1981, according to the Congressional Research Service, many lasting only a day or two, so it’s hard to know what to expect. Many of the government agencies have not updated their contingency plans in 2023 (just 39 out of 114 have updated plans). While the government continues to urge public and private sectors to improve cybersecurity readiness, it’s easier said than done.
As the government agencies continue preparations for a potential shutdown, the private sector must prepare for the potential fallout. Regardless of whether a significant attack occurs during a government shutdown — in November or sometime in the future, it’s certainly a risk to be considered. All organizations would be best served by doing their best to protect their complex networks now, regardless of whether long-term government funding is in place.