The partial US government shutdown is the longest in modern history and continues to drag on as both political parties remain entrenched, refusing to budge from their respective positions. The inability to reach an agreement, or at least to open the government, may have lasting impacts on the effectiveness of cybersecurity in the federal government.
The near-term effects of the shutdown are more apparent than some of the downstream impacts. We regularly see or hear about the furloughed staff not receiving a paycheck, the growing list of .gov websites with expired Transport Layer Security (TLS) certificates, the unavailable National Institute of Standards and Technology (NIST) content, or bare-bones staff left to perform system monitoring. Conversely, it is much harder to quantify the adverse long-term impact of the prolonged government shutdown. Let’s take a closer look at some affected elements, though the extent of the consequences will only be known at a later date.
NIST resources being affected by the shutdown hurts both the public and private sectors. Its guidance is heavily relied upon for compliance and security, regardless of industry. NIST is expected to release updates to major Special Publications in 2019 such as 800-53: Rev 5, 800-53A: Rev 5, 800-160: Rev 2, and 800-171: Rev 2. Updates to FIPS 199 and FIPS 200 are also on the horizon. The shutdown may cause delays to the completion of these efforts and thus push back adoption by the government and private industry.
The government already faces an incredible cybersecurity skills and resources gap. The shutdown is surely going to exacerbate this problem by making it more difficult to attract talented new employees and fill critical needs. University graduates are going to think twice before taking a job with the government compared to the private sector. It may get to the point where existing government employees possessing in-demand skills start seeking new employment opportunities.
A large percentage of the staff at DHS’s new Cybersecurity and Infrastructure Security Agency is currently furloughed. The new agency “leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.” But with such a significant portion of its staff not working, the agency’s ability to meet its goals and objectives will be affected.
Some government projects that are not currently on hold may soon reach the point where they run out of funding and have to be stopped. This not only results in more furloughs, but will also cause delays to implementation schedules. An increase in contractor furloughs may cause contractors to seek new employment opportunities, leaving the government project short-staffed when the shutdown ends. The lost time will have to be made up through scope reduction or sliding the schedule to the right. Unfortunately, the end result is likely to be increased spending by the government and a final product delivered later than originally planned.
We are all hopeful that the government shutdown will conclude in the near future and agencies can get back on track quickly. Regardless of when it ends, the extent of the lasting impact on cybersecurity is daunting.
Author’s note: Jason's views are his own and do not necessarily represent IBM's positions, strategies or opinions.