Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

Federal shutdown and expiration of key laws weaken America’s cybersecurity defenses

(Architect of the Capitol)

By Ilona Cohen

As the federal government shutdown persists with no immediate end in sight, the news coverage echoes that of prior shutdowns, highlighting unpaid federal employees, delayed flyers, and tourists without access to national parks and museums. This year’s shutdown is different and more dangerous, however, because it coincides with reduced cybersecurity staffing in key federal agencies and the expiration of key cybersecurity laws that are critical to our nation’s cyber defenses. This perfect storm of events has weakened America’s cybersecurity defenses when they are most needed.

Prior to the shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) had significantly reduced its workforce by about a third, with over 1,000 taking buyouts or early retirements, or being laid off. During the shutdown, CISA has furloughed two-thirds of its remaining employees. This has been accompanied by reductions in critical cyber positions at other federal agencies. The federal government was already working to address a cybersecurity workforce and skills shortage to meet the demands of escalating cyber threats. The absence of security personnel working to protect the country creates a security gap and an opportunity for malicious actors to exploit weaknesses.

With limited staffing, agencies are unlikely to process vulnerability reports submitted through their Vulnerability Disclosure Policies (VDPs). As part of sustaining a risk-aware enterprise cybersecurity program, government agencies are required to maintain VDPs and manage and remediate vulnerabilities identified through these programs. Agencies’ inability to process and address reported vulnerability information will increase the risk of exploitation. In addition to reduced resources to defend federal IT systems, there are now fewer federal resources available to help the private sector identify vulnerabilities, investigate incidents and respond to attacks.

These reductions occur as foreign adversaries and other bad actors wait patiently to exploit vulnerabilities. On Oct. 15, CISA issued a directive stating that a “nation-state affiliated cyber threat actor” has penetrated the systems of a federal security vendor and “presents an imminent threat to federal networks.” The compromised software is used by all 15 executive departments of the U.S. Cabinet. CISA’s directive gave agency personnel a week to implement security fixes. The attackers reportedly accessed the supplier’s systems in late 2023 and were not discovered by the company until August of this year.

This year’s shutdown also coincided with the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) on Sept. 30. The act guides information sharing about cyber threats within the private sector and between the private sector and government. When the legal protections of CISA 2015 were in place, cybersecurity teams were empowered to quickly and securely relay time-sensitive threat intelligence to the government and share with other companies. This speed and urgency is particularly critical in fast-moving situations where threats can escalate across the internet in hours or even minutes. With the law expired, companies must now evaluate whether they have contracts in place to ensure appropriate protections for information shared with other companies. They also have to assess whether information shared with the government could be disclosed through federal or state public records laws.

Recent attacks on our critical infrastructure – whether it be energy grids, transportation systems or healthcare facilities – should be a call to strengthen cybersecurity in these critical sectors and prevent destructive attacks. Instead, a shutdown heightens the risk of attack in these areas as resources dry up and government expertise becomes inaccessible. A shutdown also disrupts the momentum and implementation of new strategies designed to strengthen resilience in these areas.

The State and Local Cybersecurity Grant Program provided $1 billion in funding over four years to help state and local governments strengthen their cyber defenses and protect critical infrastructure. This law also expired on Sept. 30, reducing the resources available to defend our country at state and local levels.

As elected officials weigh the potential consequences of a shutdown against the benefits of reopening the government, they should put national security concerns and protections for sensitive data held by the government at the forefront of their considerations. While Congress does not seem to agree on much these days, cybersecurity has always been a bipartisan issue. To keep our nation safe, the federal government should bring cybersecurity staff back to work and Congress should renew both CISA 2015 and cybersecurity funding for state and local governments to protect critical infrastructure.

Click to listen highlighted text!