By Phil Reitinger
People like to say “no pain, no gain.” For cybersecurity and the partial U.S. government shutdown, however, the proper phrase is “pain, no gain.” There is no upside for government or the private sector.
I do not expect a cyber catastrophe. Operational, mission-critical employees are mostly designated as essential, and so we can expect that network monitoring will continue and cyber security incidents will get an appropriate response. Nevertheless, there are immediate and important consequences.
First, let’s note that the most critical parts of the U.S. government civilian cybersecurity are in agencies subject to the shutdown, especially the Cybersecurity and Infrastructure Security Agency and U.S. Secret Service at DHS, the FBI and computer crime prosecutors at DoJ, and Commerce agencies including NIST, NTIA, and the NCCoE. In other words, the shutdown affects the agencies responsible for protecting systems (DHS) and for investigation and deterrence (DoJ), as well as critical policy and technical work (often assigned to Commerce).
Second, while “essential” work will continue, even these services will operate with reduced staffing, especially including support personnel, and that means reduced effectiveness no matter what anyone says. On this point: “The Department of Homeland Security’s newly-established Cybersecurity and Infrastructure Security Agency has 45 percent of employees furloughed,” according to a recent article. Even if the NCCIC were fully-staffed, it won’t be as effective in an agency where about half of the total personnel are not legally allowed to work.
Third, these “essential” employees will be working without pay. I know these women and men – they are passionate and dedicated – but worrying about paying your rent and feeding your family is a distraction at the very minimum.
Fourth, these consequences impair not only U.S. government cybersecurity but that of the private sector as well. DHS shares information with and helps the private sector. The FBI and U.S. Secret Service investigate cyber crimes against the private sector. The effect is also international, as these agencies work with their counterparts around the world to protect allies and global businesses.
That said, these immediate consequences are not the greatest concern. What worries me most is the long-term effect of further limiting the pool of cybersecurity people who are willing to work for government. Cybersecurity is a very competitive field, with a significant shortage worldwide of qualified personnel. In most cases, government cybersecurity professionals could find a higher paying and more flexible job in the private sector. Federal cybersecurity employees often work longer hours for less money, and ask only that we let them do their jobs. In this shutdown these amazing people are being told not to do their jobs, or in some cases, to do it for free. They are also being told that their lives and their families are less important than an arbitrary political goal.
Faced with little respect, low and uncertain pay, arbitrary disruption, and an inability to accomplish the mission they love, people leave government, and in the future, never work for it in the first place.