The partial shutdown of the US government may well end up damaging cybersecurity but perhaps not in the way most commonly thought. The most common and understandable concern is that the country’s current ability to respond to an emergency in the cyber domain is hampered. This line of thinking rests on the belief that the United States is not operating at full strength and, therefore, its present capacity to cope with an urgency is diminished. Admittedly, the challenge with multiple players down is not to be underestimated: It is far from ideal to take and defend the field with an incomplete roster. Moreover, bad actors may be plotting how to seize advantage during this self-inflicted window of vulnerability. Frankly, it is hard enough to ensure cybersecurity on a good day, when all hands are on deck. Having said that, there is some cause for confidence, despite prevailing circumstances. For example, from the standpoint of the Department of Homeland Security, over 80 percent of its flagship component responsible for cyber incidents — namely, the National Cybersecurity and Communications Integration Center, known as NCCIC — remains staffed. This should stand us in reasonably good (if imperfect) stead, should a crisis arise. For instance, US authorities engaged fully during the spate of DNS (domain name system) hijackings reported recently.
While that which is urgent may displace all else, by virtue of immediacy, it is critical to keep in mind the longer-term aspects of the shutdown: The tasks and consequences which are also truly important, but which are going undone or unaddressed. One such example would be vulnerability assessments, whose completion is suffering. Yet, leaving blind spots unidentified — and therefore unchecked — is obviously a suboptimal condition, which could have serious ramifications for our national security. By no means is this the only worry.
A relatively overlooked but deeply concerning knock-on effect of the shutdown, particularly as it wears on and multiple “paychecks” show a zero balance, is the potential thinning of the federal cybersecurity workforce.