The Government Shutdown Is a Ticking Cybersecurity Time Bomb

In the middle of a government shutdown that has lasted more than five weeks, the U.S. Congressional Budget Office said Thursday that it recently suffered a hack and has taken steps to contain the breach. The CBO provides nonpartisan financial and economic data to lawmakers, and the Washington Post reported that the agency had been infiltrated by a “suspected foreign actor.”

CBO spokesperson Caitlin Emma told WIRED in a statement that it has “implemented additional monitoring and new security controls to further protect the agency’s systems” and that “CBO occasionally experiences threats to its network and continually monitors to respond to these threats.” Emma did not respond to WIRED’s questions about whether the government shutdown has impacted technical staff or cybersecurity-related work at the CBO.

With increasing instability in the Supplemental Nutrition Assistance Program (SNAP) leaving Americans hungry, air traffic control personnel shortages disrupting flights, financial devastation for federal workers, and growing operational shortages within the Social Security Administration, the shutdown is increasingly affecting every corner of the United States. But researchers, current and former officials and federal technology experts warn that gaps in core activities during the shutdown — things like system patching, activity monitoring and device management — could have real effects on federal defense, now and in years to come.

“Many federal digital systems are still running in the cloud during the shutdown, even if the office is empty,” says Safi Mojidi, a longtime cybersecurity researcher who previously worked for NASA and as a federal security contractor. “If everything was set up correctly, the cloud provides an important foundation of security, but it’s difficult to rest easy in the event of a downtime, knowing that even in the best of times there are problems in ensuring good security.

Even before the shutdown, federal cybersecurity workers were impacted by staff reductions at agencies such as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, potentially hindering digital defense guidance and coordination across the government. And CISA also continued to reduce its workforce during the shutdown.

In a statement, spokesperson Marci McCarthy said “CISA continues to fulfill its mission” but did not respond to WIRED’s specific questions about how its work and other agencies’ digital defenses were affected by the government shutdown, which she blamed on Democrats.

The government’s transition to the cloud over the past decade, along with the increased focus on cybersecurity in recent years, provides an important safety net in the event of a disruption such as a shutdown. Experts emphasize, however, that the federal landscape is not homogeneous and that some agencies have made more progress and are better equipped than others. Additionally, missed and neglected digital security work that accumulates during the shutdown will create a delay in workers returning that could be difficult to overcome.