The Cybersecurity and Infrastructure Security Agency is preparing to furlough more than 80% of its workforce under a government shutdown, potentially leaving the lead U.S. cyber agency with a skeleton crew to initially respond to attacks on the networks of federal agencies and critical infrastructure.
The Department of Homeland Security’s plan for a “lapse in appropriations,” updated today, shows CISA estimates it would retain 571 employees out of the 3,117 it had onboard as of mid-June. Those “excepted” staff would be required to work during a government shutdown, while the rest would be furloughed.
Unless Congress acts in the coming days, funding for DHS and most other agencies expires at 12:01 a.m. Sunday, shutting down the government.
The plan to furlough the majority of CISA’s staff stands in stark contrast to how most other DHS employees, such as airport screeners, Federal Emergency Management Agency staff and border patrol agents, will continue working through the shutdown.
“I don’t think we’ve really thought through as a country what it means to have your cyber agency at such a low level of activity, when the cyber incidents and attack vectors are just increasing,” Chris Cummiskey, a former senior DHS official, said regarding the shutdown plans.
DHS’s plan does not include a breakdown of the specific employees CISA would retain or the activities it would continue to carry out during a government shutdown. CISA and DHS declined to comment on specific plans, deferring questions to the White House.
Budget documents show CISA has the equivalent of about 1,100 full-time employees working specifically on cybersecurity programs, including operations to help secure federal networks and major cyber services like the Continuous Diagnostics and Mitigation (CDM) program.
The agency also has employees devoted to issues ranging from infrastructure security and emergency communications to internal mission support staff.
Matt Hayden, a former senior DHS and CISA official, said the cyber agency will keep its most critical staff onboard during a shutdown, but CISA’s expanding portfolio of “collaboration” work will likely be curtailed. Hayden is now vice president of cyber client engagement at General Dynamics Information Technology.
“The good news is the operational footprint of CISA, the operational scanning and the true cyber warriors on keyboard, that isn’t going to miss a beat,” Hayden said. “The bad news is there’s a lot of engagement with industry, exercises that are done with sector leadership, there are efforts that just due to the nature of a shutdown don’t get flagged as critical, and they get paused for however long the shutdown takes.”
Bryan Ware, a former senior DHS official and now chief development officer at ZeroFox, said a reduced staff at CISA means “nothing proactive happens” in the cybersecurity space. Much of CISA’s work on cybersecurity is focused on analyzing cybersecurity threats, writing guidance, and communicating with other agencies, the private sector and the public about cyber risks.
“It’s only reactive and so it makes a real dent to our operational capacity,” Ware said. “We’re really leaving ourselves vulnerable to foreign adversaries.”
Agencies are able to call personnel back to the office in case of an emergency, Cummiskey pointed out. But the shutdown puts CISA and the broader federal government “on their heels” if a major cyber incident were to occur, he added.
“The normal definitions of who doesn’t need to show up for work because of the lapse in appropriation I think needs to be examined more closely going forward, based on the growing responsibilities that CISA has in this space,” Cummiskey said.
While it’s one of the youngest federal agencies, a government shutdown would not be entirely new to CISA: the 2018-2019 shutdown, the longest in history, started a little more than one month after CISA was established as a standalone agency at DHS.
At the time, Hayden was serving as a senior advisor at CISA. After he was initially furloughed, Hayden was called back into work in the middle of a shutdown to work on a major priority of then-Homeland Security Secretary Kirstjen Nielsen.
“There was definitely a feeling of, I’m in here, I should make sure that anything I can do, I should do,” he said. “But that was actually a challenge, because you were given a list of critical work activities that you could do. And you weren’t to stray outside of it while you were there.”
“That was a change in morale and change in mentality that we were very glad to be done with when the shutdown was over,” Hayden added.
CISA has grown rapidly in recent years as both the White House and Congress have turned to the agency to respond to rising cyber attacks on the government and critical infrastructure. In the past two years, the agency has hired nearly 1,400 people, CISA Director Jen Easterly said during the Billington Cyber Summit earlier this month.
CISA and other federal agencies have used new hiring and pay authorities in recent years to better compete with the private sector for scarce technical talent. Ware pointed out that the typical stability of a government job may have held more appeal after mass layoffs in the technology and cybersecurity sectors over the past year.
“When we head into something like this shutdown, that appeal instantly goes away,” Ware said. “We should expect it will have not only a morale impact, but also an attrition impact in that some employees who say, ‘I just don’t want to go through this kind of uncertainty. I’d rather work for a private sector company.’”