The Government Shutdown Is a Ticking Cybersecurity Time Bomb

Amid a government shutdown that has dragged on for more than five weeks, the United States Congressional Budget Office said on Thursday that it recently suffered a hack and moved to contain the breach. CBO provides nonpartisan financial and economic data to lawmakers, and The Washington Post reported that the agency was infiltrated by a “suspected foreign actor.”

CBO spokesperson Caitlin Emma told WIRED in a statement that it has “implemented additional monitoring and new security controls to further protect the agency’s systems” and that “CBO occasionally faces threats to its network and continually monitors to address those threats.” Emma did not address questions from WIRED about whether the government shutdown has impacted technical personnel or cybersecurity-related work at CBO.

With increasing instability in the Supplemental Nutrition Assistance Program (SNAP) leaving Americans hungry, air traffic control personnel shortages disrupting flights, financial devastation for federal workers, and mounting operational shortages at the Social Security Administration, the shutdown is increasingly impacting every corner of the US. But researchers, former and current government workers, and federal technology experts warn that gaps in foundational activities during the shutdown—things like system patching, activity monitoring, and device management—could have real effects on federal defenses, both now and for years to come.

“A lot of federal digital systems are still just running in the cloud throughout the shutdown, even if the office is empty,” says Safi Mojidi, a longtime cybersecurity researcher who previously worked for NASA and as a federal security contractor. “If everything was set up properly, then the cloud offers an important baseline of security, but it's hard to rest easy during a shutdown knowing that even in the best of times there are problems getting security right.”

Even before the shutdown, federal cybersecurity workers were being impacted by reductions in force at agencies like the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency—potentially hindering digital defense guidance and coordination across the government. And CISA has continued cutting staff during the shutdown as well.

In a statement, spokesperson Marci McCarthy said “CISA continues to execute on its mission” but did not answer WIRED's specific questions about how its work and digital defenses at other agencies have been impacted by the government shutdown, which she blamed on Democrats.

The government's transition to the cloud over the last decade, as well as increased attention to cybersecurity in recent years, does provide an important backstop for a disruption like a shutdown. Experts emphasize, though, that the federal landscape is not homogenous, and some agencies have made more progress and are better equipped than others. Additionally, missed and overlooked digital security work that accumulates during the shutdown will create a backlog when workers return that could be difficult to surmount.

“It makes things worse and adds even more work down the road, because then they have to catch up,” one former national security official, who requested anonymity because they are not authorized to speak to the press, told WIRED. “The people who are left right now are working on the most critical stuff, which is great and necessary. But even so, I think there should be some worry from the public. When you hear about a hack at a government agency and you think, ‘Why didn’t they patch this moderate severity vulnerability for three years?’ Well, this is how that happens.”