Concerns are growing that federal cybersecurity in the United States is stagnating — or worse

A weeks-long government shutdown this fall heightened concerns about the state of federal cybersecurity, creating the potential for blind spots or gaps in oversight while many workers were furloughed and overall contributing to an IT backlog already accumulating at agencies across the government.

“Federal IT workers are so good at their jobs, there are not enough resources for the issues they have to deal with,” a former national security official, who requested anonymity because he was not authorized to speak to the press, told WIRED. “They are always underfunded. They always have to play catch-up.”

Amelie Curran, a cybersecurity consultant and former principal architect of enterprise security at the Home Office, notes that one of the most significant impacts of the lockdown was likely to include the disruption, or in some cases, termination of relationships with specialist government contractors who may have needed to take on other jobs in order to get paid but whose institutional knowledge was difficult to replace.

Curran also adds that given the limited scope of the continuing resolution passed by Congress to reopen the government, “it is unlikely that any new contracts, extensions or options will be concluded, which will extend into next year and beyond.”

While it is unclear whether the shutdown was a contributing factor, more than five weeks into the ordeal, the US Congressional Budget Office said it had been hacked and had taken steps to contain the breach. The Washington Post reported at the time that the agency had been hacked by a “suspected foreign actor.” And after years of incredibly consequential U.S. government data breaches — including the 2015 Office of Personnel Management hack perpetrated by China and the sprawling, multi-agency hack launched by Russia in 2020 often called the SolarWinds hack — experts warn that inconsistent hiring and declining staffing at key agencies like CISA could have dire consequences.

“When, rather than if, we have a major cybersecurity incident within the federal government, we can’t simply throw in additional cybersecurity resources after the fact and expect the same results we would from long-serving employees,” says Jake Williams, a former NSA hacker and current vice president of research and development at Hunter Strategy.

Williams says brain drain, and any loss of momentum in digital defense, is a serious concern for the United States.

“I worry daily that federal cybersecurity and critical infrastructure protection may be slipping away,” Williams says. “We must stay ahead of the curve.”