The government shutdown is a cybersecurity time bomb

Central government The US Congressional Budget Office said on Thursday that it had suffered a recent breach and had moved to contain the breach, which had lasted for more than five weeks. The Congressional Budget Office provides nonpartisan financial and economic data to lawmakers, and the Washington Post reported that the agency was hacked by a “suspected foreign actor.”

CBO spokeswoman Caitlin Emma told WIRED in a statement that it has “implemented additional monitoring and new security controls to further protect the agency’s systems” and that “CBO occasionally encounters threats to its network and continually monitors to address those threats.” Emma did not respond to WIRED’s questions about whether the government shutdown has affected technical staff or cybersecurity-related work at the CBO.

With growing instability in the Supplemental Nutrition Assistance Program (SNAP) leaving Americans hungry, air traffic control staff shortages disrupting flights, financial devastation for federal workers, and growing operational shortages at the Social Security Administration, the shutdown is increasingly affecting every corner of the United States. But researchers, former and current government workers and federal technology experts warn that lapses in basic activities during the shutdown — things like system patching, activity monitoring and device management — could have real implications for federal defenses, now and for years to come.

“A lot of federal digital systems are still running in the cloud throughout the shutdown, even if the office is empty,” says Safi Majidi, a longtime cybersecurity researcher who previously worked for NASA and as a federal security contractor. “If everything is set up right, the cloud provides an important security baseline, but it’s hard to feel comfortable shutting down knowing that even in the best of times, there are issues with getting security right.”

Even before the shutdown, federal cybersecurity workers were being impacted by force reductions at agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which could hinder direction and coordination in digital defense across the government. CISA continued to reduce staff during the shutdown period as well.

In a statement, spokeswoman Marcy McCarthy said “CISA continues to execute its mission” but did not answer WIRED’s specific questions about how its work and digital defenses at other agencies were affected by the government shutdown, which she blamed on Democrats.

The government’s shift to the cloud over the past decade, as well as the growing interest in cybersecurity in recent years, provides important support for any disruption such as a shutdown. However, experts stress that the federal landscape is not homogeneous, and that some agencies have made more progress and are better equipped than others. Additionally, lost and neglected digital security work that accumulates during a shutdown will create a backlog when workers return, which can be difficult to overcome.