The partial shutdown of the US government may well end up damaging cybersecurity but perhaps not in the way most commonly thought.
The most common and understandable concern is that the country’s current ability to respond to an emergency in the cyber domain is hampered. This line of thinking rests on the belief that the United States is not operating at full strength and, therefore, its present capacity to cope with an emergency is diminished. Admittedly, the challenge with multiple players down is not to be underestimated: It is far from ideal to take and defend the field with an incomplete roster. Moreover, bad actors may be plotting how to seize advantage during this self-inflicted window of vulnerability.
Frankly, it is hard enough to ensure cybersecurity on a good day, when all hands are on deck. Having said that, there is some cause for confidence, despite prevailing circumstances. For example, from the standpoint of the Department of Homeland Security, over 80 percent of its flagship component responsible for cyber incidents — namely, the National Cybersecurity and Communications Integration Center, known as NCCIC — remains staffed. This should stand us in reasonably good (if imperfect) stead, should a crisis arise. For instance, US authorities engaged fully during the spate of DNS (domain name system) hijackings reported recently.
While that which is urgent may displace all else, by virtue of immediacy, it is critical to keep in mind the longer-term aspects of the shutdown: The tasks and consequences which are also truly important, but which are going undone or unaddressed. One such example would be vulnerability assessments, whose completion is suffering. Yet, leaving blind spots unidentified — and therefore unchecked — is obviously a suboptimal condition, which could have serious ramifications for our national security. By no means is this the only worry.
A relatively overlooked but deeply concerning knock-on effect of the shutdown, particularly as it wears on and multiple “paychecks” show a zero balance, is the potential thinning of the federal cybersecurity workforce.
Recruiting and retaining the best and brightest in government service in the area of cybersecurity has long been difficult. Openings even for critical positions requiring key skills have gone unfilled in the public sector, and generated substantial and ongoing concern about how best to grow the workforce in this area quickly and well, so as to meet the needs of government — and industry — and thereby serve the ends of both national and economic security. The gap between supply and demand is striking: 320,000 U.S. cyber jobs are open (as underscored recently by former cybersecurity advisor to the President, Rob Joyce, now senior cybersecurity advisor to the director of the National Security Agency). The companion figure worldwide is projected to reach 1 million by 2020.
A substantial conundrum (but certainly not the only one) for government is that the public sector is not in a position to offer salaries that are commensurate with those in the private sector. The good news is that this is not the only motivating factor at play. To the contrary, the opportunity to contribute to the mission has profound appeal to prospective public servants and incumbents. Indeed, the mission has always been the strongest “selling” point for government, and has long drawn extraordinary talent into the ranks of public service. The ability to contribute to the national interest — to serve one’s country and people, and to make a real difference and impact — is not to be underestimated and is, some would say, unparalleled.
However, those who have adopted this mindset are now faced with the reality that the custodians of the mission are placing it in question and jeopardy. With their animating factor held in check by others, and with no immediate end to the situation in sight, some of the very professionals that we should be valuing most are instead being given the opposite signal. Against this background, and caught in the bind of having (and wanting) to provide for themselves and their families in a stable way, some of the most highly skilled federal workers are now being given pause for thought. They are questioning the very thing that drew them into public service in the first place, and asking whether they may as well migrate into private industry with all that it has to offer in the way of tangible and concrete benefits.
The country can ill afford this situation, especially at a time when adversary nation-states are ramping up their investments in science and technology, with an eye toward gaining strategic advantage and shifting the balance of global power. While the United States continues to possess an extraordinary capacity to innovate and a deep reservoir of talent in the STEM (science, technology, engineering, and math)-related disciplines, we also stand apart when it comes to government shutdowns. Neither our friends and allies nor our foes find themselves where we do now.
Protecting the sanctity of the mission is tantamount to protecting and serving the national interest — which is the essence of governance and the most sacred and fundamental responsibility of the federal government. Put another way, retention of the cybersecurity workforce in the public sector is so much more than an “HR” issue. It is past time to recognize the gravity of that fact and act accordingly.
Frank J. Cilluffo is director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. Sharon L. Cardash is deputy director of the Institute’s Center for Cyber and Homeland Security.