A shutdown of the Department of Homeland Security (DHS) could leave federal and private networks more vulnerable to cyberattacks, former officials say.
With Congress at a stalemate over DHS funding, the odds are growing that the department and its affiliated agencies will be without funding after Feb. 27 and forced to furlough thousands of employees who aren’t deemed “essential.”
“This is no way to run anything,” said Jane Holl Lutte, who was DHS deputy secretary from 2009 to 2013. “DHS cannot play the leadership role it needs to play if it’s wondering where the next dollar is coming from.”
The DHS was the only agency not included in an overarching “cromnibus” budget passed in December. The department is being funded through a continuing resolution that runs out at the end of the month.
Former department officials say the uncertainty over funding is hurting programs that monitor federal networks, provide cybersecurity tools to federal agencies and share information with companies to bolster private sector cyber defenses. A shutdown would only exacerbate the situation, they say.
The role of DHS in cybersecurity has grown steadily in recent years, with the White House and lawmakers pushing the department to the center of the government’s domestic response.
Several bills passed late last year codified and bolstered the agency’s cyber jurisdiction. The White House is also planning to reveal an executive action on Feb. 13 that will give the DHS a greater role in protecting private networks.
“I think the department is in as strong a position as it has been in a long time to actually occupy the space with authority,” said Christopher Cummiskey, a former acting under secretary for management at DHS in 2014 who oversaw a number of the agency’s cyber efforts. “Now it’s time to deliver.”
But it will be hard to deliver without stable funding, Cummiskey said. The DHS, like much of the government, has struggled with budget certainty since the 2013 government shutdown, with Congress opting to provide funding in a series of continuing resolutions that leave spending on autopilot.
“You’re going month-by-month,” said Michael Brown, a former director of cybersecurity coordination for DHS. “You can’t really add strategically.”
For years, former officials said lawmakers viewed the DHS budget as a “must pass” item, similar to the bill that funds the Defense Department.
“People thought this is an important national security mission and we shouldn’t play games with the budget or with the authorization,” said Stewart Baker, a former DHS assistant secretary for policy.
But this year’s DHS funding measure has been swept up in the clash over President Obama’s executive actions on immigration.
Republicans are trying to use the DHS bill to block funding for Obama’s immigration programs. Democrats, meanwhile, are demanding a “clean” bill without policy changes, and have repeatedly blocked DHS legislation in the Senate.
“There’s no clear path to a budget resolution at this point,” Cummiskey said. “It makes me nervous about hitting on performance and schedule” for cyber efforts.
While the DHS cyber programs would continue to operate in a shutdown, the funding lapse could have long-term ramifications, former officials said. Even another stopgap funding measure could hurt the programs’ effectiveness, they argue.
“Even if nothing happens, you’ve lost a month, a month-and-a-half of skilled budgeters’ time that puts you back even further,” said Chet Lunner, a former deputy undersecretary in the DHS Office of Intelligence and Analysis.
Homeland Security has spent a decade working on a real-time government network intrusion detection system, dubbed “Einstein.” But the agency has struggled to stick to a long-term strategy for expanding that system to monitor all government network traffic.
“We’re distracting the department, we’re disabling its efforts at the very moment when we should be strengthening them,” Lutte said.
Another program, Continuous Diagnostics and Mitigation (CDM), is meant to help agencies assess the security of their own networks and provide cybersecurity tools to help patch flaws.
Cummiskey estimates that the CDM program is already a few months behind schedule because of the last continuing resolution. Another temporary funding bill or shutdown could push back CDM’s schedule another six to nine months, he said.
“When you have the kind of uncertainty that’s brought out by either one or a series of resolutions, that makes it tough over time,” Cummiskey said.
Delays in either programs mean agencies will have to wait longer for cybersecurity tools, network monitoring and network security analysis, leaving them more exposed to cyberattacks in the meantime.
An array of government agencies, ranging from the U.S. Postal Service to the State Department to the White House, suffered hacks in 2014. Lawmakers have pushed to take action, but are divided on the path forward for a cybersecurity bill.
The White House has stepped into the fray, issuing a slate of cybersecurity legislative proposals. One of the administration’s offerings would put the DHS cybersecurity information-sharing hub — the National Cybersecurity Communications Integration Center (NCCIC) — at the center of a public-private cyber threat data exchange program.
Perhaps in an attempt to make the proposal more attractive, the White House is set to unveil on Friday an executive action to streamline the complex process through which the private sector can share cybersecurity information with the NCCIC.
If DHS is forced to shutter or continues to rely on short-term funding, the White House executive action could be difficult to carry out.
“That’s going to take people, that’s going to take funding, that’s going to take resources at the top level,” Brown said. “Without an approved budget, without approval from the Hill to be able to conduct those missions, they’re going to be hampered from being fully effective.”
And NCCIC itself would be diminished in a shutdown.
“What [a shutdown] does is limit the people you would have on the floor in the event an incident takes place,” said Howard Schmidt, a former White House cybersecurity coordinator.
The result is a government and nation more exposed to cyberattacks, former officials argue.
“Of course we’re increasing our vulnerability,” Lutte said. “The funding environment that DHS is being forced to operate in . . . it’s simply unacceptable.”