A government shutdown is a cybersecurity time bomb

Among a government The shutdown, which has lasted more than five weeks, the US Congressional Budget Office said on Thursday that it was recently hacked and was taking action to contain the breach. The CBO provides nonpartisan financial and economic data to lawmakers, and the Washington Post reported that the agency had been infiltrated by a “suspicious foreign actor.”

CBO spokeswoman Caitlin Emma told WIRED in a statement that it has “implemented additional monitoring and new security controls to further protect the agency’s systems” and that “CBO occasionally encounters threats to its network and continuously monitors to address these threats.” But it did not respond to WIRED’s questions about whether the government shutdown has affected technical personnel or cybersecurity-related work at the CBO.

With growing instability in the Supplemental Nutrition Assistance Program (SNAP) leaving Americans hungry, air traffic control personnel shortages disrupting flights, financial ruin for federal workers, and growing operational shortfalls at the Social Security Administration, the shutdown is increasingly affecting every corner of the United States. But researchers, current and former government employees, and federal technology experts warn that gaps in essential activities during a blackout — things like system patching, activity monitoring and device management — could have real impacts on federal defense, both now and for years to come.

“Many federal digital systems still run in the cloud throughout the blackout, even if the office is empty,” says Safi Majidi, a veteran cybersecurity researcher who previously worked for NASA and as a federal security contractor. “If everything is set up correctly, then the cloud provides an important foundation of security, but it’s hard to be comfortable during an outage, because even in the best of times there are problems getting security right.”

Even before the shutdown, federal cybersecurity workers were affected by cuts at agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — potentially hampering the direction and coordination of digital defenses across the government. And CISA has continued to cut staff during the shutdown as well.

“CISA continues to carry out its mission,” spokeswoman Marcy McCarthy said in a statement, but did not respond to WIRED’s specific questions about how its digital defense work at other agencies has been affected by the government shutdown, which she blamed on Democrats.

Government’s move to the cloud over the past decade, as well as increased attention to cybersecurity in recent years, provide important support for a disruption such as a blackout. However, experts stress that the federal landscape is not uniform and that some agencies are more advanced and better equipped than others. In addition, the missed and neglected digital security work that accumulates during the shutdown creates a backlog that is difficult to overcome when workers return.