With scant information coming from the Department of Homeland Security, it’s difficult to say how the ongoing shutdown is impacting its ability to carry out cyber security missions, according to a former senior department official.

It’s unknown how many staff and contractors and the specific activities they perform are affected by the shutdown, Suzanne Spaulding, who ran what is now the Cybersecurity and Infrastructure Protection Agency (CISA) during part of the Obama administration, said in answers to questions posed by the Center for Strategic and International Studies think tank released on Tuesday.

Suzanne Spaulding, senior advisor for Homeland Security and International Programs at CSIS. Photo: CSIS

In December, just before funding for DHS lapsed, the department issued furlough guidance. For CISA, which used to be known as the National Protection and Programs Directorate (NPPD), about 43 percent of its workforce was slated for furlough, Spaulding pointed out.

CISA is responsible for cyber security and physical security missions for DHS, and it also hires contractors to help with operations. Spaulding believes the furloughs are hitting non-cyber positions harder.

“Based on my experience as the under secretary for CISA’s predecessor entity during previous shutdowns, it’s likely that a greater percentage of non-cyber experts were furloughed because their work, while vitally important, is less clearly tied to imminent threats,” she said in CSIS’ “Critical Questions.” Spaulding is a senior adviser with CSIS.

She highlights that CISA also uses contractors for its cyber mission but that the DHS guidance on the shutdown doesn’t mention the impact of the funding lapse on the contractor workforce.

“So, it’s possible that significantly more than 43 percent of the overall cyber workforce is furloughed once you account for the contract workers,” she said. “We don’t know.”

Spaulding also said, “We don’t know,” in response to a question about the activities that aren’t being performed during the shutdown.

Programs that monitor federal information technology networks are probably “still being monitored” to meet legal requirements, but there is likely diminished capacity to respond to cyber incidents, she said.

What’s not getting done?

Spaulding said work related to operationalizing CISA, securing elections with state and local officials, helping owners and operators patch vulnerabilities in critical infrastructures, work with international partners to prepare for incidents, interagency coordination, work to secure the federal IT supply chain, recruitment of personnel for cyber work, and “work to identify and help secure much of the most critical functions in the private sector and government,” is some of what isn’t being done.

Routine work such as ensuring security certificates are up to date and government agencies is also not being done, Spaulding said.

Once DHS begins to received appropriations again, Spaulding said it will take time for cyber operations to get back to normal. The blow to morale is significant and it will take time to restart suspended contracts, she said.

For smaller contractors that may have had to lay off workers during the shutdown, it could be weeks or months before they are back on their feet in terms of supporting DHS, she said.

“And that assumes the smaller contractors were able to survive without income for the duration of the shutdown,” she said.