The current federal government shutdown, the longest in United States history, is in its fourth week, with no clear path to resolution. With 800,000 federal employees on full or partial leave as a result, cybersecurity experts raised an early alarm about how the shutdown would impact US cybersecurity. Those early concerns have since compounded and evolved into a mounting crisis.

Most intelligence and law enforcement work is continuing during the shutdown, because the Department of Defense already has its funding established for 2019. And a large number of critical federal employees outside of DoD are being asked to report to work uncompensated until they can receive backpay. But crucially, from a cybersecurity perspective, organizations within the Department of Homeland Security—including the new Cybersecurity and Infrastructure Security Agency, launched in November—are operating with a skeleton crew.

"The problems are growing as the shutdown continues." Carlos Perez, TrustedSec

The lack of resources has stoked fears that sophisticated hackers may use the shutdown as an opportunity to infiltrate inconspicuous, backwater federal networks, which they could then use as a launchpad to penetrate more valuable government targets. As the shutdown persists, attackers have had weeks, instead of just hours or days, to make their moves. They could be carrying out entire operations, or laying malicious infrastructure for future assaults.

That may sound extreme, but less so when you consider how many probes and attempted intrusions the US government defends against every day—and how many times motivated hackers have successfully penetrated those defenses. And that's when everything's operating at full capacity.

"The problems are growing as the shutdown continues," says Carlos Perez, head of research and development at the IT security firm TrustedSec. "My friends in the government say their biggest worry is that other states or other actors are going to up their tempo while there are fewer people to watch the systems. But what worries me the most is the loss of knowledge capital because of this shutdown—there are a lot of résumés going out right now."

Which leads to another unfortunate consequence of the shutdown. The federal government already struggles to compete with private industry on recruiting cybersecurity practitioners with diverse specialities. The shutdown could make government work an even tougher sell. "If it continues for much longer, it’ll create lots of problems," says Ang Cui, CEO of the embedded security firm Red Balloon. "Furloughs are great recruiting opportunities for companies like Red Balloon, though."

It's also not just law enforcement that's affected. Eighty-five percent of employees at the National Institute of Standards and Technology are also furloughed. And while NIST is a standards body, not a threat detection organization, it still plays a vital role in ensuring that developers all over the world implement encryption schemes correctly and securely. The shutdown interruption means that NIST's website is down, and by extension the documentation and other resources it provides are all unavailable.

"It means the private sector can’t get work done," says Matthew Green, a cryptographer at Johns Hopkins University. For example, many companies that implement encryption schemes for financial transactions need to have their systems evaluated under the Federal Information Processing Standard to ensure there aren't any errors in such high-stakes code. "If people can’t get standards, they could make mistakes," Green says.

LEARN MORE The WIRED Guide to Data Breaches

Meanwhile, daily security IT maintenance is breaking down. Many government websites have had their HTTPS encryption certificates expire during the shutdown, exposing them to potential snooping or even impersonator sites. And with most IT staff staying home, it seems unlikely that software patches and upgrades are being installed at their regular clip, potentially leaving them exposed to malware they'd otherwise be protected against. Events like DHS’s annual Cybersecurity and Innovation Showcase, where the agency examines new cybersecurity technologies for potential purchase, have also been canceled.

Whenever the shutdown ends, IT managers and cybersecurity analysts will have to dig out from weeks of systems logs and automated threat alert data while also attempting to resume full operations. The bigger the backlog, the harder it will be to catch up.