Photo: A demonstrator holds a 'Stop The Shutdown' sign during a rally with union members and federal employees to end the partial government shutdown outside the White House in Washington, D.C. (Andrew Harrer | Bloomberg | Getty Images)

The partial government shutdown is quickly turning into a nightmare scenario for the country's cybersecurity functions, often in unexpected ways. Even after Congress ultimately reaches a deal to end the shutdown, these negative effects could last far into the future.

Close to half of the employees within the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA — which works to help secure the nation's critical infrastructure industries, such as banking, water, energy and nuclear — are furloughed. Eighty-five percent of the National Institute of Standards and Technology workers have been furloughed as well, and these are the employees who help private- and public-sector companies stay up to date on the latest cyberattacks and mitigation techniques.

The shutdown is also contributing to an already stark brain drain of cybersecurity talent, creating new, possibly disgruntled insider threats and ushering in a huge backlog of unchecked and needed security updates. Here are a few of the ways the lack of government funding is grinding down America's cybersecurity readiness.

Basic maintenance on hold

"CISA coordinates all cybersecurity efforts between the government and its private partners, ensuring both are properly trained and prepared to handle potential cyberattacks," explains Jon Murphy, leader of the cybersecurity practice at consulting firm Alliantgroup. "The absent employees could mean that various US government agencies' computer systems might go without needed security updates and possibly lack the ability to detect newer intrusions/attacks timely."

Even cybersecurity functions that are deemed "essential," including those that deal with active defense of nuclear systems and other critical functions, are suffering because of a lack of incoming information and assistance from other government agencies.

"The government shutdown is raising new and alarming concerns as routine website maintenance is essentially furloughed," said Mike O'Malley, VP of strategy at Radware. "Because almost all 'routine' maintenance includes a level of security patching along with human touchpoints, we have laid out the welcome mat to any and all nefarious actors," he said. "Unfortunately, we know all too well from experience that hackers, especially nation-state sponsored, have a high level of patience and are willing to lie in wait for the most opportune moment."

One basic maintenance task often filled by entry-level employees is monitoring websites for expired security certificates. Because of the shutdown, more than 80 such certificates have expired across agencies such as NASA and the Department of Justice, according to research from cybersecurity company Tripwire.

The certificates in question are "TLS," or "transport layer security," certificates, which are part of what secures websites that use HTTPS. This is the protocol that encrypts data being transferred over the internet, including your emails, web browsing history and the secure documents you send. It's extremely important.

When certificates expire, websites become more susceptible to having encryption broken, opening a way for hackers to read information in transit. The frequent pop-ups also provide another opportunity for fraudsters to create phony links that transmit malware.

"In addition to expired HTTPS certificates, with federal workers furloughed, it is likely that computer systems of several government agencies did not receive the January 2019 Microsoft patches and will soon miss updates from Oracle and other vendors," said Craig Young, a security specialist with Tripwire's research team.

Young said he expects these weaknesses could lead to attacks from nation-states such as Russia, which has developed malware that can be implanted on routers — malware that "is perfect for surreptitiously hijacking HTTPS connections to US government web sites." What this all means is that while the shutdown may only last weeks, malware may be implanted that lasts long past any time when a congressional deal is finally reached.

The people problem