Posted: January 15, 2019 by

As of this writing, the government shutdown of 2019 is the longest ever in America. Will the government's stable of cybersecurity talent be the next casualty—now and in the long run?

As of this writing, the government shutdown of 2019 is the longest ever in America. The only good news about this situation is that, with each passing day, a new group of people in the country seems to rediscover just how essential government services are, now that they’re unavailable.

The next likely casualty is the government’s stable of cybersecurity talent. Here’s why—and what it might mean for us in the long run.

How much government talent is furloughed?

Some of us might be surprised to learn the federal government has a workforce dedicated solely to cybersecurity. Many of these completely essential institutions and teams are now reduced to skeleton crews. This has the potential for long-lasting harm when it comes to the government’s ability to retain these specialists.

At time of writing, the Department of Homeland Security has furloughed 20 percent of its staff dedicated to “main cyber operations,” as well as administrative and supporting roles. But when you look at the entire cybersecurity apparatus of the federal government, the total potential loss of talent is far greater than the DHS alone. According to a planning document, 43 percent of the entire US cybersecurity workforce is currently furloughed.

Taking the top spot, however, is the National Institute of Standards and Technology, or NIST, with 85 percent of its staff furloughed.

This represents a danger today on a number of levels. But there’s a longer-lasting kind of harm, too, that few are talking about right now.

Will federal employees flock to the private sector?

Some of the more important staff and talent initiatives taken on during the Obama administration concerned the treatment, compensation, and benefits of federal employees and contractors. The goal was to make the public sector (the government) more competitive with the private sector. That’s how corporations retain talent, and it’s how the government can do so as well.

It’s no secret that job prospects for computer scientists, and cybersecurity specialists in particular, are rather cushy right now. Software developers enjoy a median income of more than $100,000 per year.

But now that the government is shut down, Washington, D.C. (and all of our state governments) will struggle even more not only to win talent over from the private sector, but keep it. With paychecks potentially off the table for a while, it’s becoming more likely that this already fragile situation will be pushed to the breaking point.

In an interview with the Washington Post, a former DHS cyber official named Greg Garcia explained the situation: “There’s unpredictability and uncertainty and instability [for DHS cyber employees],” he said. “Add on top of all that not getting paid, and I do not envy them.”

The problem here is one of morale. We have not been trying hard enough in recent years to maintain the government’s competitiveness with industry, and now we’re paying the price.

What does the future hold for cybersecurity talent at the federal level?

The bottom line with this government shutdown, just like with any other, is that sending your employees home without pay, and without a timetable for when their jobs and offices will be back up and running, is a bad way to do business.

What we’re likely to see is a “chilling effect” on the next generation or two of potential government employees. Holding these positions hostage in budget negotiations, positions for which applicants earned degrees and accreditation, is the equivalent of telling them the government isn’t an honorable employer and their talent isn’t valued—and that we don’t care if they take it elsewhere.

And there’s plenty of “elsewhere” for them out there, it turns out. In 2017, there were nearly 300,000 jobs available in the “cyber sciences.” That sounds like a lot of opportunities—but it will actually blossom into a full-blown talent shortage of 1.8 million jobs by 2022.

We don’t really want to be turning people off from this line of work—especially not when the stakes are so high. Moreover, it’s clear the government can’t afford to lose the talent it’s already brought together. There’s not going to be enough of it to go around before too long—and the priorities, arguably, should rest with national security.

Remembering the stakes

Barely a day goes by where we’re not reminded that, just as it has brought us closer together, Internet connectivity has also provided new tools for potential disruptive influences.

Reports are available now detailing the degree to which critical national infrastructure—such as our nuclear and other power plants, water treatment facilities, and electrical grids—are surprisingly vulnerable to domestic as well as foreign hacking attempts. This is a bright and wonderful age, but it’s clear that many of the systems we rely on for civilized living aren’t as safe as they’re supposed to be.

We should remember that even our voting machines are outdated and stand a good chance of being hacked or otherwise tampered with. But while public awareness of these issues has increased, furloughing and devaluing cyber talent at the federal and state levels is not a good way to drum up attention and support for such important issues.

Are there any foreseeable solutions to this problem?

The first solution involves remembering that the US Defense Department, even before the government was shut down, was already losing some 4,000 employees to the private sector every year, a sign that our government was already a dissatisfactory place to work. In point of fact, “dissatisfied” or “very dissatisfied” was how 20 percent of DHS employees described their jobs in a survey that made the rounds in 2018.

Even some of the most critical resources on the Internet have been taken offline by this shutdown. NIST maintains catalogs of government cybersecurity standards that are essential for maintaining webpage uptime and HTTPS certificates. With 85 percent of their staff sitting at home, security certificates will expire and websites will be taken down.

When resources like these are unavailable, the Internet becomes a manifestly less safe place to spend time. And that’s the last thing we want.