The US Federal government is in the midst of the longest gap in funding for many of its agencies in history. As the "shutdown" extends into a second month, the economic impact is mounting for federal workers—including civil servants and government contractors working in IT and information security roles for the government—as well as the communities they work and live in.

Furloughs have had a real impact on the government's security posture as well. Work at the National Institutes of Standards and Technology on a number of initiatives, including work on encryption, has been suspended. Some "non-essential" agencies have had to furlough security teams, leaving them with no way to respond to incidents during the shutdown. Routine maintenance on IT systems, such as patches and updates to websites and server operating systems, are being deferred. And those still at work at agencies operating without a budget are doing so without pay and under financial duress—not exactly an ideal situation for maintaining a top security posture.

"I saw something a few days ago where 100-odd government SSL certs were expiring," said Chris Eng, Vice President of Research at the software security firm Veracode. "There's a lot of this sort of ongoing work that's not even the high-pressure instant response stuff that's not being done. Imagine if something like a Heartbleed came out tomorrow—what is going to be the capability of government agencies to respond to that when they're operating on a skeleton crew?"

But the real damage to the government may be waiting in the wings. Several furloughed federal workers in information security who spoke to Ars this week said that they are now actively seeking jobs in the private sector out of necessity. A number of private companies recruiting talent in the field have seen a spike in job applications from people in government service. And even if the shutdown were to end this week—which doesn't seem likely—some government IT leaders expressed concern that workers would come back to collect their back pay and then resign. And for contractors who have no guarantee of regaining lost wages, the math is even more vicious.

"Government salaries and benefits for technical employees are already no match for those offered by private-sector firms," said Justin Sherman, Cybersecurity Policy Fellow at New America, a Washington, DC, think tank. "As the shutdown continues and employees are left without pay for a longer and longer period of time, private-sector jobs are going to be more appealing to technology-focused government workers and will undoubtedly cause some to leave the government for industry work, even if just due to a temporary need for income." And since pay in the private sector is better in general, recruiting new talent to replace departing workers will likely be more difficult, Sherman added.

There are some numbers to back up these concerns. A recent survey by ZipRecruiter of 2,000 furloughed federal workers found that 67 percent were considering leaving their government jobs to seek work in the private sector. Fewer than 30 percent felt that the shutdown would end within the next 30 days, and 90 percent expected significant financial hardship.

Talent shortage

The government already has a major talent shortage in information security. After decades of contracting out central information technology roles, much of the expertise in some agencies comes from outside contractors. Internal positions have gone unfilled at many agencies over the past few years—a trend that didn't get any help from President Donald Trump's 2017 federal hiring freeze.

As a result of both the constant demand for new information-security staff and the uncertainties of government employment over the past two years, some of the open information-security positions at the Department of Homeland Security have been posted for over a year. And many of the jobs in information security (and nearly all at DHS) require security clearances of Secret or Top Secret—significantly narrowing the potential recruit pool and lengthening the pipeline for filling them.

The demographics of the government service are not exactly stacked in the government's favor, either. The median age of government employees across all agencies is 48 years, with a quarter of federal employees over the age of 55 and poised for retirement. Many within range of retirement may opt to leave early for the private sector, sacrificing bigger pensions for larger current paychecks—creating an even bigger vacuum to fill.

One federal IT professional said in a tweet, "We already have a ton of open spots... those won't get filled either. If you think things are bad now, it'll be catastrophic by June. Add to the list anybody near or at retirement or those who are in service and have vested retirement (3 years)."

For those who don't jump ship, there's cruel irony: crimping the finances of information-security professionals in government could put them in debt positions that threaten their security clearances.