For federal cyber-security workers, the options at this time are bleak. A few are being told that they’re required to continue to work during the current government shutdown that began on Dec. 21, 2018, but they won’t be paid for that work until the government resumes operation and maybe not even then.
Meanwhile, the majority of federal workers involved with cyber-security have been told that their work isn’t essential and they’ve been furloughed without pay. Contractors supporting federal cyber-security functions aren’t being paid either, and in many cases their employers have had layoffs, and in other cases they’ve simply been fired.
All of this is happening because of a dysfunctional relationship between Congress and the White House in which the president is holding nearly 1 million workers hostage because of a funding dispute over a wall on the U.S. southern border that would be built in areas where a wall already exists.
As you might expect, the impact of this fight is devastating for federal IT workers. Already a group that receives relatively low pay in the IT field, those workers are now being punished for something over which they have no control, in a fight that has nothing to do with them. Morale in the federal IT and cyber-security fields is already low, and as the fight drags on, it’s getting lower.
Opportunity for the Private Sector
This is where there’s opportunity for the private sector. Considering the difficulty private industry has had recruiting skilled, experienced workers for IT and security jobs, there’s suddenly a pool of thousands of those who meet the experience, training and work requirements nearly every company would want. As a bonus, many of them have very high—and very hard-to-get—top-level security clearances. In addition, their salary histories are somewhat depressed and their benefits packages haven’t kept pace with current practices.
While some of those workers may not want to leave the government right now, the longer the shutdown goes on, the more likely they are to be interested. Ultimately, even if they’ve saved for the possibility of a shutdown, they’re now experiencing the longest one in history. They need to pay their mortgages, and they need to buy groceries. Even after the shutdown is over, they will have been damaged by it.
But the risks are there, too. The way the law is written regarding shutdowns, the only activities that the government can conduct without appropriated funding are those that are necessary for the preservation of life and property. This means that the federal security employees who are still working, albeit without pay, are the bare minimum needed to protect existing federal data systems.
For example, about half of the cyber-security workers at the new Cybersecurity and Infrastructure Security Agency (CISA) that started up in November 2018 have been furloughed. About 85 percent of those at NIST, the national standards organization, have been furloughed. Nearly half of the Department of Homeland Security intelligence and security teams have been furloughed. About 85 percent of the National Protection and Programs Directorate, which includes US-CERT, are furloughed.
This means that you won’t be getting alerts about pending cyber-attacks, and federally sponsored information sharing won’t be taking place. In short, most of the functions in which the federal cyber-security infrastructure provides help to private industry and critical infrastructure are currently either closed or operating on such a reduced level that they might as well be.
Contractors May Be Worse Off Than Employees
If you think this sounds bad, the reality is worse. Many of the day-to-day operations of these federal agencies are actually performed by government contractors rather than government employees. Those contractors are frequently the people with very high skill levels in specific areas, but because of some arcane rules of federal employment, they can’t easily be hired as employees.
Those contractors are mostly already out of work, unless their employer has other non-federal contracts that require staffing. Either way, they’re not available to the federal government even when the current fight is over and funding is restored. Those workers who have been laid off or fired are in possession of the skills (and the security clearances I mentioned earlier) and probably didn’t have to wait long at all to find other employment.
Here in the Washington, D.C., area, the situation is particularly troubling if you’re a federal manager who wants to hang on to your IT employees. With the new Amazon HQ2 going in directly across the Potomac River from Washington, the demand for skilled IT and security workers will only grow, and the attractiveness of federal employment will only shrink.
Worse, without the critical information previously provided by the federal government, the problem for IT departments will get dangerous. In addition, bad actors are already aware of the new levels of weakness in the federal cyber-security infrastructure and are already doing everything they can to take advantage of it.
What Enterprises Should Consider
While federal agencies can’t really do anything about the growing security risks as their elected officials founder, private industry can. This means it’s important that your organization do what it can to protect itself and where possible to replace the functions formerly provided by federal agencies with private ones. The first step is to find and hire the best of those furloughed and unpaid federal cyber-security workers, put them in a position where they don’t have to worry about being furloughed on a whim, and allow them to use their talents to the best of their abilities.
Many of those people are the very best in their fields. They should be recognized and compensated accordingly. You’d be doing a public service while helping your own organization.