More than a month into a partial federal government shutdown, questions are starting to arise whether states and local governments, which rely on the U.S. Department of Homeland Security for monitoring and intelligence about potential cyberattacks against their networks, are still getting those crucial updates. State governments get routine alerts from DHS’s Cybersecurity and Infrastructure Security Agency, or CISA, about threats against systems related to elections, the energy grid and other critical government functions.
With DHS currently unfunded, CISA is currently staffed only by unpaid “essential” employees, but little is known about what parts of the cybersecurity mission are being carried out, including information sharing with state and local governments.
“We don’t know,” which cybersecurity activities are being conducted during the shutdown, Suzanne Spaulding, a homeland security adviser at the Center for Strategic and International Studies and a top DHS cybersecurity official in the Obama administration, wrote Tuesday. Spaulding listed several functions that she believes are not being addressed currently, including work on election security and critical infrastructure.
State and local officials say they are still getting updates for now.
“We have not seen much impact in cybersecurity coordination with [the] federal shutdown,” Suneel Cherukuri, the chief information security officer for Washington, D.C., told StateScoop. “We have been receiving all reports and cybersecurity intelligence data as usual.”
But, Cherukuri added, “I am not sure how long that will continue considering we are up to 33 days with this shutdown.”
Spaulding, who led CISA’s predecessor, wrote that while essential cybersecurity work necessary to prevent danger to lives and property is ongoing, the agency is likely short-staffed.
“There is some capacity for responding to a cyber incident, although probably not at full strength,” she wrote.
State and local officials have nongovernmental intermediaries for cybersecurity assistance, though, including the Multi-State and Election Infrastructure Information Sharing and Analysis Centers, both of which are run out of the nonprofit Center for Internet Security in East Greenbush, New York. Both the MS-ISAC, which includes all 50 states plus hundreds of local governments, and the EI-ISAC, which includes more than 1,000 state and local entities responsible for conducting elections, have continued to push out security updates to their memberships over the course of the shutdown.
Still, Spaulding’s assessment, particularly regarding voting security efforts, lands at a time when many states are boosting how much money they spend on cybersecurity assets to protect elections. Some states, including New Jersey, California and New York, are building new offices dedicated explicitly to election cybersecurity. Other states, like Idaho, are recruiting full-time cybersecurity specialists to their boards of elections or offices of their secretaries of state.
In many cases, the new offices and positions are funded in large part by grants states received last year from the federal Elections Assistance Commission. The EAC, which is responsible for helping states improve their election systems, is also closed during the shutdown.