Government Shutdown Puts US Cybersecurity at Risk

CISA staff cuts and an expired cyber law leave defenses weakened

The US federal government shut down this past Wednesday, October 1, at 12:01 AM ET. During a government shutdown, essential services related to national security, such as law enforcement, medical care, air traffic control, and disaster aid, continue operating. However, even though they may be essential, these services are still subject to disruptions.

Some agencies furlough non-essential employees (meaning they don’t work or get paid) while essential employees must work without pay. Typically, Congress has approved retroactive pay for these employees upon reopening, but these situations certainly impact federal workers and their families.

Let’s take a look at the shutdown’s impact on CISA, the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security (DHS).

CISA is responsible for protecting critical infrastructure from both cyber and physical threats. This includes things like power grids, transportation systems, financial systems, healthcare, and elections.

Sound important? CISA’s mission spans cybersecurity risk assessments, threat intelligence sharing with private companies and state and local governments, helping private companies secure their systems, and responding to major hacks when they do occur.

As of May 31, 2025, CISA had 2,540 employees. In a DHS document published only a couple of days before the shutdown titled Procedures Relating to a Lapse in Appropriations, CISA estimates that only 889 of these 2,540 will remain working during the shutdown. That’s only 35% of CISA’s workforce.

Making matters worse, the Cybersecurity Information Sharing Act of 2015 — the law that gave companies legal cover to share hacking threats with the government and with each other — hit its built-in expiration date at the end of September.

That protection mattered. It reassured companies that if they flagged an attack or swapped intelligence with CISA, they wouldn’t get sued for breaching contracts, privacy rules, or antitrust laws. With that shield gone, many corporate lawyers are now telling their security teams to keep quiet until Congress renews it.

Lawmakers on both sides of the aisle and the White House agreed it should be extended, and it was even baked into the budget bill meant to avoid the shutdown. However, when that larger deal collapsed, so did these liability protections. The law still covers anything companies shared before the deadline, but fresh cooperation is suddenly a lot riskier.

According to The Washington Post (Apple News+), some corporate legal departments are advising companies to refrain from continuing previous information-sharing practices given CISA 2015’s expiration. “The lapse of CISA 2015 could effectively turn the lights out on U.S. cyber intelligence from companies that have been, or are being, attacked,” Hugh Thompson, executive chairman of the RSA security conference, told the Post. “This breakdown of ‘collective defense’ would weaken domestic cybersecurity.”

It’s no secret that critical US networks and businesses are continuously targeted by both private hackers and foreign governments like China, Russia, Iran, and North Korea. Just recently, the US Secret Service discovered a sophisticated network of equipment capable of jamming NYC cell towers at the time of the United Nations General Debate. Without CISA operating at capacity and the legal protections afforded to private companies by CISA 2015, the government and business alike are operating in the dark during a perilous time.
