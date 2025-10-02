Most CISA staff are furloughed and key information sharing authorities have expired, leading to an auspicious start to "Cybersecurity Awareness Month."

The cyber community is on edge as “Cybersecurity Awareness Month” begins, with many government staff furloughed under the ongoing shutdown and key authorities now lapsed amid the funding impasse.

The Cybersecurity and Infrastructure Security Agency typically marks October’s awareness month with a range of public engagements and outreach campaigns. But under the ongoing government shutdown, CISA has furloughed nearly two-thirds of its staff and curtailed most public communication.

CISA is not actively managing its website under the shutdown. But the agency did establish a landing webpage for cybersecurity awareness month prior to the shutdown, detailing the campaign’s theme and linking to a toolkit.

CISA Director of Public Affairs Marci McCarthy said, “CISA remains fully committed to safeguarding the nation’s critical infrastructure,” as part of a statement.

“While a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions,” she said. “Yet Democrats’ refusal to act is forcing many of our frontline cybersecurity experts to work without pay even as nation-states intensify efforts to exploit Americans and critical systems – an unacceptable and unnecessary strain on our national defenses.”

CISA staff, like other federal employees, will receive backpay when the shutdown ends.

Last week, CISA directed federal agencies to immediately patch a critical Cisco vulnerability. During a call with reporters, Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, spoke about the agency’s shutdown preparations.

“In terms of any lapse in funding for the government, CISA has many of our threat hunters and other folks who are supporting this work as excepted employees who will continue to work if that happens,” Butera said.

Chris Cummiskey, a former state chief information officer and former chief management officer at DHS, said CISA typically retains enough employees to staff the agency’s watch floor, maintain technology that monitors federal networks for cyber threats, and collaborate with cyber defenders at other federal organizations, like U.S. Cyber Command.

But if a major cyber incident were to occur, CISA may not have enough staff immediately on hand to manage the event.

“A key concern is, do you need to start recalling people?” Cummiskey said. “You probably wouldn’t have the onsite capacity to cover a major exploit without the additional help.”

In addition to the shutdown, key privacy and liability protections under the Cybersecurity Information Sharing Act of 2015 expired on Sept. 30. Those protections had been pivotal to encouraging the private companies to share cyber threat data with each other and with government agencies, including CISA.

Cyber experts say companies may be more hesitant to share information about new cyber threats and vulnerabilities without the statute’s protections.

Michael Daniel, former White House cyber coordinator and president and chief executive of the Cyber Threat Alliance, said companies are unlikely to change their information-sharing practices during a short-term lapse. “The real issues will emerge if the lapse becomes long term,” he said.

Still, Daniel said companies will recognize that sharing is riskier without CISA 2015’s protections.

“It increases the risk that a company might be sued and held liable for sharing information that should have been protected, that the government will have to disclose shared information under a FOIA request,” Daniel said. “The lapse removes the protection from anti-trust laws for companies sharing with each other, so it increases the risk that collaboration on cyber threat intelligence could someday be considered collusion.”

Even when companies decide to share information, it will likely be slowed down by legal reviews.

“Without those protections, decisions get routed back through legal bottlenecks, slowing or discouraging the very real-time collaboration that makes a difference in fast-moving cyberattacks,” Cassandra Maldini, vice president of privacy and AI governance at Securiti, explained.

Gary Barlet, former CIO at the U.S. Postal Service Office of the Inspector General, predicted there would be an uptick in cyber attacks due to the law’s expiration, as hackers exploit gaps in the sharing of both cyber threat indicators and defensive measures.

“They’re going to think that we can get away with it, because there’s not as many eyeballs watching, that are putting the picture together,” Barlet told Federal News Network.

In a blog, Venable experts provided points for organizations to consider in the absence of CISA 2015’s protections, including whether information shared with the government could be released under public records laws.

“Such sharing remains possible, and can and should continue to ensure visibility into emerging threats,” they wrote. “Doing so will require new agreements and additional legal review.”

The House passed a “clean” continuing resolution would have extended the CISA 2015 authorities until mid-November. But the Senate has yet to agree to any funding agreement or CISA 2015 extension.

Cynthia Kaiser, a former FBI cyber leader and now the senior vice president of Halcyon’s Ransomware Research Center, said the hope is that some sort of renewal of the law is part of a bill to reopen the government.

“This might mean a clean reauthorization to start, to give Congress time to make positive edits,” Kaiser said. “It could also mean a version that includes common sense edits, possibly ranging from clarifying the law’s liability and privilege protections, to protecting the civil liberties of people whose data may be shared under the law, to clarifying which federal agencies are accountable for receiving and actioning the information reported to the U.S. government under the law.”

