Feds Face Infosec Challenges in ShutdownDetails of the Impact on IT Security is Shrouded in Secrecy
As many as 800,000 federal employees could be furloughed, according to a White House estimate, but no one knows the number of IT systems and websites to be suspended at federal healthcare agencies and other governmental units should Congress fail to fund the government after midnight Friday. The government said many public-facing government websites would be shuttered if a shutdown occurs. And, many furloughed employees would be asked to surrender their government-issued BlackBerries and other devices. But the Office of Management and Budget has indicated that Medicare and Medicaid would continue to operate, at least for the time being, according to media reports.
Each cabinet department and agency, including HHS, has its own contingency plan on what personnel and systems to maintain and which employees to furlough and computer systems to suspend during a government shutdown.
Government overseers of information technology and cybersecurity provided few details as to the impact of a government shutdown on IT security. The Office of Management and Budget didn't respond to requests to be interviewed on the subject. The Department of Homeland Security, the agency responsible for civilian agency cybersecurity, declined to offer an official to be interviewed on the shutdown, but earlier in the week issued the following statement:
"As a matter of course, DHS plans for contingencies. In fact, since 1980, all agencies and departments have had to have a plan in case of a government shutdown, and these plans are updated routinely. All of this is beside the point since, as the bipartisan congressional leadership has said on a number of occasions and as the president has made clear, no one anticipates or wants a government shutdown." In concert, other government agencies issued nearly identically worded statements.
Despite the optimistic wording of the statements that no one anticipates or wants a shutdown, as the weekend approached, no deal had been struck between the White House and Congress and Democrats and Republicans on a spending plan to keep government functioning for the remainder of fiscal year 2011, which ends Sept. 30.
Karen Evans, who served as the top IT official in the George W. Bush White House, understands the reluctance of the government in providing details on the IT impact of a government shutdown. The fact that the world knows of a potential shutdown alerts the government's adversaries that the defense of federal IT systems might be weakened as fewer employees would be on hand to defend government computers and networks. "Because there are not enough people watching as there was before, the risk profile will be higher if there's a government shutdown," says Evans, national director of U.S. Cyberchallenge.
Evans, who in the last government shutdown in 1995 served as an IT director at the Justice Department, recalls that non-furloughed employees had to perform not only their jobs by those of furloughed employees. "You had to multitask because you had a skeleton staff," she says.
Former Interior Department Chief Information Officer W Hord Tipton also believes a government shutdown could weaken IT defenses. He cites recent cyber incidents such as breaches at security maker RSA (see 'Tricked' RSA Worker Opened Backdoor to APT Attack)and online marketer Epsilon (see Epsilon: Biggest Breach Ever?) that occurred when their IT security operations were fully staffed. "When we put ourselves in state of chaos like this, and this is what it will be, think of the opportunities for striking through the APTs (advanced persistent threats), they can pick and choose the targets with much less security behind them," says Tipton, executive director of the IT certification and education organization (ISC)2.
Tipton recalls that during the 1995 government shutdown, only 15 percent of Interior's workforce was deemed essential. "It was almost like a ghost town in many places," he says. Today, he guesses that percentage could climb to 25 percent or more because of the critical role IT plays in government operations.
Many government workers see their work as vital, and the challenge many government managers face is informing subordinates that their positions are deemed as nonessential. "The technology is the easy part; policy is hard," Evans says.
Technically, shutting down a computer system isn't hard. Tipton estimates it should take about two days, on average, to turn off computer systems deemed nonessential. That was his experience in 2002, when as an Interior Department IT leader, he oversaw the powering down of some computer systems ordered closed by a judge.
But unlike 2002 - and especially 1995 - IT is much more pervasive and crucial to the functioning of government in 2011. And, Tipton says, systems and websites deemed nonessential might contain components that are vital for government operations. Many government systems are interconnected, and taking computers down that are deemed nonessential could have an impact on those that are judged crucial.
And both former government CIOs say powering up computers after a shutdown will take longer than powering them down.