Feds Face Infosec Challenges in Shutdown Last-Minute Deal Among Obama, Congress Averts Shutdown
Defining essential federal information systems to keep operating during a partial government shutdown could have proved more complex than defining essential federal workers not to furlough.

But that challenge became moot as President Obama and Congress reached an 11th-hour budget deal shortly before midnight Friday to avert a government shutdown.

As many as 800,000 federal employees could have been furloughed, according to a White House estimate, but no one knew the number of IT systems and websites to be suspended should Congress have failed to fund the government after midnight Friday. The government said many public-facing government websites would have been shuttered if a shutdown occured. And, many furloughed employees would have been asked to surrender their government-issued BlackBerries and other devices.

Each cabinet department and agency has its own contingency plan on what personnel and systems to maintain and which employees to furlough and computer systems to suspend during a government shutdown.

Government overseers of information technology and cybersecurity provided few details as to the impact of a government shutdown on IT security as the deadline loomed The Office of Management and Budget didn't respond to requests to be interviewed on the subject. The Department of Homeland Security, the agency responsible for civilian agency cybersecurity, declined to offer an official to be interviewed on the shutdown, but earlier in the week issued the following statement:

"As a matter of course, DHS plans for contingencies. In fact, since 1980, all agencies and departments have had to have a plan in case of a government shutdown, and these plans are updated routinely. All of this is beside the point since, as the bipartisan congressional leadership has said on a number of occasions and as the president has made clear, no one anticipates or wants a government shutdown." In concert, other government agencies issued nearly identically worded statements.

Speaking before the deal was struck, Karen Evans, who served as the top IT official in the George W. Bush White House, understood the reluctance of the government in providing details on the IT impact of a government shutdown. The fact that the world knows of a potential shutdown alerts the government's adversaries that the defense of federal IT systems might be weakened as fewer employees would be on hand to defend government computers and networks. "Because there are not enough people watching as there was before, the risk profile will be higher if there's a government shutdown," says Evans, national director of U.S. Cyberchallenge.

Evans, who in the last government shutdown in 1995 served as an IT director at the Justice Department, recalls that non-furloughed employees had to perform not only their jobs by those of furloughed employees. "You had to multitask because you had a skeleton staff," she says.

Former Interior Department Chief Information Officer W Hord Tipton also believes a government shutdown would have weakened IT defenses. He cites recent cyber incidents such as breaches at security maker RSA (see 'Tricked' RSA Worker Opened Backdoor to APT Attack)and online marketer Epsilon (see Epsilon: Biggest Breach Ever?) that occurred when their IT security operations were fully staffed. "When we put ourselves in state of chaos like this, and this is what it will be, think of the opportunities for striking through the APTs (advanced persistent threats), they can pick and choose the targets with much less security behind them," says Tipton, executive director of the IT certification and education organization (ISC)2.

Tipton recalls that during the 1995 government shutdown, only 15 percent of Interior's workforce was deemed essential. "It was almost like a ghost town in many places," he says. Today, he guesses that percentage could climb to 25 percent or more because of the critical role IT plays in government operations.

Many government workers see their work as vital, and the challenge many government managers face is informing subordinates that their positions are deemed as nonessential. "The technology is the easy part; policy is hard," Evans says.

Technically, shutting down a computer system isn't hard. Tipton estimates it should take about two days, on average, to turn off computer systems deemed nonessential. That was his experience in 2002, when as an Interior Department IT leader, he oversaw the powering down of some computer systems ordered closed by a judge.

But unlike 2002 - and especially 1995 - IT is much more pervasive and crucial to the functioning of government in 2011. And, Tipton says, systems and websites deemed nonessential might contain components that are vital for government operations. Many government systems are interconnected, and taking computers down that are deemed nonessential could have an impact on those that are judged crucial.

And both former government CIOs say powering up computers after a shutdown will take longer than powering them down.


About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.




Around the Network