Shutdown Threatens Fed InfoSec StaffingLong-Term Impact of Deeming Essential Personnel Nonessential
No one wants to think of themselves as nonessential, and that's especially true for information security experts who work for the federal government. After all, there are few jobs as essential in the federal government as those securing IT.
Yet, among the 800,000 federal government employees furloughed during the partial shutdown that started with the new fiscal year on Oct. 1 are hundreds, if not thousands, of IT and IT security personnel who federal Chief Information Officer Steven VanRoekel characterizes as vital. VanRoekel doesn't know the exact number of furloughed IT security staffers and managers because his aides who could calculate that figure have been furloughed.
The people who are essential are technically shutting down services.
VanRoekel, in an interview with the Wall Street Journal, says he advised agencies to exempt cybersecurity staffers from the furloughs. But it's up to each agency to decide which employees are essential, and many agencies decided to keep only skeleton staffs to monitor systems. In the event of an attack, VanRoekel says, cybersecurity specialists could be recalled. Still, he says, the loss of real-time response "is a little bit worrisome for me. I have fewer eyes out there."
Sense of Public Service
The furloughs also should be worrisome for those responsible for recruiting and retaining IT security personnel. Many cybersecurity staffers and managers could make more money working in the private sector, but they choose government work because they embrace a strong sense of loyalty to their country.
"They feel a sense of public service; they feel good about what they do," says Gene Spafford, the Purdue University computer science professor who over the years has advised Congress and the White House on IT security matters and has trained some of the top IT security practitioners in the country (see Will New Hires Impede Future Security?).
Besides, some of the hottest cybersecurity jobs can be found in the government. Plus, over the years, federal government jobs have proven to be among the most stable, at least until now.
But the failure of lawmakers to enact legislation to fund government operations that resulted in the partial shutdown could drive cybersecurity experts from government payrolls if the furloughs continue for much longer. "Congress does more damage than [terrorists]," says Jim Lewis, the cybersecurity expert at the Center for Strategic and International Studies, a think tank. "People self-select out and go to the private sector."
Karen Evans, who held VanRoekel's job in the George W. Bush White House, says the partial shutdown could have an adverse impact on recruitment. "One of the big benefits of government employment is stability, and that is not the case right now," says Evans, executive director of the U.S. Cyber Challenge, a not-for-profit group aimed at encouraging young people to enter the cybersecurity field (watch video Why Cyber Challenge is Needed).
Irony of 'Essential' Work
One irony of the partial shutdown is the role many IT and IT security employees performed in the early hours. "The people who are essential are technically shutting down services," Evans says.
That's what happened at the Commerce Department's Office of Oceanic and Atmospheric Research, where 18 computer staffers and 15 systems contractors worked for two days to shut down the office's IT system; the agency then furloughed them (see Shutdown's Impact on Federal IT Security). That scene was repeated hundreds of times throughout the federal government during the early days of the shutdown.
Being labeled as nonessential is only part of the problem.
Furloughed cybersecurity experts aren't being paid during the shutdown. "If I were in that position, it would certainly cause me grave doubts whether I would want to continue to work for the government, whether I was valued," Spafford says.
That lack of money - and appreciation - could drive dedicated workers to government contractors, many of whom have received millions upon millions of dollars from the government and are all but guaranteed more money once the shutdown is over.
[Updated Oct. 5: After this blog was posted, legislation - supported by President Obama - was working its way through Congress to give government workers back pay once the partial shutdown ends. The blog was revised from the original version to remove a statement about the uncertainty of federal employees being paid retroactively.]
"If we have government personnel who've got [security] clearances, who've got experience, who've got knowledge, with certifications and so on, and they start going too many weeks with no pay, they're more likely to take positions with some of these contractors and they won't be coming back to the government," Spafford says.
It's unlikely the vast majority of federal IT security personnel will abandon the government when the partial shutdown ends. But the lesson from a nearly three-week shutdown in Minnesota two years ago over a partisan budget dispute resulted in some of the state's "best and brightest" cybersecurity experts to quit "because they refused to be treated like a political marionette," says Chris Buse, the state government's chief information security officer (see CISO's Core Values Confront Life's Ugly Realities).
Will that "puppet show" have an encore on the bigger stage of the federal government? Stay tuned.