Cyber takes on new prominence in shutdown government

Agencies got a sneak preview at the elevated importance cybersecurity programs and personnel can expect to receive during future government shutdowns.

 

Congress has until Feb. 8 to strike a funding deal before the continuing resolution currently funding the government runs out.

During the brief, just-concluded shutdown, agencies got a sneak preview from the Office of Management and Budget about how to prioritize resources and staff, and what has changed since the 2013 government shutdown.

Cybersecurity is more prominent in 2018. The Jan. 19 OMB memo providing guidance to agencies classified cybersecurity functions as necessary to avoid imminent threat to federal property, even during a shutdown.

"At a minimum, agencies must avoid any threat to the security, confidentiality and integrity of the agency information and information systems maintained by or on behalf of the government," the memo reads. "Agencies should maintain appropriate cybersecurity functions across all agency information technology systems, including patch management and security operations center (SOC) and incident response capabilities."

That guidance, while technically new, mostly falls in line with protocols carried out by agencies on a more informal basis during previous shutdown scares, according to Tony Scott, who served as federal CIO under the Obama administration. However, the new emphasis reflects how cybersecurity has risen in importance since previous shutdowns.

Many of the federal government's crown jewel cybersecurity programs, like Continuous Diagnostics and Mitigation or the Automated Indicator Sharing program, didn't exist or were in their infancy the last time Congress allowed appropriations to lapse, meaning those programs have yet to be managed under a protracted shutdown.

A spokesperson for the Department of Homeland Security, which oversees both programs, referred FCW to OMB for all questions related to how the agency prepares for a shutdown. According to the latest DHS shutdown plan, the National Protection and Programs Directorate, which helps manage both CDM and AIS, would furlough approximately 45 percent of its total workforce and up to 80 percent of its cyber workforce in the event of a shutdown.

Retired Air Force Brig. Gen. Greg Touhill, who served as federal chief information officer in the Obama administration, told FCW he worried about the long-term ramifications of the federal government existing in a constant state of funding uncertainty. Specifically, Touhill said he fears that it convinces smart, capable IT security employees to flee for greener (and more stable) pastures in the private sector.

Even with the new guidance, Scott said it was not as simple as just targeting high-value software systems or programs for added scrutiny during a shutdown. Even if agencies feel they have freedom to dedicate more resources towards protecting or maintaining a particular piece of software, the highly interconnected nature of federal IT systems and websites could lead to unforeseen complexities.

"A lot of these federal systems, including the websites, are highly intertwined, and it's unknown what the effects of closing down one piece are while keeping the other pieces up and running," said Scott. "There are some circumstances where you could say maybe that introduces more threat than just keeping it running."

The OMB memo attempts to address this, specifying that "If the integration of [a] single system with other systems makes it infeasible to maintain operation…without maintaining others" an agency must "manage its information technology resources consistent with avoiding any imminent threat to Federal property."

However, it's unclear how this guidance may affect agency staffing plans or conflict with other resource priorities during a shutdown.

Touhill said that in past shutdowns, even as federal IT leaders did try to emphasize system and network security needs, the end result was still that far too many members of the cyber workforce, both feds and contractors, wound up getting furloughed. He wondered what the government would do if a major cyber attack or vulnerability, like the recent Meltdown and Spectre scare, were to happen during a shutdown.

Dave Wennergren, former CIO for the Navy, told FCW in an email that the federal government's patchwork funding strategy may be the bigger story, as the lack of financial certainty and appropriations precludes new investments and effective planning and delays the start of new programs or initiatives.

"While shutdowns are frustrating, the bigger issue for government, from cybersecurity to military readiness, is the [reliance] on continuing resolutions," said Wennergren.

Scott said the three cybersecurity-related issues he worried about most during a shutdown were achieving the same security results with fewer resources, the overall effect of a shutdown on staff morale, and whether and where the federal government will be able to draw support and logistical resources if there is a significant cyberattack during a shutdown.

"If there's an attack, it very quickly transforms from just the cyber team being involved to a bunch of governance and business decisions that need to be made," he said.

"And if the staff and the resources that you need to collaborate are not available, your response is going to be slower."
