Cybersecurity brings new wrinkle to 'essential' personnel

With a possible government shutdown looming, agencies face a tough decision that was barely an issue in 1995, the last time they had to furlough employees: Which computer security personnel should be required to continue working?

The stalemate between Congress and the White House over funding levels for the rest of the fiscal year could force the government to suspend services and employees who are not "essential" -- or critical to the safety of life and property. The lists of essential security personnel drawn up 15 years ago are irrelevant, computer specialists say. Pinpointing essential information technology personnel today is more important than ever, they note, because many crucial activities have moved online at agencies, notably at the Social Security Administration and Treasury Department.

"In 1995, the government wasn't really doing anything about security, with the exception of three-letter agencies and the military," said Jeffrey Wheatman, a security and privacy analyst with the Gartner research group, referring to such entities as the CIA and the FBI. Agencies immediately should be determining which systems need daily surveillance and strategic defense, as well as evaluating the job descriptions of the people operating those systems, according to former federal executives citing government policy.

"In 1995, we already had that decided," said Hord Tipton, a former Interior Department chief information officer who was Bureau of Land Management assistant director for resource use and protection during the shutdown that lasted from Dec. 16, 1995, to Jan. 6, 1996. "If they haven't done it, there's going to be a mad scramble, and there's going to be a hole in the system."

In the 1990s at Interior, the vital systems included those that monitored volcano and earthquake activity.

"You've got a week to do this," said Tipton, now executive director of the International Information Systems Security Certification Consortium, an association that certifies cybersecurity specialists. "If you haven't, you'd better get cracking. In this day and age, I would be surprised if they haven't."

Under federal rules, departments are supposed to have contingency plans on hand that identify critical systems and the personnel associated with those tools. The last time around, the Office of Management and Budget began issuing guidance on winding down operations the previous August. OMB officials on Monday said they have not released new guidance, but OMB Circular No. A-11, which addresses funding hiatuses, remains in effect. The memo was last updated in July 2010.

"OMB is prepared for any contingency as a matter of course -- and so are all the agencies," Communications Director Kenneth Baer told reporters. "In fact, since 1980, all agencies have had to have a plan in case of a government shutdown, and they routinely update them. All of this is beside the point since, as the congressional leadership has said on a number of occasions and as the president has made clear, no one anticipates or wants a government shutdown."

The answer to who should be deemed essential depends in part on how long the shutdown endures, Wheatman said. A furlough lasting a couple of weeks would require incident-response personnel, network administrators and staff who monitor firewall logs for potential intrusions. But a monthlong shutdown would require more employees to report, he said. New threats could emerge during that time frame, which would demand people with strategy-oriented job functions to devise new lines of defense.

"The staff who develop policy for security are not necessarily essential," said Karen Evans, former White House administrator for e-government and information technology. "However, the ones who do operational activities related to network monitoring activities, in my opinion ... are essential. I don't know that I can name agencies where they are not necessary." Evans currently serves as the national director of U.S. Cyber Challenge, a nonprofit recruitment program for aspiring information security professionals.

Wheatman acknowledged that opinions on who is essential are subjective. "If you went six months without writing a new policy, that's not going to have much effect on your risk posture," he said, "but it's important to communicate that not everybody is going to view these functions the same way."
