Cybersecurity brings new wrinkle to 'essential' personnel

Threat of government shutdown has IT managers updating contingency plans for the digital age.

With a possible government shutdown looming, agencies face a tough decision that was barely an issue in 1995, the last time they had to furlough employees: Which computer security personnel should be required to continue working?

The stalemate between Congress and the White House over funding levels for the rest of the fiscal year could force the government to suspend services and employees who are not "essential" -- or critical to the safety of life and property. The lists of essential security personnel drawn up 15 years ago are irrelevant, computer specialists say. Pinpointing essential information technology personnel today is more important than ever, they note, because many crucial activities have moved online at agencies, notably at the Social Security Administration and Treasury Department.

"In 1995, the government wasn't really doing anything about security, with the exception of three-letter agencies and the military," said Jeffrey Wheatman, a security and privacy analyst with the Gartner research group, referring to such entities as the CIA and the FBI. Agencies immediately should be determining which systems need daily surveillance and strategic defense, as well as evaluating the job descriptions of the people operating those systems, according to former federal executives citing government policy.

"In 1995, we already had that decided," said Hord Tipton, a former Interior Department chief information officer who was Bureau of Land Management assistant director for resource use and protection during the shutdown that lasted from Dec. 16, 1995, to Jan. 6, 1996. "If they haven't done it, there's going to be a mad scramble, and there's going to be a hole in the system."

In the 1990s at Interior, the vital systems included those that monitored volcano and earthquake activity.

"You've got a week to do this," said Tipton, now executive director of the International Information Systems Security Certification Consortium, an association that certifies cybersecurity specialists. "If you haven't, you'd better get cracking. In this day and age, I would be surprised if they haven't."

Under federal rules, departments are supposed to have contingency plans on hand that identify critical systems and the personnel associated with those tools. The last time around, the Office of Management and Budget began issuing guidance on winding down operations the previous August. OMB officials on Monday said they have not released new guidance, but OMB Circular No. A-11, which addresses funding hiatuses, remains in effect. The memo was last updated July 2010.

"OMB is prepared for any contingency as a matter of course -- and so are all the agencies," Communications Director Kenneth Baer told reporters. "In fact, since 1980, all agencies have had to have a plan in case of a government shutdown, and they routinely update them. All of this is beside the point since, as the congressional leadership has said on a number of occasions and as the president has made clear, no one anticipates or wants a government shutdown."

The answer to who should be deemed essential depends in part on how long the shutdown endures, Wheatman said. A furlough lasting a couple of weeks would require incident-response personnel, network administrators and staff who monitor firewall logs for potential intrusions. But a monthlong shutdown would require more employees to report, he said. New threats could emerge during that time frame, which would demand people with strategy-oriented job functions to devise new lines of defense.

"The staff who develop policy for security are not necessarily essential," said Karen Evans, former White House administrator for e-government and information technology. "However, the ones who do operational activities related to network monitoring activities, in my opinion ... are essential. I don't know that I can name agencies where they are not necessary." Evans currently serves as the national director of U.S. Cyber Challenge, a nonprofit recruitment program for aspiring information security professionals.

Wheatman acknowledged that opinions on who is essential are subjective. "If you went six months without writing a new policy, that's not going to have much effect on your risk posture," he said, "but it's important to communicate that not everybody is going to view these functions the same way."