Cyber takes on new prominence in shutdown government

Agencies got a sneak preview at the elevated importance cybersecurity programs and personnel can expect to receive during future government shutdowns.

 

Congress has until Feb. 8 to strike a funding deal before the continuing resolution currently funding the government runs out.

During the brief, just-concluded shutdown, agencies got a sneak preview from the Office of Management and Budget about how to prioritize resources and staff, and what has changed since the 2013 government shutdown.

Cybersecurity is more prominent in 2018. The Jan. 19 OMB memo providing guidance to agencies classified cybersecurity functions as necessary to avoid imminent threat to federal property, even during a shutdown.

"At a minimum, agencies must avoid any threat to the security, confidentiality and integrity of the agency information and information systems maintained by or on behalf of the government," the memo reads. "Agencies should maintain appropriate cybersecurity functions across all agency information technology systems, including patch management and security operations center (SOC) and incident response capabilities."

That guidance, while technically new, mostly falls in line with protocols carried out by agencies on a more informal basis during previous shutdown scares, according to Tony Scott, who served as federal CIO under the Obama administration. However, the new emphasis reflects how cybersecurity has grown in importance since previous shutdowns.

Many of the federal government's crown jewel cybersecurity programs, like Continuous Diagnostics and Mitigation or the Automated Indicator Sharing program, didn't exist or were in their infancy the last time Congress allowed appropriations to lapse, meaning those programs have yet to be managed under a protracted shutdown.

A spokesperson for the Department of Homeland Security, which oversees both programs, referred FCW to OMB for all questions related to how the agency prepares for a shutdown. According to the latest DHS shutdown plan, the National Protection and Programs Directorate, which helps manage both CDM and AIS, would furlough approximately 45 percent of its total workforce and up to 80 percent of its cyber workforce in the event of a shutdown.

Retired Air Force Brig. Gen. Greg Touhill, who served as federal chief information officer in the Obama administration, told FCW he worried about the long-term ramifications of the federal government existing in a constant state of funding uncertainty. Specifically, Touhill said he fears that it convinces smart, capable IT security employees to flee for greener (and more stable) pastures in the private sector.

Even with the new guidance, Scott said it was not as simple as just targeting high-value software systems or programs for added scrutiny during a shutdown. Even if agencies feel they have freedom to dedicate more resources towards protecting or maintaining a particular piece of software, the highly interconnected nature of federal IT systems and websites could lead to unforeseen complexities.

"A lot of these federal systems, including the websites, are highly intertwined, and it's unknown what the effects of closing down one piece are while keeping the other pieces up and running," said Scott. "There are some circumstances where you could say maybe that introduces more threat than just keeping it running."

The OMB memo attempts to address this, specifying that "If the integration of [a] single system with other systems makes it infeasible to maintain operation…without maintaining others" an agency must "manage its information technology resources consistent with avoiding any imminent threat to Federal property."

However, it's unclear how this guidance may affect agency staffing plans or conflict with other resource priorities during a shutdown.

Touhill said that in past shutdowns, even as federal IT leaders did try to emphasize system and network security needs, the end result was still that far too many members of the cyber workforce, both feds and contractors, wound up getting furloughed. He wondered what the government would do if a major cyber attack or vulnerability, like the recent Meltdown and Spectre scare, were to happen during a shutdown.

Dave Wennergren, former CIO for the Navy, told FCW in an email that the federal government's patchwork funding strategy may be the bigger story, as the lack of financial certainty and appropriations precludes new investments and effective planning and delays the start of new programs or initiatives.

"While shutdowns are frustrating, the bigger issue for government, from cybersecurity to military readiness, is the [reliance] on continuing resolutions," said Wennergren.

Scott said the three cybersecurity-related issues he worried about most during a shutdown were achieving the same security results with fewer resources, the overall effect of a shutdown on staff morale, and whether and where the federal government will be able to draw support and logistical resources if there is a significant cyberattack during a shutdown.

"If there's an attack, it very quickly transforms from just the cyber team being involved to a bunch of governance and business decisions that need to be made," he said.

"And if the staff and the resources that you need to collaborate are not available, your response is going to be slower."