With the prospect of a partial federal government shutdown on Oct. 1, and its implications for IT security, it's worth considering what occurred in Minnesota two years ago, when a similar budget squabble between Democrats and Republicans shuttered state operations for nearly three weeks.
"One thing that we learned very quickly is that there is no easy way to turn a government off, even temporarily," says Chris Buse, the state government's chief information security officer (see Shutdown Takes Toll on Infosec Pros).
If Congress doesn't pass a continuing resolution by midnight Sept. 30, a lack of funds will force the government to suspend most programs, furlough nonessential employees and contractors and, in some instances, shutter IT systems.
That's what happened in Minnesota on July 1, 2011, when the Democratic governor and Republican legislature could not agree on a budget, halting all but the most essential programs and temporarily laying off thousands of employees.
Deciding which IT systems are essential, and maintaining a staff to assure they function securely during a government shutdown, isn't easy.
"Identifying who will be furloughed and who will be kept on to weather the storm is a complex and time-consuming process," Buse says. "And once that is done, it is painstakingly difficult to dismantle the complex array of access control solutions that employees use to conduct business."
In the federal government, each department and agency, following Office of Management and Budget guidelines, decides for itself which systems to maintain and which employees to furlough. Agencies can continue programs and systems - and retain the needed employees to operate them - if they're deemed necessary to protect life and property. That means most defense, intelligence and law enforcement systems will remain operational, with continued staffing by IT and security experts.
OMB declined to provide a representative to be interviewed for this story, but spokeswoman Emily Cain, in a statement, says agencies are reviewing relevant legal requirements and updating their plans based on OMB guidance issued last week.
Following OMB Guidance Not Easy
Mark Forman, a former top federal IT official, says guidance offered by the budget office won't make it easy for agency heads to decide which systems should continue functioning and which employees should keep working.
"With more agencies using consolidated and virtualized production environments, those systems may be running or accessible in the production environment even if the users are not accessing them," says Forman, who served as President George W. Bush's first e-administrator, a post now known as chief information officer. "Today, there is a need to continuously monitor and patch or otherwise counter vulnerabilities. Leaving a non-mission critical system unprotected could create a huge risk once the shutdown is over and everyone comes back to work. Or, even worse, it could create a huge pathway into other systems."
Other Consequences of a Shutdown
A partial shutdown also could damage various government IT security initiatives. "It will slow the progress of new programs and put additional stress on the already overworked frontline cybersecurity professionals," says Bruce McConnell, who stepped down last month as the Department of Homeland Security's top cybersecurity policymaker.
If a partial government shutdown occurs, it isn't expected to have much effect on the open enrollment for health insurance under the new healthcare reform law, slated to start through state health insurance exchanges on Oct. 1. That's because funds for the Affordable Care Act aren't subject to annual appropriations, which the continuing resolution addresses. Still, the Republican-controlled House of Representatives passed a continuing resolution that would defund Obamacare; the Senate stripped that provision, setting up a conflict that could result in a partial shuttering of the government.
Forman's successor, Karen Evans, who during the last government shutdown in 1995 served as an IT director at the Justice Department, recalls that non-furloughed employees had to perform not only their jobs but those of furloughed employees. "You had to multi-task because you had a skeleton staff," she says.
A decline in the morale of highly qualified IT and IT security personnel, many of whom feel unappreciated and underpaid, could be one consequence of a government shutdown. When Minnesota state operations resumed on July 20, 2011, Buse says, the state had to restore many systems, spending "even more time reversing the whole process, absent a few of the best and brightest, who quit because they refused to be treated like a political marionette" (See CISO's Core Values Confront Life's Ugly Realities).