Shutdown's Impact on Federal IT SecurityNIST Suspends Work on Obama's Cybersecurity Framework
As federal agencies begin to shutter noncritical government IT systems and furlough nonessential employees because of the partial government shutdown that took effect at midnight Oct. 1, the National Institute of Standards and Technology says it's suspending work on President Obama's cybersecurity framework.
"All work on the framework will stop for the duration because the framework and its staff are not [exempt from furloughs]," NIST spokeswoman Jennifer Huergo said hours before the shutdown.
IT security experts, meanwhile, say perceived disruptions caused by the shutdown could encourage America's cyber-adversaries to increase their attacks and probes on federal government IT systems and networks.
NIST is coordinating the public-private sector initiative to develop the framework that's designed to create IT security best practices for the nation's mostly privately owned critical infrastructure operators. The White House had designated Oct. 10 as the day NIST would issue a preliminary framework.
But NIST professionals working on the framework are not deemed essential personnel under the administration's partial shutdown guidance and have been furloughed. "Because we do not know how long a shutdown would last, we cannot speculate on how it will impact our ability to meet the deadline," Huergo says.
Obama issued an executive order last February calling for the creation of a cybersecurity framework. The final version of the cybersecurity framework is due to be issued this coming February (see Identifying Gaps in Cyber Framework).
NIST Suspends Guidance Work
Work on other NIST IT security guidance, such as special publications and federal information processing standards, also has been suspended during the partial government shutdown.
Because of the shutdown, cybersecurity experts warn that the federal government must remain diligent despite a smaller workforce to defend against the possible increase in probes and attacks (see Previewing a Government Shutdown).
"The smart adversaries try to launch attacks when they know there's a reduced administrative presence that can identify and respond to their activities," says Jacob Olcott, cybersecurity principal at security adviser Good Harbor Consulting. "The bad guys read the newspapers, too, so it won't be surprising to see them try to exploit the reduced number of IT staff, including security staff."
Even though adversaries could perceive a partial government shutdown as weakening government cybersecurity, Purdue University Computer Science Professor Gene Spafford suggests "sophisticated and quiet attacks" might be more successful than other types of intrusions.
"Very noisy events stand out more when regular traffic thins out," says Spafford, who heads Purdue's Center for Education and Research in Information Assurance and Security. "So, for instance, massive exfiltration is more observable when there is less normal traffic."
First Shutdown in 17 Years
The last time the federal government partly shutdown, during the Clinton administration in 1995 and 1996, government was far less dependent on IT for its operations. The increased reliance on IT and the Internet since then has made government systems more vulnerable. There is more IT infrastructure to protect, Spafford says, plus adversaries who would launch attacks are better trained and motivated today than nearly two decades ago.
But in one respect, federal networks might be safer because of the Trusted Internet Connections initiative, a program that reduces the number of connections between federal networks and the Internet from thousands upon thousands to fewer than 100, says Robert Bigman, who until last year served as the chief information security officer at the Central Intelligence Agency. "Hopefully, there should be fewer Internet network interfaces," he says.
Even with essential staffing, there will be fewer people manning government network defenses, Bigman says. "This means that malicious data-driven attacks may go unseen and responded to, the critical event response plan may be impacted and, accordingly, systems may be at greater risk," Bigman says. "Depending on how long this lasts, there may also not be sufficient staffing to implement patches - e.g., Microsoft Patch Tuesday - and generally respond to vulnerability disclosures."
Deciding Who Stays, Who Doesn't
To get an idea how government agencies determined who remains employed during the government shutdown, take a look at the Commerce Department's "for-discussion-only" document, Plan for Orderly Shutdown Due to Lapse of Congressional Appropriations. The document, dated Sept. 27, lists four types of exempted positions:
- Employees engaged in military, law enforcement or direct provision of healthcare activities;
- Those holding positions financed by legislation other than fiscal year 2014 appropriations;
- Staff members and managers necessary to protect the safety of human life or the protection of property, including IT networks; and
- Workers whose jobs are exempted from furlough by other laws.
The Commerce Department typifies how agencies address the shutdown. Most Commerce employees, including many in information technology, are being furloughed. Among those exempted from furloughs are employees in the Office of Chief Information Officer, including the CIO, two deputy CIOs and three IT specialists, who support troubleshooting of servers and workstations as well as monitoring for security vulnerabilities and incidents.
There are other exemptions at Commerce, though many are just for a few days. At Commerce's Office of Oceanic and Atmospheric Research, 18 computer staffers and 15 systems contractors would continue working for two days before being furloughed so they can plan and execute an orderly shutdown of the office's IT system. Elsewhere within the Office of Oceanic and Atmospheric Research, one staffer would remain working throughout the shutdown to operate the Earth Systems Research Laboratory Computer Network and Remote Access Systems, which Commerce defines as a central network link for all network services with the lab and must remain in operation to support excepted activities authorized during the shutdown.
The Commerce Department plan is based on guidance from the White House Office of Management and Budget, issued Sept. 17 in a memorandum from OMB Director Sylvia Burwell. If a systems or website operation is necessary to support essential activities, then the agency must maintain that system, including retaining personnel to assure its operation and security, the memo states. Otherwise, the system or website should be shuttered.
"The mere benefit of continued access by the public to information about the agency's activities would not warrant the retention of personnel or the obligation of funds to maintain (or update) the agency's website during such a lapse," according to an attachment to the memorandum.
The guidance gives furloughed employees no more than three to four hours to secure their files, complete time and attendance records and make preparations to secure their work.
Each agency can set its own policies for whether furloughed employees provided with government-owned smart phones must surrender them during the shutdown, the memorandum states. But the rules forbid remote work during the shutdown for furlough workers, even if they retain government-owned smart phones.