Shutdown could test IT security at federal agencies

Agencies would have skeletal IT teams in place to manage systems

A government shutdown that lasts more than a few days could test the ability of federal agencies to protect their information systems against security threats.

Several agencies, over the past few days, have released contingency plans showing that they will have to heavily scale down their IT teams to maintain, manage and protect IT infrastructure during a shutdown.

The U.S. Department of Veterans Affairs , for instance, said it will furlough more than 40%, or 3,267, of its 8,026 IT employees in the event of an appropriations lapse. Those remaining will be responsible for functions such as network maintenance and protection, information security and for keeping the data center and enterprise infrastructure running.

In some cases, the shutdown will leave barely a skeletal staff in place to run legally "excepted" activities.

The Federal Trade Commission exempted a total of six employees from taking a forced furlough. The six will be responsible for ensuring the integrity and availability of the agency's IT infrastructure to other exempt employees at the agency. The six individuals will also be responsible for other tasks, including direct support of the agency's network and telecommunication services, operating the FTC's data center, rotating backup media for offsite store and provide on-site database administration support, the FTC said in its contingency plans.

The Social Security Administration exempted 10%, or 310 of its 3,187 IT employees, for infrastructure and program support purposes. The U.S. Department of Housing and Urban Development asked all but 349 of its 8,709 administrative and management staff to go on furlough. Among those exempted from the furlough are 13 IT employees out of 244 in the agency CIO's office. The 13 will be responsible for keeping critical systems running and protecting them against security threats.

Most other federal agencies are expected to have a similar handful of IT security staff and other essential personnel to run infrastructure operations.

"I believe that most CIOs will have their security and network analysts deemed 'essential,' and they will be on a heightened [state] of awareness," said Karen Evans, former de facto federal CIO during the George W. Bush administration.

Many IT services will need to be available through a shutdown so most IT staff will also be deemed essential, she noted. "But, the short of it is, because of all the services online and how government accesses these services, there are going to be risks," associated with a prolonged shutdown, she said.

Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University said the contingency plans that federal agencies have set up should be adequate for a few days but not for a long stretch.

Even with systems shut down, functions like patching and installing key maintenance upgrades are important and could pose a challenge for skeletal teams that have been assembled to manage IT systems during a shutdown, he said.

If the shutdown were to persist through the second Tuesday of October for instance, many agencies could find themselves scrambling to install Microsoft's monthly security updates, Spafford said.

Mike Brown, vice president and general manager at security firm RSA's global public sector unit, noted that security risks to federal agencies overall should not increase dramatically as a result of the shutdown. However, the potential for agencies to make mistakes increases during times of reduced staffing.

"I would expect that most of the infrastructure would be maintained by personnel who have been designated as essential, and that planning has taken place to ensure security remains a priority," Brown said. "However, any time there is an event like this, there is the potential for mistakes to take place," Brown said. "Not only will the impact of nonessential personnel weigh on an organization, but additional issues could arise based on the overall status of personnel and priorities."

A Sept. 16 directive issued by the White House Office of Management and Budget requires federal agencies to wind down all IT activities other than "excepted" activities, including those that are essential to safety and protection of property, in the event of a government shutdown.

The directive leaves it up to agency heads to determine what systems can be kept running, but it makes clear that the only systems allowed to run will be those that directly support an exempted activity. If that system happens to be interconnected with other system, the agency has to figure out a way to keep it running without affecting the safety and security of the other systems, the directive noted.

"Given that websites represent the front-end of numerous back-end processing systems, agencies must determine whether the entire website can be shut down or components of the website will be shut down," to ensure compliance with procedures during an appropriations lapse, the OMB memo noted.

This article, Shutdown could test IT security at federal agencies, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about government it in Computerworld's Government IT Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Government ITsecurity

More about BushFederal Trade CommissionFTCGovernment ITMicrosoftOffice of Management and BudgetRSATopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts