How the US Government Shutdown Hampers IT Security & Regulation
Regardless of who you think is to blame for the US government shutdown going on right now, there’s one thing for certain: the federal government’s ability to protect US critical infrastructure is going to be somewhat to severely hampered by this reality. This deserves a few moments of our time:
- Basic Website Availability: Try to do something not-so-esoteric such as checking out the NIST (National Institute of Standards and Technology (part of the US Department of Commerce)) website to confirm a recent standard or comment period and you’ll be surprised to see this screen welcome you!
That is just plain downright worrisome, as NIST is used by Americans and non-Americans involved in projects as diverse as specifications, voting machines, measurements, technical parts of the 9/11 investigation, and of course most recently the encryption/Snowden/NSA scandal. For the uninitiated, NIST’s official mission is to “Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” (I’m going to link to Wikipedia on the assumption that the government shutdown is going to prevent you from reading this on the NIST.gov website! Try this one once everyone gets back to work.)
- Inviting the Bad Guys to Tinker: We should assume this shutdown will invite the bad guys to come out in force to tinker and to knock on our government’s IT infrastructure. After all, when the entire U.S. Department of Housing and Urban Development only has 13 (yes 13!) people on hand to keep “critical systems running and protecting them against security threats” then we should be worried. Don’t those people need to get some shut-eye, grab a bite to eat, or use the bathroom every once in a while? Can you say sleeping-under-your-desk?
- Testing Agency and Department Business Continuity Plans (BCP): They say every cloud has a silver lining. If that’s the case, then U.S. taxpayers sure had better hope that IT folks with a pro-active mindset in at least some of the affected federal agencies are using this open-ended period of time as an opportunity test their Business Continuity Plans. Whether it’s a temporary technical outage at a cloud provider, a snowstorm, or a government shutdown, such events sometimes provide inadvertent opportunities to test BCPs.
- Possible Regulatory Bottlenecks & Limited Market Monitoring: The ongoing rollout and development of regulatory updates has been causing consternation among people tracking such matters. With some regulators (e.g. the CFTC) defined as non-essential while others (e.g. the FDIC, OCC, CFPB, and others) remaining on the job, the work of some key elements of Dodd-Frank basically comes to a compete standstill. “It will leave the markets untended during a critical phase of Dodd-Frank implementation, to the detriment of all market participants,” CFTC Commissioner Bart Chilton said last week. He also warned, “Under a shutdown scenario, government regulators will be handcuffed in our ability to go after crooks who are trying to evade our oversight and protection of markets. You can bet the ‘do-badders’ are licking their chops.”
- Triage: It’s a simple matter of fact that this government shutdown will represent a challenge to most IT security folks, especially if the shutdown continues for a while. That being said, it’s most likely forcing IT InfoSec people to triage with their limited time and resources. Perhaps this is another silver lining that will enable agencies to come out of this shutdown period stronger and more knowledgeable about their inefficiencies, vulnerabilities, and other areas of concern.