After Fed Government Shutdown, Time to Rethink Your IT Security

Recovering from the latest federal government shutdown reminds Christopher Kennedy of taking an aircraft carrier out of the mothball fleet.

A former Marine and official with the Treasury Department, Kennedy has worked in cybersecurity for more than 20 years, including stints in the private sector. His current job, announced January 24, is CISO and vice president of customer success with AttackIQ, a security vendor that focuses on continuous security validation.

With one federal government shutdown behind us, and the threat of another one a few weeks away, the aircraft-carrier metaphor is a good one for Kennedy: it illustrates how difficult it can be to re-open the U.S. government after several weeks, especially when it comes to cybersecurity, which is considered part of the country’s critical infrastructure.

Despite the fact that cybersecurity is top of everyone’s mind these days, the shutdown showed how fast problems could accumulate within an organization’s infrastructure. For instance, since SSL certificates were not renewed, websites such as the U.S. Justice Department were not available.

On a tactical level, the cybersecurity ramp-up following the government shutdown is fairly straightforward: employees come back to work, systems are checked, licenses that may have expired are renewed, and those already manning the most mission-critical infrastructure can get a much-needed break when returning employees step in.

The most complex part is the employees. Whether full-time government workers or contractors, the extent of the recent shutdown (35 days) and the damage to the economy ($11 billion) is a serious blow to a workforce that has a sense of mission and craves stability.

“The bigger picture is that you created a lot of instability in an institution that is highly stable,” Kennedy told Dice in an interview. “People who are federal employees are workers that answer a call to service, but who are also looking for the stability of work. Now, everything is complicated because you still want to draw that mission, but the job doesn’t offer that same stability. I’m not sure how long it takes to recover from that.”

This type of disillusionment with work can lead to insider threats against an agency or organization, whether employees not fulfilling their duties, or the more extreme example of a worker selling data or access to systems and networks.

For Kennedy, countering some of these lingering feelings requires CISOs and other security and IT leaders to build a better level of communication into their security posture. He calls this “if you see something, say something” culture, where workers feel they can raise concerns about colleagues who are acting inappropriately or still feeling lingering pressure from the shutdown.

“It starts from the top. It’s got to be something that the most senior executives in the organization create as part of the culture,” Kennedy said. “It’s about saying, ‘Hey, we’re getting back to work, let’s get back to work. We have an important mission, let’s get it done and security really matters here. We understand that we all have been through a lot here but we’re in this together.’ You can spin it positively but at the same time acknowledge the risk.”

For government CISOs facing this situation (and possibly a similar situation in a few weeks), Kennedy offers a six-point checklist:

Senior Management Messaging and Culture

Make sure there is top-level messaging about what happened, as well as the priorities going forward. This is also the time to emphasize how best to manage security within the organization.

Battle-Damage Assessment

Another military metaphor from Kennedy. This uses an agency’s audit team to conduct a quick and dirty review of the control and security posture. The questions to ask: Did anything break? Did any contracts expire and do licenses need to be renewed? Did anyone leave, and what can we do to backfill positions?

People Security

Did anyone with top-level access leave? Do we know who has the “God keys”? Within the critical staff, did anyone’s security clearance expire? Can we still trust certain people to do their jobs?

Circling Back

Now that this type of shutdown has happened, what’s the new norm for next time? Go back to the first three parts of the checklist and see what improvements can be made.

Create a Continuous Validation Program

This can help an agency or organization develop a better security posture for the next emergency.

Ask the Big Question

How important is the agency’s or organization’s entire threat program? Are changes in management needed? Is there more investment needed?

The best way to ensure that government security teams (and the contractors who support them) are maintaining critical cybersecurity infrastructure is to move fast, identify problems, and tap the resources that are needed, especially after these types of disruptions, said Praveen Jain, the CTO of Cavirin, a Santa Clara, Calif.-based provider of cybersecurity risk posture and compliance for hybrid cloud platforms.

“Quickly evaluate and triage any security issues and handle them in the appropriate order,” Jain wrote in an email. “Don’t shy away from putting in the extra hours to do this, and if you are able to raise your internal security controls for a time, do it until you are confident in your cyber posture. And if challenged for skills, the private sector and local governments are quite experienced, so draw on your contacts for help in getting back to normality.”