That a country can shut down its services is bizarre enough, but that part of its IT services are also put on hiatus is truly outlandish.
The U.S. government began shutting its non-essential services on Tuesday after the U.S. Congress failed to reach an agreement over the country's new budget, stalling over President Barack Obama's Affordable Care Act, also called Obamacare. Without an approve budget deal, government staff performing non-essential services were forced to go on unpaid leave.
Until the 535 members in the U.S. Congress reach an agreement, many government services and agencies will remain closed or suspended, including Federal Trade Commission, Justice Department, Internal Revenue Service, NASA, and Department of Homeland Security.
Over 800,000 government employees have been put on unpaid leave and federal workers, as part of U.S. policy, are not allowed to access their work e-mail, and websites as well as Twitter feeds are not updated. While these may seem to have a minor impact in terms of technology, there are worries the shutdown would leave IT systems at risk.
In defining what falls under essential services, the U.S. government's general rule of thumb is that any function involving "the safety of human life and the protection of property" should be kept running. Obviously, IT services don't pose any direct danger to human life, but that doesn't mean the absence of technology carries no risk to human life.
The number of cybersecurity employees, for instance, had been slashed across U.S. federal agencies, leaving systems potentially vulnerable to attacks, noted Steven VanRoekel, CIO for the U.S. federal government. Expressing concerns hackers would exploit the situation to penetrate IT systems, he told Wall Street Journal's CIO Journal: "If I was a wrongdoer looking for an opportunity, I'd contemplate poking at infrastructure when there are fewer people looking at it."
VanRoekel explained that workers essential to national security were exempted from the shutdown, but in practice, most government sites were running on a "skeleton crew". In anticipation of the furlough, he had urged cybersecurity staff who monitored IT networks against attacks to be exempted, but most of those specializing in attack response were eventually told to stay home. While these folks could still be called back in the event of a cyberattack, he said the lack of real-time response was "worrisome". "I have fewer eyes out there," he noted.
Decisions on which security staff to furloughed were made independently by the different U.S. agencies, and VanRoekel was unable to even evaluate the extent of the impact on the U.S. government's cybersecurity team because the people who could give that assessment weren't working.
At the GovWare conference in Singapore this week, Anthony Bargar, former security advisor at the U.S. Office of Secretary of Defense, underscored the importance of developing cyberoffensive capabilities to deter attacks and protect a country's infrastructure.
A world of increasingly pervasive interconnectivity also increases the risk critical infrastructure will be paralyzed by cyberattacks, especially as the Internet of Things and machine-to-machine communications emerge in the next wave of adoption. Power grids, for example, will soon be connected to the Internet to form smartgrids and everything, including even toasters, would soon have IP addresses. Bargar said: "Cyberdeterrence is the new cold-war reality."
Tony Chew, director specialist advisor at the Monetary Authority of Singapore, noted that adversaries now favored cyberattacks as they were covert and helped minimize collateral damage. "If you are going to fight you cannot just be defending, you must have capability of launching the first strike," said Chew.
In this "new cold-war reality", leaving IT systems unmanned could prove fatal, even if they may seem to support the most non-essential of services because the weakest link in any ecosystem, when attacked, would bring down the entire value chain.
The Singapore government has its own classification of essential services and the operators of such services are not permitted by law to stop functioning, including going on strike. These include banking, civil defense, newspaper, public transport, and weather information services, as well as "information technology services to support the processing of applications for permits for the import, export, and transshipment of goods".
I think this should include all forms of IT functions that support organizations operating services that, if brought to a halt, could pose security risks to a nation and endanger the safety human and property.
And here's what I really don't get, why is the U.S. Congress still getting paid while other government employees aren't?