Mitigating risks posed by the federal government shutdown

Oct. 1, 2013
Developing business continuity plans, getting executive cooperation crucial

Democrats and Republicans on Capitol Hill failed to reach an agreement on a spending plan to fund the federal government by the midnight deadline on Monday, thus beginning a partial shutdown of the government. Despite the shutdown, essential workers such as agents with the U.S. Department of Homeland Security and other federal law enforcement authorities will remain on duty. That’s not to say, however, that there can’t or won’t be some fallout as it relates to security from this stalemate in Congress.

Larry Slobodzian, senior solutions engineer for LockPath, which provides governance, risk and compliance (GRC) reporting products to a variety of companies in both the private and public sectors, said that one of the most important things organizations need to do is consider the risks posed to them by a federal government shutdown. For example, Slobodzian said that from the viewpoint of one of their customers, a multi-national manufacturer that works closely with the Department of Energy, Department of Defense and intelligence community, one of the first things they would do is take the threat of a government shutdown and place it on their “risk register.”

“That risk would go through a workflow so that the proper people analyzed it, it was made visible to management and that it showed up on specific reports,” explains Slobodzian. “When you analyze a risk, you’re scoring it from several different vectors: one would be the impact if this risk actually took place. For a government shutdown, one thing would be impact to business, what’s the probability of that occurring, what’s our proximity to that impact, and very specific values such as what it would cost us from a contractual standpoint? Are there any fines or brand equity losses that we need to account for? And, specifically, what do we need to do if that took place?”    

Slobodzian says that companies are going to focus primarily on risks that are both high-impact and high-probability, a description that would obviously fit a government shutdown, and that such risks would be included in any business continuity plan.

“In the business continuity plan, we would account for anytime that our government services has any type of a shutdown – what do we do next? Who do we put on the bench? Who do we furlough? Who do we call up and put on 24-hour watch? Where do they need to go? What do they need? All of that would be in our business continuity plan,” says Slobodzian. “Prior to the shutdown, we would have tested that business continuity plan.”

Slobodzian believes that the greatest impact to the security community as a result of this shutdown could be in the DHS’s fusion centers and initiatives such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), both of which enable security managers in the critical infrastructure sector to discuss potential threats and concerns with their federal counterparts.

“That’s where there’s going to be the biggest impact. They were already understaffed and they’ve never had enough people to do all of the work and so they were already a year or two behind or worse in some cases - on running risk assessments, auditing configurations, following up on whether or not something was a false positive for a sensor - and now they’re going to be several days or, hopefully not, several weeks behind,” he says. “The proactive approach to security is really hampered by losing your qualified professionals who are considered non-essential.”

Because this isn’t the first, and likely won’t be the last, time that a political game of chicken has serious ramifications for businesses, Slobodzian advises security managers to continually update and practice their business continuity and risk management plans.

“Business continuity planning is basically essential for any business and is often required by regulation. Those plans also need to be tested to make sure everyone who has a role to play knows exactly what their role is,” he says. “I served in the Marine Corps and we were always trained to take over the next person’s position, so if my lieutenant is taken out of action I know exactly how to do his job and he knew the captain’s job and so on and so forth. I think that is something that really gets lost in the business world.”   

The importance of developing a comprehensive business continuity plan and employing GRC tools is superseded only by having an executive leadership team that is aware of the risks and actually helps implement these plans throughout the organization. “I think the most important role in all of this is the executive, the leaders who oversee (these plans). They really need to be driving from the top down, and that really enables communication between multiple departments,” Slobodzian added.