Thursday, October 3, 2013

The security implications of the US Government shutdown

Well, after much encouragement from friends and colleagues, I have created a new home in this blog.  Welcome to the inaugural edition!

What better to tackle than one of my favorite targets of high noise and low signal? Let's take a slightly different look at the government and their latest schoolyard sandbox silliness: their inability to agree on a budget, which has shut down the government.  In all honesty, I didn't think they would get to this state.  I guessed they would cut a last-minute deal and work out their differences.  Well, like five-year-olds at the playground, they have quit playing together, picked up their marbles, and gone home.  Of course, they still get paid, which is a crime in its own right, once again showing that they are willing to hurt lots of people to prove their private points as long as they are not among those truly affected.

OK, all that aside, I didn't want to write about that issue in particular.  As those of us who have worked in the government contracting infosec space will attest, the heavy lifting of the government's computer security business is done by contractors.  Who are now out of work, AFAIK.  I have had client's government intel feeds say they are shutting down due to the budgetary shutdown, so I'm extrapolating a bit here.  I'm sure there may be a few projects that have some secret funding or protected funding, but I doubt they could or would talk about it either way.  Ponder both of those possibilities for a few seconds....

Who's driving this bus?

All information security professionals know that we are in the midst of dealing with an evolution of technologies that is generating greater visibility into our own systems and greater information as a function of these newly fulfilled requirements to counteract the burst of APT activity that is becoming the norm.  Of course, more info equals a greater need to analyze all that stuff and find what is really important.  Nothing new here.  This spring-like blossoming of information delivered by security tools happens every few years with the same regularity as the World Cup.  Government contracts for infosec services typically follow a pattern of about nine government contractors to one government employee, ballpark average.  So during an epoch of already high risk, we are shutting down our sensors by virtue of removing most of the people at the consoles.  This, of course, assumes that the remaining one in ten are active duty military, who still get paid and remain behind manning the now much less populated bridge.  This is like driving the autobahn and, as the sun goes down, choosing to turn off your headlights and move from the driver's seat to the back seat (or get out of the car entirely) while the car continues to hurtle down the road.  Who does that?

Risky Business

This is what the US Government has chosen to do by choosing not to fund anything but 'necessary' services and let the 'unnecessary' ones shut down.  Make no mistake, I'm not saying that government infosec contracts are the only necessary services that are shut down.  Plenty of people are talking about the other ones that are equally affected.  This is a blog about information security and risk and, folks, there is no bigger risk than being in the middle of a massive infosec war and choosing to turn off your sensors and step away from the consoles.

Thanks, Senators and Congresspersons.  Can you please move your investments and personal information to the top of the databases so that there is a digital airbag that I can bounce off of and not have my information at risk when the car crashes?  Meh...never mind, the bad guys don't just take the top 'n' rows of data.  It was a good thought.