
Security expert says government should shut down federal IT infrastructure

An expert with the Council on Foreign Relations argued that the federal government should shut down as much federal IT infrastructure as possible during the shutdown to avoid security risks.

In a recent blog post, Robert Knake, a senior fellow at the Council on Foreign Relations, contended that the security implications of keeping unpaid federal employees on the job are worse than the implications of shutting down the IT infrastructure altogether.

“In an organization as large and complex as the federal government, knowing with any degree of certainty which IT roles are essential is all but impossible. Moreover, as the shutdown lengthens and morale goes from bad to worse, the likelihood that the remaining employees are doing their jobs and doing them well is low. A colleague at a security rating firm told me that there are signs that scores for even basic cybersecurity hygiene are going down,” Knake wrote.

He added that the shutdown will be a boon for cybersecurity firms. Federal government workers in the IT arena will likely flock to private sector jobs as the shutdown continues, and those workers who don’t go to the private sector will be likely targets for foreign intelligence professionals.

“And while the defenders of federal networks are facing low morale and are unsupported, I have no doubt that our adversaries are fully supported in their mission to compromise federal networks. It’s likely that the postmortem of the next major federal breach will show that the initial compromise occurred during or shortly after the end of the shutdown,” Knake wrote.

Given these circumstances, Knake said the best, most secure course of action is to reduce the federal IT infrastructure to a bare minimum. He writes that “federal agencies should shut down their web servers and thereby reduce the attack surface. When funding is reinstated, federal IT systems should be brought back online slowly and deliberately.”

Knake concluded by saying the shutdown is a political failure that will likely cause failures for IT systems and the IT security systems that protect them. “Rather than attempting to maintain the security of these systems, a better alternative is to put them in fail-safe mode and shut them down.”

Dave Kovaleski
