Watching the United States government hash out a budget and looming shutdown, I worry about the blackhat hackers exploiting it. Not enough of those protecting us from these threats are essential workers. Agencies I depend upon, like CISA, furlough 80% of their workforce, leaving whitehats in the dark about what they’ve detected. Their research feeds the companies we depend on to protect systems from ransomware, foreign governments, etc.
It seems to my layperson self that anyone protecting online services is essential.
In 2009, I worked for a state government office where we were furloughed for a few days. Due to the human resources rules, I had to work as an hourly employee and not as an exempt employee during the week I took a furlough day. Moreover, I was limited to working only 32 hours that week.
For a couple of those weeks, I was the on-call. And our maintenance windows happened on Friday nights. Options on how to handle it were:
- Automate the maintenance so no human needs to be present.
- Postpone the maintenance.
- Shift my furlough day to some other time.
I, personally, preferred #1. The regular maintenance didn’t require a human to restart the services to address WebLogic memory leakage. We ran nightly restarts in crontab to spread out the likelihood of managed servers failing due to these. The restarts every other week addressed the same for the admin servers. The scripts were well tested, as all I did was run the stop script, wait for it to finish, run the start script, and wait for it to end. It’s easy enough to put these in a crontab. Plus, the work week started on Saturday, so I could schedule these for Friday night, not work Friday itself, and check on it after midnight during the following workweek.
Management disagreed, so we shifted my furlough day, sometimes more than once, both to keep me under 32 hours and to keep the mostly 24/7 service operational.
Dealing with a day here and there was painful enough. I cannot imagine managers’ challenges in keeping quality whitehats happy with this prospect of days to months. We weaken our national cybersecurity posture by failing to keep talent who have lots of places to go and not deal with a Congress to do their job and set a budget.