Should Agency Websites Shut Down with the Rest of Government?

Some government websites were inaccessible during this week’s government shutdown. Content on other government websites was accessible, but only content published prior to the shutdown. In one instance, the National Science Foundation (NSF) suggested that maintaining its website during a government shutdown could pose cyber security risks. In contrast, the National Endowment for the Humanities (NEH) website remained open but was not updated. The NSF may run its own physical web server(s) onsite, while NEH and other agency sites that continued without interruption are hosted on the enterprise cloud. Conclusions cannot yet be drawn that government-run web servers went dark and cloud-hosted sites remained up.

Could The Cloud Save Government Websites From Going Dark In The Next Shutdown?
Forbes | By Kalev Leetaru

Last April I wrote that rumors of the EPA’s open data website disappearing were merely the bureaucratic outcome of a potential government shutdown, but that perhaps the renewed attention to where the government’s scientific agencies host their data might yield changes that would make them more resilient to future government shutdown threats. Unfortunately, it appears that not all agencies learned from last year’s public outcry and earlier this week the US Government shutdown ended up turning off the lights on some US Government websites. How can it be in 2018, with the web such an important way of interacting with government agencies, that entire agency websites could simply vanish at the metaphorical stroke of midnight?
During this past weekend’s US Government shutdown, the EPA open data portal was spared, as was the USDA website, which simply added a brief message about the site not updating during the shutdown, in contrast to the 2013 shutdown, when they just removed their entire site. The portal largely shut down, though it made an archive of its metadata available via BitTorrent.
The National Science Foundation’s (NSF) website was a different matter. As with the EPA scare last year, I was first alerted to the disappearing site when I started receiving messages from colleagues looking for datasets, critical PDF documents, forms, references and other data from the now-vanished National Science Foundation’s website. Visitors to the NSF website were greeted with an homage to the simpler days of the web: a text-only one-page HTML homepage generated in Microsoft Word.
In contrast, the website of the National Endowment for the Humanities (NEH) remained completely open with the only modification being the addition of a small link to the agency’s shutdown plan. Unlike NSF, NEH’s shutdown directive provides that “public NEH websites such as and will remain up, but will not be updated.” This is what one might expect from a government agency in 2018: websites simply freeze in time until the government resumes, but whatever was there prior to the shutdown remains accessible.
Similarly, websites for NIH, NASA, USGS, DOE and countless other agencies remained active.
When reached for comment, an NSF spokesperson responded that the agency had shut down its website in 2013 as well and that “The OMB memorandum [OMB-M-18-05] provides further guidance on continuity or suspension of IT operations for an agency, stating that continued access to agency websites does not warrant the retention of personnel or obligation of funds. Consistent with OMB guidance, NSF evaluated the potential operational impact and cyber security risks of maintaining agency websites, and decided it would be most prudent to suspend website operations.”
It is remarkable that NSF cited cyber security risk as a reason for shuttering its website during the shutdown. Given that many other agencies left their websites operating, does this mean they simply tolerated a higher risk of their sites being compromised? Or have they adopted a better cyber security posture that makes their sites more able to weather a shutdown without being hacked?
This also raises the question of what happens to US Government computing systems during a shutdown if they come under cyber-attack and whether website defacement and computer breaches would be detected and/or remediable during a shutdown. If NSF felt it would be unable to adequately detect or respond to a cybersecurity breach of its web site during a shutdown, does this mean that the US Government needs to develop a special cybersecurity policy to assist agencies during shutdowns?
Despite apparently feeling that the cybersecurity risks of leaving its website online during the shutdown were severe enough to warrant its deactivation, the agency did not suspend its social media accounts. When asked why it felt those accounts were not at risk from being taken over during the shutdown, the agency did not respond other than to confirm that it left its social accounts online, but did not update them.
The agency also did not respond beyond its statement above as to why it believed that it could not safely leave its website online, even while many of its peer agencies did so. When asked how “NSF determined that ‘cybersecurity risks’ warranted the deactivation of its website, while its peer agencies continued to operate their sites as normal” and whether “NSF has comment on whether its web infrastructure is notably different from its peers and thus at greater cybersecurity risk?” the agency responded “The OMB guidance stated that agencies should both evaluate potential operational impacts and cybersecurity risks of maintaining agency websites. Like in 2013, we decided it was most prudent to suspend website operations.”
Given that NEH felt so confident in the ability of its website to function unattended during the shutdown that it actually codified in its written shutdown policy that the site would continue to be available, it raises questions of why NSF believes its own website could not safely remain available. After all, if NSF believes its site is so vulnerable that it would be at risk during a shutdown, what does that say about its security posture and safety that it believes it cannot withstand even a few days on its own? NSF did appear to concede that it might learn from its peer agencies, saying “NSF is reviewing its plans and identifying ways where we can make changes while still complying with the law.”
While the agency itself would not comment on why it was unable to leave its website functioning, one clue might be a 2016 bulletin that suggests the agency may run its own physical web server(s) on premises, rather than outsourcing its website hosting to the enterprise cloud. In contrast, websites for NEH, NIH, and NASA all continued without interruption and all resolve to IP ranges in Amazon’s AWS cloud, meaning they could rely on Amazon’s enterprise-grade infrastructure and security to continue functioning even in the absence of Government IT staff to monitor them. DOE’s website, which resolves to an IP hosted by BlackMesh hosting services, similarly remained up. At the same time, however,, which was shut down, resolves to an AWS and CloudFront IP address, while the USGS website appears to resolve to a US Government IP range and remained up.
Thus, it is not as clear cut as saying that government-run web servers went dark and cloud hosted sites remained up. If the Department of Interior and NSF both indeed operate their own web servers, why is it that the Interior was able to configure those servers to safely and securely continue to function during the shutdown, while NSF felt it was unable to continue making its websites available without placing them at an unacceptable operational and cybersecurity risk? Why did shutdown even though it is hosted in the commercial cloud, while other sites also hosted in the same cloud remained available? GSA did not respond to a request for comment as to why was disabled during the shutdown.
Clearly, agency decision making played a key role as to which agencies decided to leave their sites running and which made the decision to wipe their agency from the digital world with a single keystroke in an erasure that would make Orwell’s 1984 government proud.
Putting this all together, it is remarkable that in 2018 a government shutdown could result in entire agency websites and the open data portal of the United States going dark. Even more remarkable is that at least one agency responded that its website shutdown was due at least in part to cybersecurity concerns of running its site unattended, suggesting the US Government may need a unified cybersecurity policy to protect agencies during shutdowns. It is noteworthy that even those agencies that shuttered their websites appear to have left their social media accounts online, instead of similarly suspending them out of fears that attackers could leverage social engineering or other approaches to take them over while they were unattended during the shutdown.
That the Government’s outsourced communications platforms on Twitter, Facebook and elsewhere largely remained online even as some websites were turned off, raises the question of whether the US Government should simply outsource the rest of its public digital presence to the firms that power the modern digital age? It appears that many federal agencies have already outsourced their web hosting and that those cloud-hosted sites from the White House (Akamai) to the Department of Energy (BlackMesh) to NEH, NIH and NASA (Amazon AWS) largely remained up during the shutdown, though with the notable exception of
In the end, many US Government agencies that shut down in 2013 seem to have learned their lessons and remained available this time, while others chose to wipe their agencies from the digital world in favor of 1990s-style one-page homepages written in Microsoft Word. The trend towards outsourcing Government hosting seems to have helped, with even those agencies shuttering their websites electing to keep their cloud-hosted social media accounts running. Perhaps as the last technology holdouts finally join the modern era and as Government moves the rest of its hosting infrastructure to the cloud, the US Government will no longer go digitally dark during the next shutdown.