Government Shutdown’s Negative Impact on Federal Cybersecurity
A quick glance at the headlines tell you how the government shutdown is affecting people across the country. National parks vandalized. Food safety inspections halted. Air travel at risk as planes aren’t fixed or inspected and TSA workers calling in sick instead of working without pay. These are all very serious concerns, but there is another area impacted by the shutdown: Our nation’s cybersecurity is at stake.
“The Department of Defense and Homeland Security are now using minimal staff to keep the departments running, jeopardizing their core responsibilities of ensuring our nation’s internet and critical infrastructures are protected from cybercrime and cyberattacks,” said Heather Paunet, vice president of Product Management at Untangle.
And with only a skeleton crew manning the networks, data sharing and rapid response can fall by the wayside, Paunet added. “Protecting the nation’s cybersecurity is a team effort, and we need all our departments up and running so that we, as citizens, can rest assured we are protected from all threats.”
1,500 Furloughed Cybersecurity Employees
Government shutdowns are never good, but for the administration’s cybersecurity efforts, the timing of this shutdown is particularly bad.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) had to put approximately 1,500 non-critical employees on furlough, or about 43 percent of its staff.
“The shutdown has caused inevitable delays on the agency’s progress toward becoming a formidable defender against would-be cybercriminals, especially since it has only been operational since last November,” said Logan Kipp, technical architect at SiteLock.
Also, on the day before the shutdown officially began, President Trump signed the SECURE Technology Act. This new law is designed to improve overall security with a bug bounty program, addresses vulnerabilities in DHS’s infrastructure and creates a process to address and mitigate supply chain risks. “There are several deadlines for DHS to accomplish key tasks outlined in this new law to strengthen cybersecurity,” Suzanne Spaulding wrote for The Hill. “These deadlines will simply be missed, and important protections and policies will be delayed.”
If you are trying to visit government websites, chances are the sites are unavailable or they aren’t secure. That’s because more than 80 TLS certificates expired in early January. Now that the security on these websites has expired, they are at risk of being compromised by our adversaries, using the sites for attack campaigns, according to Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team).
“Expired TLS certificates do not directly expose data, but when users visit the pages, they will be presented with an interstitial warning that the certificate is not valid,” said Young. If strict transport security is not enabled, the user is able to click through the warning and visit the site. Since users are being told to expect these warnings, it makes the perfect opportunity for an attacker to intercept connections using a fake TLS certificate. The error message may have different details, but most users will not recognize this.”
Also, Young added, with staff on furlough, it also means that government networks will miss January’s Microsoft patches, and if the shutdown continues, other patch releases will also not be applied. This is another door that has been opened for hackers and nation-states to enter into the government’s network infrastructure.
It isn’t just today’s cybersecurity being affected by the shutdown. Expect long-term ramifications for federal cybersecurity efforts, primarily in attracting a skilled security workforce. Government agencies have already struggled to fill employee vacancies, in part because the pay can’t compete with what can be earned in the private sector. Now, said Joseph Carson, chief security scientist at Thycotic, it is going to be even more difficult to keep experienced workforce from seeking a more stable work environment.
“The U.S. government will need to do much more to attract experienced cybersecurity professionals, given the recent chaos and instability,” Carson added.
Perhaps there will be one positive to come out of the shutdown in relation to cybersecurity. “When the government reopens, it will be a good opportunity to re-evaluate what we consider mission-critical, both within the DoD and across other agencies,” said Mukul Kumar, chief information security officer and VP of Cyber Practice at Cavirin. “It is very possible that additional cyber resources should be put in this bucket.”