On December 22, 2018, a partial shutdown of the US government began. While the initial news coverage seemed to focus on the damage to national parks and the 800,000 federal workers who are either furloughed or forced to work without pay, it’s now clear that the shutdown is having far-reaching and unexpected consequences. Several growing cybersecurity issues stem from the shutdown.
From a personnel perspective, the cybersecurity teams within the Department of Homeland Security and the IT staffers across all affected agencies are working on skeleton crews. For example, there are currently 1,500 fewer staff members working than usual in the Cybersecurity and Infrastructure Security Agency. This unstable work environment could seriously harm the already difficult recruitment of future cyber experts and will likely push existing workers into the private sector. So, the lack of staff not only means there are fewer threat detection and mitigation actions that can be performed, but the daily security maintenance of our government’s websites is also suffering.
The HTTPS encryption certificates of at least 130 government websites have expired during the shutdown. Encryption certificates are incredibly important, both as a tool for organizations to monitor security threats and as a signal to website users that the site is secure and sensitive data can be transmitted to it. A valid certificate demonstrates that a trusted certificate authority has verified the web address and the ownership of the website. Two indications to users that a website is secure are the padlock image generally shown next to the website address and an address starting with “https” instead of “http.” When a certificate has expired, the web browser warns the user.
This could have several unintended effects. Inexperienced web users might be unduly alarmed by the warning and assume that their information is no longer secure. However, once told of the issue, they might start ignoring the warnings, which is also problematic. Security certificates authenticate sites and help protect users from sending sensitive data to impersonator sites. Without that authentication, an impersonator site might look enough like the real site that unwitting users fall for it.
Expired certificates can also lead to massive data breaches. In 2017, the data of over 143 million Equifax users was stolen after Equifax allowed the security certificate of a monitoring device to expire. Once they updated the monitoring device’s certificate, Equifax immediately realized that massive amounts of data had been transferred out of the system, beginning over two months prior to the discovery. Astonishingly, Equifax also realized that they had allowed at least 324 other certificates to expire, 79 of which were for devices monitoring highly business-critical domains. Therefore, daily site maintenance is critical, and every further day of the shutdown merely increases the backlog that IT staffers will face upon returning to work.
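The daily expiry check argued for above, as an added example that is not part of the original article: it classifies a certificate as expired, expiring or fine from the `notAfter` field a Python TLS socket reports, and the live check reports a failed handshake the same way a browser would show a warning. The `www.example.gov` hostname, the sample certificate dates and the 14-day warning window are assumptions.

```python
"""Daily HTTPS certificate-expiry check (assumed 14-day warning window)."""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 14  # assumption: warn two weeks before a certificate lapses

def classify(cert: dict, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> dict:
    """Classify a dict shaped like ssl.SSLSocket.getpeercert(): returns the
    subject CN, whole days remaining and 'expired' | 'expiring' | 'ok'."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    days_left = (not_after - now) / 86400
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {"cn": subject.get("commonName"), "days_left": int(days_left), "status": status}

def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a verifying context and classify the served certificate.
    Anything a browser rejects (expired, wrong name, untrusted CA) fails the
    handshake, so the monitor reports the same condition users would see."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, **classify(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "verification_failed", "reason": exc.verify_message}
    except OSError as exc:
        return {"host": host, "status": "unreachable", "reason": str(exc)}

# Constructed sample (not a real certificate); the hostname is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.gov"),),),
    "notBefore": "Dec  1 00:00:00 2018 GMT",
    "notAfter": "Jan  5 00:00:00 2019 GMT",
}

if __name__ == "__main__":
    # Evaluate the sample as of 10 Jan 2019: it lapsed five days earlier.
    print(classify(SAMPLE_CERT, now=ssl.cert_time_to_seconds("Jan 10 00:00:00 2019 GMT")))
```

Running `check_host` over a list of an agency's hostnames each morning turns the browser warning users see into a ticket the remaining staff can act on before the certificate lapses.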
Another concern is that hostile foreign governments and sophisticated hackers are no doubt exploiting this period to either carry out malicious attacks or insert infrastructure into the systems for future attacks. Also, the government has several different agencies that host vital information that is used daily by private sector companies and employees. In some cases, these government websites are down entirely and the harmful effects of the shutdown grow as the private sector struggles to continue working without this vital information. These aren’t the types of concerns that will make the front page of newspapers, but they might six months from now after an investigation into how our cybersecurity has been compromised.
Abi Christoph, 21 January 2019