While the U.S. Federal government is running (for now) again, there remains a concern that the partial shutdown will have a long-term impact on the cybersecurity readiness of the nation.
The shutdown was the longest in U.S. history, and it had federal workers applying for unemployment, seeking emergency loans, and asking for postponements on their mortgage payments. Many experts contend that the partial federal government shutdown had an immediate impact on the cybersecurity readiness at the Department of Homeland Security and the Department of Justice — and even longer-term implications when it comes to staff morale and the ability to hire new talent going forward.
And, should a deal not be made between Congress and the President, there’s a very real chance of another imminent partial shutdown.
Cybersecurity investigations under pressure
The shutdown harmed information security investigations underway, as recently covered by the site Bankinfosecurity.com. “The shutdown is also affecting activities that could have a long-term cybersecurity impact in other ways. The FBI, for example, reports that the shutdown is compromising its ability to run operations or pay informants.”
“The FBI Agents Association, meanwhile, reports that many FBI agents have a security clearance, which relies on them avoiding debt. But with agents not getting paid, they are at greater risk of going into debt and losing their clearance, which could further compound the bureau's operational readiness. "Financial security is a matter of national security," the group warns in an open letter,” Bankinfosecurity’s reporting continued.
In his post “How the U.S. Govt. Shutdown Harms Security,” independent investigative security journalist Brian Krebs quoted a federal agent off the record as saying that the shutdown “is crushing our ability to take the fight to cyber criminals.”
“The talent drain after this is finally resolved will cost us five years,” the source, who asked to remain anonymous because he was not authorized to speak to the news media, told Krebs. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”
While the recent refunding has relieved some of the pressure, concerns remain that the government will be shut down a second time should no long-term deal be made between the President and Congress.
Websites and systems lacked upkeep
Meanwhile, during the shutdown, federal government websites, from NASA to the Department of Justice, ran with out-of-date certificates. As Bleepingcomputer reported, government (.gov) websites with expired certificates on the HSTS preload list were no longer accessible. “One of the websites affected by this mishap is Department of Justice's https://ows2.usdoj.gov/, which displays an error message warning visitors that the connection is not private or secure, depending on the used web browsers.”
This is more than just an accessibility problem; it also poses a severe security risk. Sites with expired certificates are at increased risk of fraud, identity theft and certain types of man-in-the-middle attacks. “To make things worse, because ows2.usdoj.gov is also on Chromium's HTTP Strict Transport Security (HSTS) preload list, the website will not be accessible given that both Google Chrome and Mozilla Firefox will automatically hide the button allowing users to ignore the warning and open the website,” Bleepingcomputer reported.
Those web users with browsers that rely on HSTS lists from Chrome will find that they can’t access any sites using expired certificates. Both Google Chrome and Mozilla Firefox remove the “advance” option from the warning dialog box.
As Netcraft detailed, removing that flexibility (to click advance and ignore the certificate warning) is sure to frustrate some people, but “in this case, security is arguably better than usability when you can't have both. If users were to ignore such warnings, they would be vulnerable to the type of man-in-the-middle attacks that TLS certificates were intended to combat.”
However, because of less stringent HSTS (HTTP Strict Transport Security) policy implementations, the warning dialogue boxes are sub-optimal. “Consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass. This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks,” Netcraft continued.
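The distinction drawn above, between expired certificates that lock visitors out and those that leave a click-through warning, can be triaged by a monitoring job. The following is an added example, not code from the article or from any of the sources it quotes; the hostnames, dates, preload set and cached headers are constructed sample data, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data: hostnames and dates are illustrative only.
PRELOADED = {"preloaded.example.gov"}   # stand-in for a browser's HSTS preload list
CERTS = {                               # notAfter, in the format ssl.getpeercert() returns
    "preloaded.example.gov": "Dec 17 12:00:00 2018 GMT",
    "dynamic.example.gov":   "Jan  5 12:00:00 2019 GMT",
    "plain.example.gov":     "Jan  5 12:00:00 2019 GMT",
    "healthy.example.gov":   "Nov 30 12:00:00 2019 GMT",
}
# Strict-Transport-Security values a browser cached on an earlier, valid visit
# (assumed here to be still within their max-age window).
CACHED_HSTS = {"dynamic.example.gov": "max-age=31536000; includeSubDomains"}

def hsts_max_age(header):
    """Return max-age in seconds from an HSTS header value, or 0 if absent or invalid."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return 0

def classify(host, now, warn_days=30):
    """Classify how a visitor's browser would treat this host's certificate at `now`."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(CERTS[host]), timezone.utc)
    if (expires - now).days >= warn_days:
        return "ok"
    if expires > now:
        return "renew-soon"
    # Expired: a known HSTS host fails hard, with no option to proceed.
    if host in PRELOADED or hsts_max_age(CACHED_HSTS.get(host)) > 0:
        return "expired-blocked"
    # Expired without HSTS: the visitor sees a warning that can be bypassed.
    return "expired-bypassable"

if __name__ == "__main__":
    now = datetime(2019, 1, 10, tzinfo=timezone.utc)
    for host in CERTS:
        print(f"{host:24} {classify(host, now)}")
```

Hosts reported as `expired-bypassable` are the ones where visitors can click through the warning, so they deserve renewal priority alongside the hosts that are fully blocked.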
The security framework and guidance documents that security professionals rely on are difficult, if not impossible, to find on official websites, with 85 percent of the employees at the National Institute of Standards and Technology (NIST), the arm of the federal government that manages many of them, sent home.
While cybersecurity is designated as a critical operation, that doesn’t mean it isn’t affected by the shutdown, as Gopal Ratnam writes in Roll Call: “Meanwhile, the House Homeland Security Committee, which oversees the Department of Homeland Security, said it remains in the dark about how the shutdown has affected the department’s mission to safeguard critical infrastructure from cyberattacks.”
“With so many cyber activities reliant on highly skilled contractors required to augment government personnel, government shutdowns significantly degrade the ability of the government function to meet all of their cyber mission requirements,” said Greg Touhill, president of Cyxtera Federal, in that story.
Touhill cited security operations, software patching and penetration testing as “essential functions” deferred because of the shutdown.
Even when federal departments designate security operations centers as critical during a shutdown, “they still have gaps covering mission-essential tasks, and many of the smaller agencies affected by the shutdown are unable to maintain the full 24x7 watch coverage,” Touhill, a retired U.S. Air Force officer who served as the first U.S. federal chief information security officer in 2016, told Roll Call.
Long term ramifications
While these were all short-term impacts, many contend there could be much longer-lasting damage done by the shutdown. As Joseph Marks reported in the Washington Post Cybersecurity 202 Newsletter, “About 20 percent of staffers are furloughed at the Department of Homeland Security's main cyber operations division, and most are administrative and support staff, a DHS official told me. Across the department's full cyber and infrastructure security division, about 43 percent of staff are furloughed, according to a planning document.”
“With the prospect of better pay and greater job security in the private sector, more government cyber operators are likely to decamp to industry, those former officials tell me, and the smartest cybersecurity graduates will look to industry rather than government to hone their skills. That’s especially dangerous, they say, considering the government’s struggle to recruit and retain skilled workers amid a nationwide shortage of cybersecurity talent,” Marks reported.
Not all parts of the government were closed. There was one person maintaining the National Vulnerability Database (NVD), and a small team was maintaining the National Cybersecurity Center of Excellence (NCCoE) during the shutdown.
Further, the National Cybersecurity and Communications Integration Center service desk, which was accepting calls, and the National Technical Information Service both remained open and running.
While federal agencies are mandated to maintain baseline levels of cybersecurity across agency systems, the reality was the shutdown made that mandate unrealistic and increasingly difficult, and in some cases impossible, to achieve.