How the government shutdown is putting national cybersecurity at risk
- The country's cybersecurity stance has been weakened by the partial government shutdown, with both immediate and longer-term negative consequences.
- This is especially true as a longstanding "brain drain" of cybersecurity talent has turned into an open bleed.
- Many essential cybersecurity functions continue, but the jobs are made harder by the fact that other IT staff who would normally implement routine fixes are furloughed.
The partial government shutdown is quickly turning into a nightmare scenario for the country's cybersecurity functions, often in unexpected ways. Even after Congress ultimately reaches a deal to end the shutdown, these negative effects could last far into the future.
Close to half of the employees within the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA — which works to help secure the nation's critical infrastructure industries, such as banking, water, energy and nuclear — are furloughed. Eighty-five percent of the National Institute of Standards and Technology workers have been furloughed as well, and these are the employees who help private- and public-sector companies stay up to date on the latest cyberattacks and mitigation techniques.
The shutdown is also contributing to an already stark brain drain of cybersecurity talent, creating new, possibly disgruntled insider threats and ushering in a huge backlog of unchecked and needed security updates.
Here are a few of the ways the lack of government funding is grinding down America's cybersecurity readiness.
Basic maintenance on hold
"CISA coordinates all cybersecurity efforts between the government and its private partners, ensuring both are properly trained and prepared to handle potential cyberattacks," explains Jon Murphy, leader of the cybersecurity practice at consulting firm Alliantgroup. "The absent employees could mean that various US government agency's computer systems might go without needed security updates and possibly lack the ability to detect newer intrusions/attacks timely."
Even cybersecurity functions that are deemed "essential," including those that deal with active defense of nuclear systems and other critical functions, are suffering because of a lack of incoming information and assistance from other government agencies.
"The government shutdown is raising new and alarming concerns as routine website maintenance is essentially furloughed," said Mike O'Malley, VP of strategy at Radware.
"Because almost all 'routine' maintenance includes a level of security patching along with human touchpoints, we have laid out the welcome mat to any and all nefarious actors," he said. "Unfortunately, we know all too well from experience that hackers, especially nation-state sponsored, have a high level of patience and are willing to lie in wait for the most opportune moment."
One basic maintenance task often filled by entry-level employees is monitoring websites for expired security certificates.
Because of the shutdown, more than 80 such certificates have expired across agencies such as NASA and the Department of Justice, according to research from cybersecurity company Tripwire.
The certificates in question are called "TLS" or "transport layer security," which provide security as part of securing websites using HTTPS. This is the protocol that encrypts data being transferred over the internet, including your emails, web browsing history and the secure documents you send. It's extremely important.
When certificates expire, websites become more susceptible to having encryption broken, opening a way for hackers to read information in transit. The frequent pop-ups also provide another opportunity for fraudsters to create phony links that transmit malware.
"In addition to expired HTTPS certificates, with federal workers furloughed, it is likely that computer systems of several government agencies did not receive the January 2019 Microsoft patches and will soon miss updates from Oracle and other vendors," said Craig Young, a security specialist with Tripwire's research team.
Young said he expects these weaknesses could lead to attacks from nation-states such as Russia, which has developed malware that can be implanted on routers — malware that "is perfect for surreptitiously hijacking HTTPS connections to US government web sites."
What this all means is that while the shutdown may only last weeks, malware may be implanted that lasts long past any time when a congressional deal is finally reached.
The people problem
Furloughed workers and closed agencies have also created a "bad look" for government agencies looking to fill cyber jobs.
"Undoubtedly IT job seekers had a more negative view of federal employment due to the shutdown," said Dave Mihelcic, federal chief technology and strategy officer for Juniper Networks, and former chief technology officer of Defense Information Systems Agency. "Likewise the most talented IT professionals in federal service were left with lasting questions about their future that would cause some to seek outside opportunities."
Young employees have traditionally viewed government cybersecurity jobs as quite prestigious. Working in cybersecurity at the National Security Agency, Central Intelligence Agency, Department of Homeland Security, Justice or Energy departments can significantly bolster a graduate's resume. The most lucrative private-sector jobs often place a premium on experience with these agencies.
But the shutdown may change that perception as it wears on, Mihelcic said, especially as the best cybersecurity specialists have many other options, and it's questionable whether these agencies will even be able to adequately recruit them.
"With the class of 2019 graduating in just a few months, there is a new pool of talent entering the job market who have a dynamic set of IT and cyber skills to offer employers from both the private and public sector," Mihelcic said. "As the war for this pool of talent begins, the government furlough could present significant ramifications for agencies because they are currently precluded from making any headway in attracting, recruiting and hiring prospective IT and cyber candidates."
Cybersecurity is also often severely hurt by insiders who steal information to sell it, sabotage systems because they are angry or steal intellectual property for their own financial gain, among other malicious activities.
Insiders are often motivated by three key factors — financial problems, organizational issues and politics, according to experts at insider threat management firm ObserveIT. All of these factors are particularly heightened among government workers and can lead to a proliferation of malicious insiders.
Data can be relatively easy to steal for a government employee with access no matter the motivation, said Sai Chavali, a security strategist for ObserveIT.
Chavali pointed to the recent case of NSA contractor Harold Martin, who is scheduled to stand trial in June for taking 50 terabytes of data during his tenure. Martin's attorneys have argued he was a "hoarder" of data, and though his actions — which allegedly lasted more than a decade — were unrelated to the shutdown, they illustrate how much damage a single determined insider can do, said Chavali.
"[Martin's] incident specifically highlights how hard it is to detect user activity," Chavali said. "Commonly we're seeing malicious and technical users choose these hard-to-track external storage devices (such as flash and hard drives) to exfiltrate data out of their endpoints without touching the network over multiple years."
The government will face other issues related to long-term planning, said Robert Silvers, a cybersecurity partner at law firm Paul Hastings and a former top cyber official at DHS. "The problem is that strategic planning gets put on ice. Proactive outreach to companies, local law enforcement, international partners, procurement of new technology — it's all frozen," he said.
"It would be like keeping the military operational but halting weapons purchases and maintenance. It's corrosive in the long run and impedes progress in an area where we already have a lot of work to do."
Correction: This story has been corrected to reflect the fact that the websites of the U.S. courts of appeals continue to be actively managed during the partial government shutdown.