As the Government Shutdown Drags on, Security Risks Intensify

Credit to Author: Lily Hay Newman| Date: Wed, 16 Jan 2019 12:00:00 +0000

The current federal government shutdown, the longest in United States history, is in its fourth week, with no clear path to resolution. With 800,000 federal employees on full or partial leave as a result, cybersecurity experts raised an early alarm about how the shutdown would impact US cybersecurity. Those early concerns have since compounded and evolved into a mounting crisis.

Most intelligence and law enforcement work is continuing during the shutdown, because the Department of Defense already has its funding established for 2019. And a large number of critical federal employees outside of DoD are being asked to report to work uncompensated until they can receive backpay. But crucially, from a cybersecurity perspective, organizations within the Department of Homeland Security—including the new Cybersecurity and Infrastructure Security Agency, launched in November—are operating with a skeleton crew.

"The problems are growing as the shutdown continues."

Carlos Perez, TrustedSec

The lack of resources has stoked fears that sophisticated hackers may use the shutdown as an opportunity to infiltrate inconspicuous, backwater federal networks, which they could then use as a launchpad to penetrate more valuable government targets. As the shutdown persists, attackers have had weeks, instead of just hours or days, to make their moves. They could be carrying out entire operations, or laying malicious infrastructure for future assaults.

That may sound extreme, but less so when you consider how many probes and attempted intrusions the US government defends against every day—and how many times motivated hackers have successfully penetrated those defenses. And that's when everything's operating at full capacity.

"The problems are growing as the shutdown continues," says Carlos Perez, head of research and development at the IT security firm TrustedSec. "My friends in the government say their biggest worry is that other states or other actors are going to up their tempo while there are fewer people to watch the systems. But what worries me the most is the loss of knowledge capital because of this shutdown—there are a lot of resumes going out right now."

Which leads to another unfortunate consequence of the shutdown. The federal government already struggles to compete with private industry on recruiting cybersecurity practitioners with diverse specialities. The shutdown could make government work an even tougher sell "If it continues for much longer it’ll create lots of problems," says Ang Cui, CEO of the embedded security firm Red Balloon. "Furloughs are great recruiting opportunities for companies like Red Balloon, though."

It's also not just law enforcement that's affected. Eighty-five percent of employees at the National Institute of Standards and Technology are also furloughed. And while NIST is a standards body, not a threat detection organization, it still plays a vital role in ensuring that developers all over the world implement encryption schemes correctly and securely. The shutdown interruption means that NIST's website is down, and by extension, the documentation and other resources it provides are all unavailable.

"It means the private sector can’t get work done," says Matthew Green, a cryptographer at Johns Hopkins University. For example, many companies that implement encryption schemes for financial transactions need to have their systems evaluated under the Federal Information Processing Standard, to ensure there aren't any errors in such high-stakes code. "If people can’t get standards, they could make mistakes," Green says.

Meanwhile, daily security IT maintenance is breaking down. Many government websites have had their HTTPS encryption certificates expire during the shutdown, exposing them to potential snooping or even impersonator sites. And with most IT staff staying home, it seems unlikely that software patches and upgrades are being installed at their regular clip, potentially leaving them exposed to malware they'd otherwise be protected against. Events like DHS’s annual "Cybersecurity and Innovation Showcase," where the agency examines new cybersecurity technologies for potential purchase, have also had to be cancelled.

Whenever the shutdown ends, IT managers and cybersecurity analysts will have to dig out from weeks of systems logs and automated threat alert data while also attempting to resume full operations. The bigger the backlog, the harder it will be to catch up.

"Each day multiplies the added impact," says Michael Borohovski, cofounder of web security firm Tinfoil Security. "It's going to take even more effort for groups and agencies to get back up and running and get up-to-date with the latest threats and concerns, setting us back significantly."

The shutdown is even hindering progress on implementing cybersecurity-related legislation. For example, the 21st Century Integrated Digital Experience Act, passed on the day the shutdown started, aims to standardize government websites across agencies and create a baseline for consistent security defenses. The law gave agencies 180 days to meet the requirements. Similarly, the SECURE Technology Act includes deadlines that will now be difficult to meet. Some relate to establishing vulnerability discovery and remediation programs at DHS, while others have to do with supply chain monitoring procedures to tighten oversight of hardware parts in electronics.

All of which, again, takes a back seat to whatever's going on behind the scenes and undetected on government networks. The US's digital adversaries have shown that they take opportunities where they can get them, as with China's massive 2014 hacking spree, which included the devastating Office of Personnel Management breach. Investigations have since shown that part of the reason the OPM attack spiraled to such an extreme was that the agency's IT and digital security teams were understaffed.

"The important takeaway," says Borohovski, "is that cyberthreats decidedly do not operate on the US government's schedule."

https://www.wired.com/category/security/feed/