The shutdown of many offices of the United States Government due to a standoff between President Trump and Congress over fortifying the US-Mexico border could create serious, long-term cybersecurity risks for the United States.
With hundreds of thousands of federal workers furloughed, and with funding for various programs frozen, it is possible, if not likely, that our nation’s defenses against foreign cyberattackers are not running at full capacity. Even if cybersecurity personnel themselves are at work, which is not fully the case, the absence of other workers means that various information technology, compliance, and human resource functions needed for maintaining proper cyber-hygiene are likely not being performed as needed. As a basic example, it is highly unlikely that updates and patches are being tested and applied in a timely fashion to all computers that need them – some government websites might even become vulnerable to compromise during the shutdown.
Ironically, many government websites whose SSL/TLS certificates have expired during the shutdown have not renewed them – so, while the sites may, in fact, be secure, anyone attempting to access them must ignore a warning that the sites may not be secure, a generally risky action to which the government should obviously not want people to become accustomed.
The shutdown has also had a dramatic impact on government agencies that help secure the private sector – such as the National Institute of Standards and Technology (which is part of the mostly-closed Department of Commerce) and the Department of Homeland Security. The risk becomes quite evident when viewing NIST’s cybersecurity page: just above the leading statement that “NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities” is a warning that reads “NOTICE: Due to a lapse in government funding, this and almost all NIST-affiliated websites will be unavailable until further notice.”
Additionally, the shutdown undermines federal law enforcement agencies, many of which already face serious challenges fighting cybercrime; FBI agents who are not being paid, for example, may be worried about their finances (or even moonlighting in order to pay their bills), and there is no new money to pay informants.
The shutdown also poses a long-term threat to cybersecurity staffing levels.
It is not a secret that there is a shortage of cybersecurity workers. As time passes, unpaid government workers are increasingly likely to seek jobs elsewhere, and graduating college students who would have otherwise considered working for the government are less likely to contemplate doing so. Simultaneously, government employees who are not being paid may fall behind on paying their bills – something that can cause folks to lose their security clearances. As the government is already understaffed when it comes to cybersecurity, losing even a relatively small number of talented folks from the teams dedicated to the most sensitive projects could potentially undermine national security. Criminals and foreign adversaries, for example, would be quite happy if FBI agents lose clearances and get removed from investigations. (Note: While critical Department of Defense workers are still at work, there are many people with security clearances in the Department of Justice, Department of State, Department of Homeland Security, etc., many of whom are not at work.)
There is little doubt that the longer the shutdown continues the more likely it is to create opportunities for our nation’s adversaries – some of whom may have already exploited the situation for their own gain, and to our detriment.
In fact, my personal recommendation would be that, as soon as Washington reopens, it conduct government-wide security assessments to ensure that no compromises took place, and, if any did, to address the relevant problems ASAP.
Our representatives in Washington should take notice. There is little doubt that the Russians, Chinese, and Iranians already have.