Add cybersecurity to the already lengthy list of services and agencies impacted by the partial federal government shutdown.
While many essential defense and law enforcement personnel have been required to work without pay, some agencies that handle cybersecurity duties, such as the Department of Homeland Security’s recently formed Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology (NIST), are working with reduced staff.
Threat actors, meanwhile, aren’t stopping their campaigns because of an impasse on border security. Preventing them from carrying out malicious activity against public and private sector targets requires the full capabilities and resources of the federal government. Some of the shutdown’s effects will be felt in the short term. For example, one report found that TLS certificates for at least 130 U.S. government websites have expired, which could lead to lapses in security certifications. Others are more long term; for example, we may see fewer cybersecurity professionals considering careers with the federal government after these events.
Security professionals working for either private companies or government agencies will need to be vigilant while the shutdown continues. Here are some key areas to watch:
No access to NIST’s cybersecurity guidelines
Any security professional who’s visited NIST’s website since the shutdown began on December 22 has been greeted with the message that a majority of the site, including cybersecurity documentation, isn’t being updated because of a lack of government funding. Private sector security professionals use the agency’s cybersecurity standards as a framework for how they should architect their organization’s security program. This includes which security tools to use and how to properly implement security technologies like encryption schemes. A lack of access to this documentation severely hinders a company’s ability to develop and implement robust security measures, especially those that want to ensure they’re following the appropriate guidelines and measures.
Attackers may go undetected
When the government fully reopens, it’s almost guaranteed that security professionals will have a backlog of log files and threat alerts to review. There’s a real chance the most recent log files and alerts could be prioritized over older ones, which may never get reviewed due to time constraints.
But some of these overlooked alerts and log files may show suspicious activity. If the suspicious activity is actually a successful infiltration, that could mean attackers are on a government network without anyone realizing it. Attackers tend to prefer “low and slow” operations to minimize the risk of getting detected. With the shutdown extending for several weeks, attackers who infiltrated the government’s defense would have ample time to conduct malicious operations or establish backdoors for use in future campaigns.
Passwords resets can lead to weakened security
After being out of work for nearly a month, there’s a chance some of the 800,000 furloughed workers may have forgotten their passwords when they return, leading to thousands of password resets. In other cases, employees may be required to change their password at certain intervals (some organizations make employees change their passwords quarterly, for example) and missing the deadline requires calling IT support and asking for a password reset.
To deal with the flood of password reset requests, the help desk may relax password management policies and, for instance, allow employees to use a password they’ve used in the past or require fewer characters. While these shortcuts help people get back to work more quickly, they aren’t good security policies – especially considering how frequently the U.S. government is targeted. After all, attackers know people reuse passwords, many of which have already been exposed in data breaches. They could leverage these loosened policies as they attempt to find weak spots in the government defenses.
Government cybersecurity positions will be difficult to fill
The shutdown could make the federal government’s recruiting efforts difficult. Across the public and private sectors, there is already a major cybersecurity talent shortage; qualified security workers are difficult to find and even harder to retain. When presented with the option of either receiving a steady paycheck from a company or taking a government job and possibly going weeks without getting paid because of politics, corporate life may appeal more to a security professional.
Meanwhile, it’s important to recognize that the shutdown is hurting morale among current federal government cybersecurity professionals, who are already working on understaffed teams. The people who protect the country from cyberattacks are talented, dedicated, and believe in public service, but they also have bills to pay and families to support. Given the demand for their skills, some may have spent the shutdown fielding emails from recruiters or applying for private sector jobs.
From increasingly sophisticated attackers to ever-expanding attack surfaces, cybersecurity professionals already face enough daily challenges. With the added weight of reduced federal government support, their jobs will only get harder.
As the shutdown continues, hopefully keeping these possible outcomes in mind will lead to better cybersecurity.
John Callahan is Chief Technology Officer at Veridium.