The list of services and agencies impacted by the partial federal government shutdown is growing, but the impact on cybersecurity seems to be the scariest.
The US government shutdown is affecting some agencies that handle cybersecurity duties, such as the Department of Homeland Security’s recently formed Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology (NIST).
The impasse on border security is not stopping threats, and cyber vulnerabilities will continue to grow when there are not enough resources to fight and prevent malicious activity against the public and private sectors. The effects being felt in the short term include one report that found that TLS certificates for at least 130 U.S. government websites have expired, which could lead to lapses in security certifications. Some key areas that are vulnerable are:
NIST’s cybersecurity guidelines are not available
A majority of the site, including cybersecurity documentation, isn’t being updated because of a lack of government funding. Private sector security professionals use the agency’s cybersecurity standards as a framework for how they should architect their organization’s security program, which security tools to use and how to properly implement security technologies like encryption schemes, so the lack of access to this documentation severely hinders a company’s ability to develop and implement robust security measures.
Increasing backlog of attacks and vulnerabilities
Once the shutdown is rolled back, cybersecurity professionals will have to deal with a backlog of threats, attacks, and vulnerabilities. It may take time to resolve all of them, and some may even slip through the cracks. In addition, successful infiltrations may have already happened, and since attackers tend to prefer “low and slow” operations to minimize the risk of getting detected, these several weeks would have given them ample time to conduct malicious operations or establish backdoors for use in future campaigns.
Passwords may need a reset, hiking risks
When they return to their desks after nearly a month, many of the almost 800,000 US government workers may have forgotten their passwords, so thousands of password resets may need to happen. This deluge may call for relaxed password reset policies, opening a window of risk. Attackers, who are always looking for a point of entry into US government websites, could take the opportunity these loosened policies offer to find weak spots in the government's defenses.
Government cybersecurity positions will be difficult to fill
With an existing cybersecurity talent shortage, where qualified security workers are difficult to find and even harder to retain, the shutdown will have ensured that a lot of talent simply leaves. Rehiring will be needed very soon, and finding talented, dedicated people to protect the country from cyber-attacks will be difficult after this loss of faith. Much of that talent will have shifted to the private sector.
The government will need to plan very meticulously when the offices do open to ensure the worst-case scenarios do not become reality.