Most people have at least heard of the partial shutdown plaguing the U.S. federal government. Now over three weeks old, the stoppage owes its existence to a conflict over border security funding. President Donald Trump wants $5.7 billion to build a new wall along the U.S.-Mexican border, while Democrats say they will not fulfill this request. This disagreement is a problem, as border security funding is tied to the federal government’s overall operating budget. No agreement means no consensus on passing an appropriations bill or even a short-term extension for large sections of the federal government to remain open.
As a result, nine federal departments and federal agencies including the Environmental Protection Agency (EPA) and the Federal Aviation Administration (FAA) closed on 22 December 2018 when their funding ran out. According to Fortune, other federal entities are currently open but have greatly reduced their workforce while the shutdown continues. Others have asked that only “essential” employees report to work knowing that they won’t be paid until after the shutdown ends. Together, these closures and reductions in work have caused 800,000 federal employees to be furloughed.
Obviously, this shutdown threatens the financial security of all affected federal employees and their families. But the trouble doesn’t end there. These hundreds of thousands of individuals are responsible for keeping the federal government up and running. Without them, crucial work doesn’t get done, and the nation suffers for it.
Digital Security and the Federal Shutdown: Short-Term Effects
We’re already seeing some short-term consequences with respect to digital security. Just over two weeks into 2019, Netcraft discovered that more than 130 TLS certificates used by .gov websites had expired. In the absence of a valid certificate, some websites have become unavailable, while others allow users to enter the site using an insecure connection. Digital attackers may, in turn, prey upon those users with man-in-the-middle (MitM) attacks.
An exact cause for these closures remains unknown, but it’s possible the federal shutdown had something to do with it by preventing people like web admins from showing up. A lack of such support personnel no doubt makes it more difficult for essential digital security personnel to do their work. As noted by Business Insider, these individuals now likely need to do more in the face of personnel shortages to get the job done.
With essential personnel burdened by these added tasks, it’s possible that federal networks will fall behind on basic digital security hygiene. For instance, Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the industry group Cyber Threat Alliance, told Business Insider that gaps in support activities, such as hiring and vetting contracts, will make it difficult to keep each agency’s workforce healthy and update needed equipment to ensure better digital security.
Craig Young, a security specialist with Tripwire’s research team, explained to CNBC that patching may also become an issue as the shutdown continues. Specifically, he noted how “it is likely that computer systems of several government agencies did not receive the January 2019 Microsoft patches and will soon miss updates from Oracle and other vendors.” As a result, Young anticipates there will be more instances in which nation-states like Russia exploit those weaknesses using malware that can infect routers. Such threats are “perfect for surreptitiously hijacking HTTPS connections to US government web sites,” Young added.
Troubling Long-Term Impacts
The consequences discussed above are concerning, but agencies and organizations can rectify most of them once the federal government opens. Unfortunately, not all of the shutdown’s effects are as easily remedied. There are a few developments in particular that may have more lasting ramifications for the nation’s digital security. These include the following events:
New Cybersecurity and Infrastructure Security Agency Delayed
Back in November, President Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, legislation which established the Cybersecurity and Infrastructure Security Agency (CISA). This entity, according to the Department of Homeland Security, “leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.” But CISA can’t do either with 40 percent of its staff furloughed in response to the shutdown. In the absence of CISA’s leadership, critical infrastructure organizations may fall behind today’s digital threats as they continue to evolve and grow more numerous.
Automated Indicator Sharing Stalled
Critical infrastructure organizations aren’t the only ones that might not be up to date with the latest digital threats because of the shutdown. As reported by TechCrunch, a program inside the Department of Homeland Security known as Automated Indicator Sharing (AIS) is supposed to enable the rapid exchange of threat indicators between the federal government and the private sector. With its staff furloughed as well, AIS can’t share indicators of an attempted compromise with its network in real time. Partners therefore can’t implement measures to protect themselves from that threat on a timely basis. At the same time, criminals will now have time to learn from their mistakes, modify their attacks and make them more difficult to detect in the future.
Missed Deadlines for SECURE Technology Act
On the eve of the most recent federal shutdown, President Trump signed the SECURE Technology Act into law. The aim of this legislation is to reduce supply chain threats affecting the federal government as well as to establish a bug bounty program and vulnerability disclosure policy at the Department of Homeland Security. But with a reduced workforce, federal agencies such as Homeland Security can’t fulfill the deadlines set forth by the Act. These delays will increase both the number and severity of supply chain risks and unknown vulnerabilities that threaten government networks.
NIST Set Back in Its Publication Schedule
At its core, the National Institute of Standards and Technology is an organization that uses research to publish standards for cryptography, microbial systems and other important disciplines. Given the fact that the shutdown has reduced its employee base to just 79 people, NIST doesn’t have the resources to keep its original research and publication schedule. The institute will likely face delays in releasing new digital security standards. As a result, the U.S. government will need to wait to protect itself using the latest digital security best practices.
A Powerful Message to Digital Security Experts Everywhere
The federal shutdown remains in effect as of this writing. Unfortunately, there’s no clear end in sight. The New York Times recently quoted President Trump saying that the closure could last “months or even years.”
Fifth Domain feels this uncertainty may be the worst consequence of the shutdown overall for the federal government and its digital security. While they struggle to do even more with fewer resources or wait to go back to work, public digital security employees will no doubt cast a glance to the private sector, where jobs pay better and where the unemployment rate for trained digital security professionals is zero percent. In the private sector, digital security experts don’t have to worry about political vicissitudes temporarily throwing them out of a job or delaying their pay.
Such stability may serve as a powerful enough message to lure some out of public service and into the private sector. It may also discourage budding digital security professionals from serving their country. Absent these bright security minds, federal networks will be all the more vulnerable to digital threats for years to come.