The US government has been in shutdown mode for a record length of time, already at the time of writing exceeding the previous Clinton-era record, 21 days in 1995-96, by more than 50%.
With disagreement over the $5 billion cost of President Trump’s border wall showing no signs of abating, the shutdown could well roll on into February.
What impact is the shutdown having on cybersecurity?
The most visible effect has been on government-run websites. As many users, and news outlets, have begun to notice, many sites have suffered the expiration of their digital certificates. By January 16th, Netcraft was reporting more than 130 US government sites were affected.
An expired certificate means the site is no longer trusted by browsers, many of which will prevent access entirely. This means these sites can no longer perform their core mission of connecting people with government services.
The importance of TLS, HTTPS and digital certificates to a more secure and private web has been widely acknowledged for several years, but it is only in the last couple of years that real progress has been made in transitioning to safer connection methods. This step-change has been driven largely by heavy-hitters such as Google, who announced just under a year ago that their search results would start flagging any site not holding a valid digital certificate as “not secure”.
This was introduced in July 2018, by which time anyone running a website and interested in getting any traffic had been forced to get with the program and implement HTTPS. To help with the process, various providers now offer low-cost or even free digital certificates to anyone who wants them. The US government was well ahead of the curve, demanding HTTPS-only on all government sites as long ago as 2016.
Of course, a policy is only useful when it is implemented, and can only be implemented when there are people available to do the work. When certificates expire they need to be renewed. In many organizations this is automatic, or occurs only rarely as cert licenses are taken out for long periods. Government tends to avoid long-term contracts like this, as they mean higher up-front spending and pass savings to a future, possibly rival administration.
There may also be contractual difficulties which require regular re-negotiation or approval. Nevertheless, it should be possible for government IT teams to either prepare for renewals well in advance, or predict when shutdowns are likely (they typically occur at fixed points of budget renewal) and keep their certificate renewal cycles well away from such danger periods.
Once a certificate has expired, the impact is often worse than having no certificate in the first place. Since Google’s move in mid-2018, unsecured sites are flagged as such, but can still be accessed. When a site claims to be secure but has an expired or otherwise invalid certificate, browsers tend to block access completely, at best only allowing people in after digging through some stern warnings or changing security settings.
If people are required to take such steps to access government sites, we risk undoing all the education efforts of the last decade and encouraging people to skirt security to get things done. And with physical government understaffed and overloaded, automated online services are likely to be in more demand than ever.
Bad actors are almost certain to be taking advantage of the situation, setting up clones of government sites, tricking users into accessing them without the usual warnings about faked or failed certificate checks, and harvesting the exact same sensitive personal data that HTTPS is supposed to keep private.
Patching and vulnerabilities
The shutdown has other effects beyond simple website security, of course. With IT teams running at skeletal staffing levels, many everyday tasks must be pushed aside as workers struggle to keep on top of the basics of keeping things alive. This may mean that applying patches and updates may be postponed, opening windows of vulnerability into crucial government systems.
Every day the shutdown extends, the more likely it is that a flaw in a piece of software being used to protect a government database or other system is discovered and exploited by malicious actors, but not patched due to the absence or distractedness of IT personnel.
Monitoring of events and investigation of anomalies may also be allowed to drift, eventually falling off the end of an ever-growing to-do list. This is exactly how those epic data breaches we keep hearing about manage to go unnoticed for months, sometimes even years.
Security staff morale
In the longer term, there are likely to be some serious consequences for staffing and morale. Thanks to technology evolving faster than education systems, cybersecurity expertise is already in short supply. Governments need to attract and hold on to the best available talent, and that gets harder when there’s uncertainty over when employees will get paid.
Contractors are a major part of many IT teams, particularly in governments where many short-term projects are required, and in shutdown situations contractors have a far worse time of it than full employees. Where employees may be “furloughed” with the promise of back-payment once the shutdown is over, most contractors are simply asked to stop working, and getting paid, as soon as a shutdown commences.
With contractors already short on job security, government work becomes less attractive and rates will be forced upwards, costing future governments more to get their business done. If governments can’t attract or afford the right skills, work done is of lower quality, and security is often one of the first things to be sacrificed at the altar of budgets.
Since the widespread uptake of the internet, governments have jumped at the chance to automate mass access to the services citizens require. As this shutdown shows, automation can’t entirely replace the people who keep the nation’s wheels turning.