Lance Bellers - Fotolia
As the government shutdown extends longer, experts believe cybersecurity risks could grow and lead to bigger problems that go far beyond state and federal agencies.
The shutdown has already created government cybersecurity issues, as more than 80 TLS certificates for government websites expired in recent weeks since the shutdown began on Dec. 22. But experts noted that, because it is a partial shutdown, the risks are higher for agencies where workers are furloughed.
The Departments of Defense, Energy, Veterans Affairs, the legislative branch and other government agencies had funding secured with appropriations bills passed in September. However, a lack of funding has led to 85% of NIST employees and 43% of employees within the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency being furloughed, and the National Vulnerability Database is down to being staffed by a single individual.
Bryson Bort, CEO of cybersecurity vendor SCYTHE, based in Arlington, Va., and fellow at the National Security Institute, said the effects of the shutdown on government cybersecurity may "be invisible, but additive as this prolongs."
"For now, it's simple things, like NIST -- [which] provides best-practice guidance on cybersecurity -- has [its] webpages down that host those documents," Bort said. "Patching is certainly going to be slower, so if there are any serious and up patch requirements, then there could be a greater window than normal."
"The NCCIC [National Cybersecurity and Communications Integration Center], the DHS watchfloor [running a 24/7 ops center], is operating despite funding," he continued. "But, in general, monitoring is probably not happening at 100% of usual operations, which means that there is an increased chance that malicious activity may not be spotted."
Tim Callan, senior fellow at Sectigo, the certificate authority formerly known as Comodo, based in Roseland, N.J., agreed that problems will only get worse with time.
"In addition to certificates, IT departments must continually respond to patch requirements, hardware failures, bug fix requirements, and compliance monitoring and reporting," Callan said. "In the short term, these activities can be delayed with reasonable safety. But the more time that passes, the harder it is to ignore the tasks required to keep IT infrastructure running."
Callan added that the effects of the shutdown could extend beyond these agencies, because "the U.S. government is the nation's largest employer by a long shot, with connections across the entire global economy."
"Each agency affects the operations of not only other federal agencies, but also state and local government, private industry, NGOs [nongovernmental organizations] and individual citizens. Disruptions in expected technical operations can have cascading effects across other parts of the government and beyond," Callan said. "Likewise, a successful security exploit might not only affect the agency in which the vulnerability is discovered, but the information or access criminally gained might ultimately compromise other parts of government or the private sector."
Despite the risks, Bort said he doesn't believe threat actors will use the shutdown as an opening to attack.
Tim Callansenior fellow, Sectigo
"I do think this is a good opportunity to step up iterative campaigns to compromise, gather intelligence and place something quiet for the future," Bort said. "The biggest risk would be the IRS. The timing of the shutdown [is] right as we move into tax season. In the past, there have been significant issues with fraud. There are several key entities who have figured out that there is a lot of money to be made."
Callan said many agencies could be holding sensitive data that would be a target for malicious activity.
"It's imaginable that a compromise of the Department of Treasury or Department of Commerce or the FTC [Federal Trade Commission] could yield valuable industries secrets or [personally identifiable information], for example," Callan said. "If nothing else, every department possesses the W2 information of a large number of employees. The Department of Agriculture, for example, is 67% furloughed and has more than 100,000 employees. That W2 information alone is a rich target for cybercriminals."
Tim Mackey, technical evangelist at software maker Synopsys, based in Mountain View, Calif., also noted that the effects on government cybersecurity might continue after the shutdown ends.
"As the shutdown progresses, it's reasonable to expect furloughed workers will begin seeking alternate employment with their personal financial situation on the line," Mackey said. "Any material reduction in staffing from what agency leaders deem an effective minimum increase the risks of unintended disruptions."
"This is something we're already seeing with TSA checkpoints and likely is happening within IT departments, as well," he continued. "Looking into a post-shutdown world, hiring top talent may be that much more difficult when a candidate has an option of federal service versus private sector employment."