Several parts of the federal government have been shut down for about a month now, and cybersecurity professionals say government websites are becoming more vulnerable to security breaches each day the shutdown lasts.
Visitors to manufacturing.gov, for instance, are finding that the site has become unusable — its information about the manufacturing sector is no longer accessible. Instead, it features this message at the top of the homepage:
NOTICE: Due to a lapse in appropriations, Manufacturing.gov and all associated online activities will be unavailable until further notice.
Security certificates help keep websites secure, but last week the British security firm Netcraft reported that more than 130 certificates used by U.S. government websites had expired.
These certificates make sure users know “this is really the government resource that I’m trying to access and not some bad guy,” explains Dan Kaminsky, the chief scientist at the security firm White Ops.
The lack of a valid certificate makes it easier for a bad actor to trick you into going to a fake site. Even though there’s a warning when you click on a site without an updated certificate, Kaminsky says, “people might get used to ignoring the browser warnings” because of the shutdown. “Then you think you’re really walking into this site and you’re really not.”
He offers a worst-case scenario: Imagine if the security certificate was down for the Social Security Administration website and a bad actor set up a fake site. Someone could go to the bogus site, enter their password, and give the hackers access to personal information.
The shutdown also means there are fewer IT staff on hand. For instance, around 2,000 employees — down from the usual 3,500 — are working at the Cybersecurity and Infrastructure Security Agency, one of the agencies leading the nation’s cyberdefenses, according to the White House Office of Management and Budget’s contingency plans.
Rob Ragan, a partner in the cybersecurity firm Bishop Fox, says that means a lot of important tasks may not be done, such as updating software with the latest security patches.
“You end up getting buried in a really big backlog of issues that you may never dig yourself out of,” he says. “And, at that point, one of those issues may have been an indicator of a compromise or a breach that may go unnoticed for months or years to come.”
Security researchers worry that the shutdown is like putting a red blanket in front of a bull. Nations like Russia, China and Iran could see it as a signal to charge ahead. Meanwhile, Ragan says, think about the amount of information on government websites that’s personal and even classified.
And the likelihood of security lapses increases as the shutdown drags on, says Vikram Thakur, a technical director at the security firm Symantec.
“We’re in the fourth week of a shutdown right now,” he says. “But as time goes on and on, that risk is most definitely going to go up exponentially.”
Ironically, Thakur says, having fewer personnel on the job lowers at least one kind of security risk: email phishing. That’s when hackers send an email with a link that unleashes malware into the system.
“If nobody’s opening e-mail and nobody’s using the work network, the chances or the success rate for attackers who are using email as their primary mode of attack” drop, Thakur says.
NPR asked the Department of Homeland Security’s Cyber Division for comment but did not hear back. House Democratic aides say they’re also unable to get information about which federal IT workers are on the job.
But they want to see details when the shutdown ends. In the event of a future shutdown, Democrats might move to keep all IT workers on the job in the name of cybersecurity.