The partial shutdown of the US government last month prevented ranchers from applying for farm loans, Coast Guard personnel from getting paid, and tourists from visiting the Smithsonian Institution. It also had an impact on cybersecurity. For example, the security certificates used by more than 130 US government websites expired, which made it easier for threat actors to trick people into visiting malicious sites that masquerade as legitimate government sites, until they were renewed when the government reopened.
This week, as lawmakers face a Friday deadline to prevent a second closure, the negative impact on the public and private sectors is in danger of repeating. Here's what's at stake.
Outdated NIST Guidelines Leave the Private Sector in the Dark
The website for the National Institute of Standards and Technology (NIST) wasn't updated from December 22, 2018, until January 28, 2019 — making it essentially offline for more than a month. With NIST shut down, cybersecurity professionals couldn't access the technical documents that help them architect their organizations' security programs. Many use NIST standards to evaluate security tools and as a reference on how to implement security technologies. Without this documentation, security practitioners were hindered from trying to roll out strong security measures; with NIST down, they weren't able to make sure that they followed best practices during security rollouts.
Returning Employees Experience Alert Fatigue
A backlog of threat alerts and log files likely greeted federal government security professionals when they eventually returned to work. To handle the flood of alerts, analysts may have focused on the most recent ones and, because of time constraints, overlooked the older ones. If overlooked activity turns out to be a successful infiltration, there's a chance that attackers could still be in a government network without anyone realizing it. Spotting and immediately investigating suspicious activity is the defender's best chance of minimizing the damage caused by a data breach, especially since attackers prefer "low and slow" operations to decrease the likelihood of being detected.
Password Resets Lead to Weakened Security
Password resets are inevitable after the government reopens. With so many employees not working for more than a month, many of them may have forgotten their login credentials. In other cases, some agencies may have password management policies that require workers to change their passwords after a certain period of time (every 60 days, for example). Miss the deadline and they'll have to reset their passwords.
In both cases, help desk employees who handle password resets likely were inundated with requests. To get people back to work faster, the help desk may have relaxed password management policies by permitting the reuse of old passwords. While this approach would get government agencies online faster, attackers could benefit from this situation since password reuse is rampant, a fact not lost on adversaries, who could leverage weakened passwords policies as they search for ways to infiltrate government defenses.
Recruitment Gets Tougher
Finding skilled cybersecurity workers is already difficult for many organizations and is likely to become even more challenging in the coming years. Enrollment in computer science programs peaked in 2017, according to the Computing Research Association's annual survey. Typically, after an enrollment peak there's a two- to four-year period when fewer people pursue computer science degrees. In other words, the already limited security talent pool could grow even shallower.
Factor in the lingering effects of the shutdown and the federal government could face an even tougher recruiting battle as security professionals' negative perception of working for the federal government turns them away from considering careers in public service.
As for the cybersecurity professionals and contractors already employed by the federal government, being out of work for more than a month brings down their morale and may lead to early and midcareer jumps. We're already seeing this situation play out with some people who have government STEM jobs . These workers are loyal and smart and they believe in serving their country, but they also have to pay mortgages and purchase groceries. This brain drain could mean that already understaffed cybersecurity teams take on even more responsibilities. Even the most talented security professionals have a limited amount of capacity.
- Credential Compromises By the Numbers
- Government Shutdown Brings Certificate Lapse Woes
- Kudos to the Unsung Rock Stars of Security
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.