Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

10:30 AM
John Callahan
John Callahan
Connect Directly
E-Mail vvv

What the Government Shutdown Teaches Us about Cybersecurity

As lawmakers face a Friday deadline to prevent the federal government from closing a second time, we examine the cost to the digital domain, both public and private.

The partial shutdown of the US government last month prevented ranchers from applying for farm loans, Coast Guard personnel from getting paid, and tourists from visiting the Smithsonian Institution. It also had an impact on cybersecurity. For example, the security certificates used by more than 130 US government websites expired, which made it easier for threat actors to trick people into visiting malicious sites that masquerade as legitimate government sites, until they were renewed when the government reopened.

This week, as lawmakers face a Friday deadline to prevent a second closure, the negative impact on the public and private sectors is in danger of repeating. Here's what's at stake.

Outdated NIST Guidelines Leave the Private Sector in the Dark
The website for the National Institute of Standards and Technology (NIST) wasn't updated from December 22, 2018, until January 28, 2019 — making it essentially offline for more than a month. With NIST shut down, cybersecurity professionals couldn't access the technical documents that help them architect their organizations' security programs. Many use NIST standards to evaluate security tools and as a reference on how to implement security technologies. Without this documentation, security practitioners were hindered from trying to roll out strong security measures; with NIST down, they weren't able to make sure that they followed best practices during security rollouts.

Returning Employees Experience Alert Fatigue
A backlog of threat alerts and log files likely greeted federal government security professionals when they eventually returned to work. To handle the flood of alerts, analysts may have focused on the most recent ones and, because of time constraints, overlooked the older ones. If overlooked activity turns out to be a successful infiltration, there's a chance that attackers could still be in a government network without anyone realizing it. Spotting and immediately investigating suspicious activity is the defender's best chance of minimizing the damage caused by a data breach, especially since attackers prefer "low and slow" operations to decrease the likelihood of being detected.

Password Resets Lead to Weakened Security
Password resets are inevitable after the government reopens. With so many employees not working for more than a month, many of them may have forgotten their login credentials. In other cases, some agencies may have password management policies that require workers to change their passwords after a certain period of time (every 60 days, for example). Miss the deadline and they'll have to reset their passwords.

In both cases, help desk employees who handle password resets likely were inundated with requests. To get people back to work faster, the help desk may have relaxed password management policies by permitting the reuse of old passwords. While this approach would get government agencies online faster, attackers could benefit from this situation since password reuse is rampant, a fact not lost on adversaries, who could leverage weakened passwords policies as they search for ways to infiltrate government defenses.

Recruitment Gets Tougher
Finding skilled cybersecurity workers is already difficult for many organizations and is likely to become even more challenging in the coming years. Enrollment in computer science programs peaked in 2017, according to the Computing Research Association's annual survey. Typically, after an enrollment peak there's a two- to four-year period when fewer people pursue computer science degrees. In other words, the already limited security talent pool could grow even shallower.

Factor in the lingering effects of the shutdown and the federal government could face an even tougher recruiting battle as security professionals' negative perception of working for the federal government turns them away from considering careers in public service.

As for the cybersecurity professionals and contractors already employed by the federal government, being out of work for more than a month brings down their morale and may lead to early and midcareer jumps. We're already seeing this situation play out with some people who have government STEM jobs . These workers are loyal and smart and they believe in serving their country, but they also have to pay mortgages and purchase groceries. This brain drain could mean that already understaffed cybersecurity teams take on even more responsibilities. Even the most talented security professionals have a limited amount of capacity.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dr. John Callahan is responsible for the development of the company's world class enterprise-ready biometric solutions, leading a global team of software developers, computer vision scientists and sales engineers. He has previously served as the associate director for ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/11/2019 | 2:11:34 PM
Cyber a secure career - IT not so
In an odd twist of words, a career in cyber security is secure.  In general, a student entering generic IT has issues because of outsourcing.  Why start a career when long term employment is doubtful. Too many qualified engineers have been terminated (and train your replacement) to make this an attractive field.  Starting there and moving into cyber security is NOT advertised per se - should be and these jobs ARE far more secure than basic server and data center support.  You have to start somewhere in cyber and the entrance door is not well thought of. 
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-06
In userman through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not b...
PUBLISHED: 2019-12-06
In userman through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user...
PUBLISHED: 2019-12-06
In SecureWorks Red Cloak Windows Agent before, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a malicious file.
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (which provides the tools that generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2) leaks node information due to a leaky default configuration as indicated in the policy/defaults/dds/governance.xml document.
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (after CVE-2019-19625 is mitigated) leaks ROS 2 node-related information regardless of the rtps_protection_kind configuration. (SROS2 provides the tools to generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2.)