Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

2/11/2019
10:30 AM
John Callahan
John Callahan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What the Government Shutdown Teaches Us about Cybersecurity

As lawmakers face a Friday deadline to prevent the federal government from closing a second time, we examine the cost to the digital domain, both public and private.

The partial shutdown of the US government last month prevented ranchers from applying for farm loans, Coast Guard personnel from getting paid, and tourists from visiting the Smithsonian Institution. It also had an impact on cybersecurity. For example, the security certificates used by more than 130 US government websites expired, which made it easier for threat actors to trick people into visiting malicious sites that masquerade as legitimate government sites, until they were renewed when the government reopened.

This week, as lawmakers face a Friday deadline to prevent a second closure, the negative impact on the public and private sectors is in danger of repeating. Here's what's at stake.

Outdated NIST Guidelines Leave the Private Sector in the Dark
The website for the National Institute of Standards and Technology (NIST) wasn't updated from December 22, 2018, until January 28, 2019 — making it essentially offline for more than a month. With NIST shut down, cybersecurity professionals couldn't access the technical documents that help them architect their organizations' security programs. Many use NIST standards to evaluate security tools and as a reference on how to implement security technologies. Without this documentation, security practitioners were hindered from trying to roll out strong security measures; with NIST down, they weren't able to make sure that they followed best practices during security rollouts.

Returning Employees Experience Alert Fatigue
A backlog of threat alerts and log files likely greeted federal government security professionals when they eventually returned to work. To handle the flood of alerts, analysts may have focused on the most recent ones and, because of time constraints, overlooked the older ones. If overlooked activity turns out to be a successful infiltration, there's a chance that attackers could still be in a government network without anyone realizing it. Spotting and immediately investigating suspicious activity is the defender's best chance of minimizing the damage caused by a data breach, especially since attackers prefer "low and slow" operations to decrease the likelihood of being detected.

Password Resets Lead to Weakened Security
Password resets are inevitable after the government reopens. With so many employees not working for more than a month, many of them may have forgotten their login credentials. In other cases, some agencies may have password management policies that require workers to change their passwords after a certain period of time (every 60 days, for example). Miss the deadline and they'll have to reset their passwords.

In both cases, help desk employees who handle password resets likely were inundated with requests. To get people back to work faster, the help desk may have relaxed password management policies by permitting the reuse of old passwords. While this approach would get government agencies online faster, attackers could benefit from this situation since password reuse is rampant, a fact not lost on adversaries, who could leverage weakened passwords policies as they search for ways to infiltrate government defenses.

Recruitment Gets Tougher
Finding skilled cybersecurity workers is already difficult for many organizations and is likely to become even more challenging in the coming years. Enrollment in computer science programs peaked in 2017, according to the Computing Research Association's annual survey. Typically, after an enrollment peak there's a two- to four-year period when fewer people pursue computer science degrees. In other words, the already limited security talent pool could grow even shallower.

Factor in the lingering effects of the shutdown and the federal government could face an even tougher recruiting battle as security professionals' negative perception of working for the federal government turns them away from considering careers in public service.

As for the cybersecurity professionals and contractors already employed by the federal government, being out of work for more than a month brings down their morale and may lead to early and midcareer jumps. We're already seeing this situation play out with some people who have government STEM jobs . These workers are loyal and smart and they believe in serving their country, but they also have to pay mortgages and purchase groceries. This brain drain could mean that already understaffed cybersecurity teams take on even more responsibilities. Even the most talented security professionals have a limited amount of capacity.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dr. John Callahan is responsible for the development of the company's world class enterprise-ready biometric solutions, leading a global team of software developers, computer vision scientists and sales engineers. He has previously served as the associate director for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/11/2019 | 2:11:34 PM
Cyber a secure career - IT not so
In an odd twist of words, a career in cyber security is secure.  In general, a student entering generic IT has issues because of outsourcing.  Why start a career when long term employment is doubtful. Too many qualified engineers have been terminated (and train your replacement) to make this an attractive field.  Starting there and moving into cyber security is NOT advertised per se - should be and these jobs ARE far more secure than basic server and data center support.  You have to start somewhere in cyber and the entrance door is not well thought of. 
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15151
PUBLISHED: 2019-08-18
AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.
CVE-2019-15149
PUBLISHED: 2019-08-18
core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected.
CVE-2019-15145
PUBLISHED: 2019-08-18
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
CVE-2019-15146
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.
CVE-2019-15147
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.