Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

2/11/2019
10:30 AM
John Callahan
John Callahan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What the Government Shutdown Teaches Us about Cybersecurity

As lawmakers face a Friday deadline to prevent the federal government from closing a second time, we examine the cost to the digital domain, both public and private.

The partial shutdown of the US government last month prevented ranchers from applying for farm loans, Coast Guard personnel from getting paid, and tourists from visiting the Smithsonian Institution. It also had an impact on cybersecurity. For example, the security certificates used by more than 130 US government websites expired, which made it easier for threat actors to trick people into visiting malicious sites that masquerade as legitimate government sites, until they were renewed when the government reopened.

This week, as lawmakers face a Friday deadline to prevent a second closure, the negative impact on the public and private sectors is in danger of repeating. Here's what's at stake.

Outdated NIST Guidelines Leave the Private Sector in the Dark
The website for the National Institute of Standards and Technology (NIST) wasn't updated from December 22, 2018, until January 28, 2019 — making it essentially offline for more than a month. With NIST shut down, cybersecurity professionals couldn't access the technical documents that help them architect their organizations' security programs. Many use NIST standards to evaluate security tools and as a reference on how to implement security technologies. Without this documentation, security practitioners were hindered from trying to roll out strong security measures; with NIST down, they weren't able to make sure that they followed best practices during security rollouts.

Returning Employees Experience Alert Fatigue
A backlog of threat alerts and log files likely greeted federal government security professionals when they eventually returned to work. To handle the flood of alerts, analysts may have focused on the most recent ones and, because of time constraints, overlooked the older ones. If overlooked activity turns out to be a successful infiltration, there's a chance that attackers could still be in a government network without anyone realizing it. Spotting and immediately investigating suspicious activity is the defender's best chance of minimizing the damage caused by a data breach, especially since attackers prefer "low and slow" operations to decrease the likelihood of being detected.

Password Resets Lead to Weakened Security
Password resets are inevitable after the government reopens. With so many employees not working for more than a month, many of them may have forgotten their login credentials. In other cases, some agencies may have password management policies that require workers to change their passwords after a certain period of time (every 60 days, for example). Miss the deadline and they'll have to reset their passwords.

In both cases, help desk employees who handle password resets likely were inundated with requests. To get people back to work faster, the help desk may have relaxed password management policies by permitting the reuse of old passwords. While this approach would get government agencies online faster, attackers could benefit from this situation since password reuse is rampant, a fact not lost on adversaries, who could leverage weakened passwords policies as they search for ways to infiltrate government defenses.

Recruitment Gets Tougher
Finding skilled cybersecurity workers is already difficult for many organizations and is likely to become even more challenging in the coming years. Enrollment in computer science programs peaked in 2017, according to the Computing Research Association's annual survey. Typically, after an enrollment peak there's a two- to four-year period when fewer people pursue computer science degrees. In other words, the already limited security talent pool could grow even shallower.

Factor in the lingering effects of the shutdown and the federal government could face an even tougher recruiting battle as security professionals' negative perception of working for the federal government turns them away from considering careers in public service.

As for the cybersecurity professionals and contractors already employed by the federal government, being out of work for more than a month brings down their morale and may lead to early and midcareer jumps. We're already seeing this situation play out with some people who have government STEM jobs . These workers are loyal and smart and they believe in serving their country, but they also have to pay mortgages and purchase groceries. This brain drain could mean that already understaffed cybersecurity teams take on even more responsibilities. Even the most talented security professionals have a limited amount of capacity.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dr. John Callahan is responsible for the development of the company's world class enterprise-ready biometric solutions, leading a global team of software developers, computer vision scientists and sales engineers. He has previously served as the associate director for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/11/2019 | 2:11:34 PM
Cyber a secure career - IT not so
In an odd twist of words, a career in cyber security is secure.  In general, a student entering generic IT has issues because of outsourcing.  Why start a career when long term employment is doubtful. Too many qualified engineers have been terminated (and train your replacement) to make this an attractive field.  Starting there and moving into cyber security is NOT advertised per se - should be and these jobs ARE far more secure than basic server and data center support.  You have to start somewhere in cyber and the entrance door is not well thought of. 
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.