Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

10:30 AM
John Callahan
John Callahan
Connect Directly
E-Mail vvv

What the Government Shutdown Teaches Us about Cybersecurity

As lawmakers face a Friday deadline to prevent the federal government from closing a second time, we examine the cost to the digital domain, both public and private.

The partial shutdown of the US government last month prevented ranchers from applying for farm loans, Coast Guard personnel from getting paid, and tourists from visiting the Smithsonian Institution. It also had an impact on cybersecurity. For example, the security certificates used by more than 130 US government websites expired, which made it easier for threat actors to trick people into visiting malicious sites that masquerade as legitimate government sites, until they were renewed when the government reopened.

This week, as lawmakers face a Friday deadline to prevent a second closure, the negative impact on the public and private sectors is in danger of repeating. Here's what's at stake.

Outdated NIST Guidelines Leave the Private Sector in the Dark
The website for the National Institute of Standards and Technology (NIST) wasn't updated from December 22, 2018, until January 28, 2019 — making it essentially offline for more than a month. With NIST shut down, cybersecurity professionals couldn't access the technical documents that help them architect their organizations' security programs. Many use NIST standards to evaluate security tools and as a reference on how to implement security technologies. Without this documentation, security practitioners were hindered from trying to roll out strong security measures; with NIST down, they weren't able to make sure that they followed best practices during security rollouts.

Returning Employees Experience Alert Fatigue
A backlog of threat alerts and log files likely greeted federal government security professionals when they eventually returned to work. To handle the flood of alerts, analysts may have focused on the most recent ones and, because of time constraints, overlooked the older ones. If overlooked activity turns out to be a successful infiltration, there's a chance that attackers could still be in a government network without anyone realizing it. Spotting and immediately investigating suspicious activity is the defender's best chance of minimizing the damage caused by a data breach, especially since attackers prefer "low and slow" operations to decrease the likelihood of being detected.

Password Resets Lead to Weakened Security
Password resets are inevitable after the government reopens. With so many employees not working for more than a month, many of them may have forgotten their login credentials. In other cases, some agencies may have password management policies that require workers to change their passwords after a certain period of time (every 60 days, for example). Miss the deadline and they'll have to reset their passwords.

In both cases, help desk employees who handle password resets likely were inundated with requests. To get people back to work faster, the help desk may have relaxed password management policies by permitting the reuse of old passwords. While this approach would get government agencies online faster, attackers could benefit from this situation since password reuse is rampant, a fact not lost on adversaries, who could leverage weakened passwords policies as they search for ways to infiltrate government defenses.

Recruitment Gets Tougher
Finding skilled cybersecurity workers is already difficult for many organizations and is likely to become even more challenging in the coming years. Enrollment in computer science programs peaked in 2017, according to the Computing Research Association's annual survey. Typically, after an enrollment peak there's a two- to four-year period when fewer people pursue computer science degrees. In other words, the already limited security talent pool could grow even shallower.

Factor in the lingering effects of the shutdown and the federal government could face an even tougher recruiting battle as security professionals' negative perception of working for the federal government turns them away from considering careers in public service.

As for the cybersecurity professionals and contractors already employed by the federal government, being out of work for more than a month brings down their morale and may lead to early and midcareer jumps. We're already seeing this situation play out with some people who have government STEM jobs . These workers are loyal and smart and they believe in serving their country, but they also have to pay mortgages and purchase groceries. This brain drain could mean that already understaffed cybersecurity teams take on even more responsibilities. Even the most talented security professionals have a limited amount of capacity.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dr. John Callahan is responsible for the development of the company's world class enterprise-ready biometric solutions, leading a global team of software developers, computer vision scientists and sales engineers. He has previously served as the associate director for ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
2/11/2019 | 2:11:34 PM
Cyber a secure career - IT not so
In an odd twist of words, a career in cyber security is secure.  In general, a student entering generic IT has issues because of outsourcing.  Why start a career when long term employment is doubtful. Too many qualified engineers have been terminated (and train your replacement) to make this an attractive field.  Starting there and moving into cyber security is NOT advertised per se - should be and these jobs ARE far more secure than basic server and data center support.  You have to start somewhere in cyber and the entrance door is not well thought of. 
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.