How Government Shutdowns put U.S. Cybersecurity at Risk

Last Friday, January 25, President Trump and the 116th U.S. Congress reached an agreement to temporarily reopen the U.S. federal government for three weeks, ending the longest federal government shutdown in history. 

During the shutdown, federal employees deemed “essential,” such as the FBI, the Transportation Security Administration, and Customs and Border Protection, worked without pay. And the U.S. government’s IT staff? Most members are considered non-essential, so they were told not to show up for work and would not receive paychecks during the shutdown. The designation of IT staff as non-essential must have been made in an era before the cyberwars. 

The decision to furlough IT staffers is potentially devastating to America’s cyber-readiness. Simple tasks such as updating SSL certificates on federal government websites were not performed and many websites are showing SSL certificate errors, often warning users not to enter any sensitive information or even visit them. An early count as of two weeks ago showed more than 80 expired SSL certificates on government websites. With Google’s stance on user protection, it takes considerable effort to visit a website with an expired SSL certificate using the latest versions of the Google Chrome browser, the dominant web browser.  

Having expired SSL certificates opens visitors to man-in-the-middle attacks since the purpose of the certificates is to both ensure secure communication to and from the website, as well as act as proof that the website is actually what it says it is. Forcing users to accept the expired certificates in order to conduct business will normalize this dangerous behavior. In the era where users are always taught to “look for the green address bar and the padlock” before entering in sensitive information, accepting the expired SSL certificates effectively destroys what little cybersecurity awareness training average users receive.

In addition to the expiration of SSL certificates, allowing IT staff to be furloughed leaves federal systems vulnerable by definition. January 9th was a Microsoft Patch Tuesday, in which numerous patches were released to address security vulnerabilities in Microsoft Windows and Office products, found in every U.S. federal agency. Since it’s unlikely that the Patch Tuesday updates were applied, hundreds of thousands of federal machines are under threat by these now-known vulnerabilities. Adobe also patched two critical vulnerabilities each in Adobe Acrobat and Reader during the U.S. government shutdown, with the patches likely sitting idle until employees finally returned to work on Monday.  

The government shutdown highlights the need for not only more automation, but security of a more ubiquitous nature, protecting employees and contractors on all devices no matter where they connect. Having employees and contractors use a FedRAMP-approved, always-on cloud security solution will ensure users are protected even when the government is shut down. While personnel may not be at work, cloud-hosted security solutions are always being updated to protect against the latest internet threats without the need to apply Patch Tuesday updates and others. Simply put, security clouds are always running the latest software version, with the latest security updates, without the need for human intervention.  

Security solutions that participate in Microsoft and Adobe’s Active Protections Program will be instantly protected against Patch Tuesday vulnerabilities. Unlike endpoint security solutions, which require heavy resources to constantly monitor processes, stacks, and integrity checks, all that is required for security-as-a-service solutions is a lightweight client to forward internet traffic to the nearest security cloud enforcement point. Appliance-based solutions require users to full-tunnel VPN their traffic back to a data center for security inspection, which increases latency and degrades the user experience.

The use of a cloud security stack assists in protecting furloughed employees from opportunistic attackers—known for launching watering hole attacks and phishing and social engineering campaigns against laid-off workers in need of income—and it protects even if those attacks are hidden behind the use of SSL or TLS encryption. Data Loss Prevention with Exact Data Match can detect and block the leakage of even a single record of sensitive information (think First Name, Last Name, and Social Security Number). Requiring federal contractors to use a FedRAMP-approved Zero Trust Remote Access Platform can significantly reduce the attack surface and exposure in the event of accidental or intentional account compromise.

The government shutdown has happened before, and it will happen again. If the President and Congress do not reach an agreement within 21 days of the temporary funding bill, the government will shut down again. Government agencies and federal contractors should take this time to implement and automate security as much as they can, so users and systems are protected even if personnel are unable or unwilling to perform their duties. Even if a permanent spending bill is signed within 21 days, government shutdowns are now becoming as common as the Golden State Warriors winning a national championship. Dub Nation!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Christopher Louie, CISSP, is a sales engineer at Zscaler