The longest government shutdown in U.S. history raises several concerns, including its implications for cybersecurity. The shutdown began on December 21, 2018 and is still going; we have reached day 27. With 800,000 federal workers affected, many wonder how long this will go on. Experts are warning that the shutdown poses dangerous consequences to our nation's cybersecurity. As an executive or employee of a business, have you considered the potential implications the shutdown has for your overall security posture?
Before we dive into the cybersecurity impacts, it is important to recognize that some departments are still operating at full capacity, including the Defense, Labor, Education and Health and Human Services sectors.
Operating at Bare Bones
The Department of Homeland Security is just one of the nation's departments facing major concern. It is operating with 45% of its staff furloughed. We all know attackers are opportunistic. We also all know that with nearly half of the staff not present to perform their daily tasks, there is a high likelihood the environment is chaotic, stressful and overwhelming, creating a perfect opportunity for an attacker to strike. According to GTSC's Homeland Security news source, the research, strategy and training areas have ceased operating during the shutdown. It is just as important to consider the insider threat as it is to consider the outsider threat. Well-intentioned employees who are experiencing drastically increased workloads and additional stress can increase risk, as they may unintentionally expose information in a phishing attempt that they would otherwise have detected.
The National Institute of Standards and Technology (NIST) is another department drastically impacted by the shutdown. Eighty-five percent of its staff is currently furloughed. NIST employees help private and public-sector companies stay up to date with the latest attack methods and mitigation strategies. NIST is a trusted agency whose cybersecurity research and guidance is respected and used by organizations worldwide. The release of this research is delayed due to the shutdown. Fortunately, a key function of NIST, the National Vulnerability Database, remains open.
Transport Layer Security (TLS) certificates are expiring, creating insecure or inaccessible “.gov” domains. In fact, over 80 TLS certificates for ".gov" domains have not been renewed. When certificates expire, websites become more susceptible to having encryption broken. An additional concern is the agencies' ability to keep up with security patches and updates.
Holding a government cybersecurity-focused position is prestigious and an honor, but the shutdown of 2013 warns us of the looming threat that employees may start to look for positions in the private sector. The shutdown may also lead new cyber talent to think twice before applying for a government position. Retention of top cyber talent is critical to our nation’s security. It remains to be seen just how this will impact retention and new hire rates.
What This Means for Businesses
In 2019, cybersecurity is at the top of every executive’s mind. We are bombarded with stories of attacks and breaches on a weekly (sometimes even daily) basis. Even in a perfect world, with resources fully funded and staffed, security is challenging enough to keep up with. Consider the Ponemon Institute statistic that 55% of small and medium-sized companies have experienced a cyberattack in the last 12 months. These breaches occurred during a time when government agencies were operating at full capacity. Cybersecurity strategic planning, research and training have all come to a screeching halt due to the shutdown. During this period, it is critical for your business to maintain strong security hygiene.
- Remind all of your employees, particularly your leaders, to stay alert for phishing attempts. Cybercriminals frequently use real-world events (such as news about a government shutdown) to trick users into clicking on a link or opening an attachment.
- Educate employees about the expired TLS certificates. Many people use their breaks or lunch periods to take care of personal business. This may include visiting a website to check on social services they rely on for themselves or family members. These sites often require people to put in personal information to gain access to what they need. Warn employees of the danger of providing credentials on a site that is not secure.
- Speak to your employees about the importance of not logging onto social media from work devices. Malicious actors understand human behavior, and they know that people often cannot resist clicking on links that are convenient, scandalous and/or sensational. These are often shared through social media and put your company at risk.
- Some companies monitor threat intelligence and information sharing from the Department of Homeland Security and/or NIST. If you are not already doing so, now is a great time to consult with a trusted cybersecurity partner to further understand risks related to your specific security environment and how to mitigate them.
We have no way of knowing how long the shutdown will last. Naturally, this heightens the concern over our nation's cybersecurity as a whole. Although most of us cannot impact the cybersecurity of the nation, we can do our part to maintain a strong security posture for both ourselves and our companies.