US Shutdown Plays into Hackers’ Hands
The US government shutdown is having a chilling effect on national cybersecurity, with 80 government web certificates having already expired without being renewed and FBI agents issuing a stark warning.
Vendor Netcraft claimed on Thursday that the lapsed certificates include those affecting “sensitive government payment portals and remote access services” at agencies like NASA, as well as the Department of Justice and the Court of Appeals.
The impact of this administrative snafu is to render the sites inaccessible or insecure. If HSTS is properly implemented, modern browsers will now not allow users to visit sites with expired certificates, said Netcraft.
“However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header — but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before,” it explained.
“Consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass. This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”
The concern is that as the shutdown continues, growing numbers of certificates will expire without being renewed, increasing the security risk.
The National Institute of Standards and Technology (NIST) is particularly badly affected by the shutdown, with an estimated 85% of personnel furloughed and its website shut.
That’s bad news for the information security community as NIST guidance documents and frameworks are widely consulted to improve baseline security practices around the world.
As if that weren’t enough, FBI special agents have signed an open letter warning that the shutdown could hurt operations and even force agents to consider roles elsewhere.
“As those on the frontlines in the fight against criminals and terrorists, we urge expediency before financial insecurity compromises national security,” they said.
Suzanne Spaulding, a former Department of Homeland Security (DHS) under-secretary and Nozomi Networks advisor, warned that the loss of so many government employees means the US is “losing ground against our adversaries.”
“And the timing couldn’t be worse, with Congress just having established the new Cybersecurity and Infrastructure Security Agency (CISA) at the DHS,” she added.
“Getting this agency fully operational requires a lot of work and it’s like repairing an airplane while you’re flying it. You try to avoid disrupting the critical operational activity even while you make changes to improve the organization. This shutdown is a disruption CISA can ill afford.”
House Democrats have accused Trump of holding the country hostage over an exaggerated threat, as he demands over $5bn to fund a wall on the southern border with Mexico that he originally promised would be paid for by the Latin American nation.
The current shutdown is the longest since 1995, with an estimated 800,000 federal employees expecting not to be paid this week. Most Americans blame the president for the impasse, according to a new poll.
This post US Shutdown Plays into Hackers’ Hands originally appeared on InfoSecurity Magazine.
