US gov shutdown causing ‘realistic’ cybersecurity threat

“There could be some realistic opportunities to undermine the security of all US citizens."
11 January 2019


Over 80 official websites are down or insecure as a result of the US government shutdown, with nobody on hand to renew expired TLS (Transport Layer Security) certificates.

According to Netcraft, the affected sites include “sensitive government payment portals and remote access services”, among them sites belonging to NASA, the US Department of Justice, and the Court of Appeals.

The result of an ongoing dispute over President Trump’s bid to erect a wall on the Mexican border, the shutdown means 400,000 federal employees are currently not receiving pay.

Non-renewal of security certificates, which ensure communications between devices and websites are sent in an encrypted, secure manner, is one side effect of the shutdown.

When issued, these certificates are given an expiration date, which can be anything from a few months to a number of years.

In the case of the US Department of Justice, the agency’s website was using a certificate that expired in the weeks leading up to the shutdown and has not been renewed since.
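A renewal check of the kind that flags a certificate before it lapses, as an added example that is not part of the original article. The hostnames, expiry dates and the 30-day renewal window are constructed assumptions; the date strings use the `notAfter` format that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (placeholder hostnames and dates, not real sites).
INVENTORY = {
    "portal.example.gov": "Dec 17 12:00:00 2018 GMT",
    "remote.example.gov": "Jan 20 23:59:59 2019 GMT",
    "www.example.gov": "Nov  3 00:00:00 2020 GMT",
}


def classify(not_after, now, renew_days=30):
    """Return (status, days_left) for one certificate's notAfter string.

    days_left is floored, so an expired certificate yields a negative number.
    """
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    days_left = (expires - now).days
    if expires <= now:
        return "EXPIRED", days_left
    if days_left < renew_days:
        return "RENEW", days_left  # still valid, but inside the renewal window
    return "OK", days_left


def report(inventory, now, renew_days=30):
    """Classify every host and return rows sorted most urgent first."""
    rows = [(host, *classify(na, now, renew_days)) for host, na in inventory.items()]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Fixed reference time so the output is reproducible; a scheduled job
    # would pass datetime.now(timezone.utc) instead.
    reference = datetime(2019, 1, 11, tzinfo=timezone.utc)
    for host, status, days in report(INVENTORY, reference):
        print(f"{status:8} {days:5d} days  {host}")
```

Run on a schedule with alerts on `RENEW`, a check like this surfaces a certificate weeks before its expiry date rather than after visitors start seeing browser warnings.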

Meanwhile, the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency is currently operating with less than half of its staff, according to Suzanne Spaulding, a former official, in a column for The Hill.

“With each passing day, the impact of the government shutdown on our nation’s security grows. Meanwhile, our adversaries are not missing a beat and the daily attacks on our systems continue.

“Cyber-security is hard enough with a full team. Operating at less than half strength means we are losing ground against our adversaries,” said Spaulding.

In a blog for Netcraft, cybersecurity consultant Paul Mutton warned that the President’s unwillingness to compromise on demands, and the resulting continued lack of paid employees, could lead to increasingly serious vulnerabilities in the country’s cyber defense.

“As more and more certificates used by government websites inevitably expire over the following days, weeks – or maybe even months – there could be some realistic opportunities to undermine the security of all US citizens.”