{"id":5969,"date":"2019-01-22T22:57:00","date_gmt":"2019-01-23T02:57:00","guid":{"rendered":"http:\/\/ncjolt.org\/?p=5969"},"modified":"2020-06-04T20:52:28","modified_gmt":"2020-06-04T20:52:28","slug":"how-the-longest-running-government-showdown-in-history-is-weakening-the-security-of-government-websites-and-could-lead-to-a-brain-drain-of-skilled-cyber-experts","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/how-the-longest-running-government-showdown-in-history-is-weakening-the-security-of-government-websites-and-could-lead-to-a-brain-drain-of-skilled-cyber-experts\/","title":{"rendered":"How the Longest Running Government Showdown in History is Weakening the Security of Government Websites and Could Lead to a Brain Drain of Skilled Cyber Experts"},"content":{"rendered":"\n

On December 22, 2018<\/a>, a partial shutdown of the US government began. While the initial news coverage seemed to be on the damage to national parks<\/a> and the 800,000<\/a> federal workers who are either furloughed or forced to work without pay, it\u2019s now clear that the shutdown is having far-reaching and unexpected consequences. There are several growing cybersecurity issues stemming from the shutdown. <\/p>\n\n\n

From a personnel perspective, the cybersecurity teams within\nthe Department of Homeland Security and the IT staffers across all affected\nagencies are working on skeleton crews. For example, there are currently 1,500\nfewer staff members<\/a> working than usual right now in the Cybersecurity\nand Infrastructure Security Agency. This unstable work environment could\nseriously harm<\/a> the already difficult recruitment efforts for future\ncyber experts and as well as likely push existing workers into the private\nsector. So, the lack of staff not only means there are fewer threat detection\nand mitigation actions that can be performed, but the daily security\nmaintenance of our government\u2019s websites is also suffering.<\/p>\n\n\n

So, the lack of staff not only means there are fewer threat detection and mitigation actions that can be performed, but the daily security maintenance of our government\u2019s websites is also suffering.<\/p><\/blockquote>\n\n\n

There are at least 130<\/a>\ngovernment websites\u2019 HTTPS encryption certificates that have expired during the\nshutdown. Encryption certificates are incredibly important as a tool for\norganizations to monitor security threats as well as a signal to website users\nthat the website is secure and sensitive data can be transmitted to the site. Valid\ncertificates<\/a> demonstrate that a trusted certificate authority has\nverified the web address and correct ownership of a website. Two indications to\nusers that a website is secure are the padlock image generally located next to\nthe website address and also a website starting with \u201chttps\u201d instead of \u201chttp.\u201d\nWhen certificates have expired, the web browser will warn the user. <\/p>\n\n\n

This could have several unintended effects. Inexperienced web<\/a> users might be unduly alarmed by the by the warning and assume that their information is no longer secure. However, once told of the issue\u2014they might ignore the warnings which is also problematic. Security certificates authenticate sites and help protect users from sending sensitive data to impersonator sites. However, without the authentication, impersonator sites might look enough like the real sites that unwitting users might fall for it. <\/p>\n\n\n

Expired certificates can also lead to massive data breaches. In 2017, the data of over 143 million Equifax users<\/a> was stolen after Equifax allowed the security certificate of a monitoring device to expire. Once they updated the monitoring device\u2019s certificate, Equifax immediately realized that massive amounts of data had been transferred out of the system\u2014over two months prior to the discovery. Astonishingly, Equifax also realized that they had allowed least 324 other<\/a> certificates to expire, 79 of which were for devices monitoring highly business critical domains. Therefore, daily site maintenance is critical and every further day of the shutdown merely increases the backlog that IT staffers will have upon returning back to work. <\/p>\n\n\n

Another concern is that hostile foreign governments and sophisticated hackers<\/a> are no doubt exploiting this period to either carry out malicious attacks or insert infrastructure into the systems for future attacks. Also, the government has several different agencies that host vital information that is used daily by private sector companies and employees. In some cases, these government websites are down entirely and the harmful effects of the shutdown grow as the private sector struggles to continue working without this vital information. These aren\u2019t the types of concerns that will make the front page of newspapers, but they might six months from now after an investigation into how our cybersecurity has been compromised. <\/p>\n\n\n

Abi Christoph, 21 January 2019<\/p>\n","protected":false},"excerpt":{"rendered":"

On December 22, 2018, a partial shutdown of the US government began. While the initial news coverage seemed to be on the damage to national parks and the 800,000 federal workers who are either furloughed or forced to work without pay, it\u2019s now clear that the shutdown is having far-reaching and unexpected consequences. There are …<\/a><\/p>\n","protected":false},"author":1,"featured_media":5970,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/5969"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=5969"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/5969\/revisions"}],"predecessor-version":[{"id":6875,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/5969\/revisions\/6875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/5970"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=5969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=5969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=5969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}