The US government shutdown is having a chilling effect on national cybersecurity, with 80 government web certificates having already expired without being renewed and FBI agents issuing a stark warning.
Vendor Netcraft claimed on Thursday that the lapsed certificates include those affecting “sensitive government payment portals and remote access services” at agencies like NASA, as well as the Department of Justice and the Court of Appeals.
The effect of this administrative snafu is to make the affected sites either inaccessible or insecure. Where HSTS is properly implemented, modern browsers refuse to load a site whose certificate has expired and offer no way to click past the error, said Netcraft; where it is not, users are shown a certificate warning they can click through, and a connection made that way gives no protection against interception.
“However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header — but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before,” it explained.
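To make the cases in Netcraft's explanation concrete (a host on the preload list, a host that only sends the header and has never been visited, and a host that a user visited before its certificate lapsed), here is a small model of a browser's HSTS handling. It is an added example for this page, not code from Netcraft or from the article. The host names, the stand-in preload set and the certificate dates are constructed; the policy rules follow RFC 6797 (section 8.1: a Strict-Transport-Security header received over a connection with certificate errors is ignored; section 12.1: a known HSTS host with a bad certificate is a hard failure with no click-through). The expiry check uses the standard library's `ssl.cert_time_to_seconds`, which parses the `notAfter` string format returned by `getpeercert()`.

```python
import ssl
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for the HSTS preload list; the real list is much larger.
PRELOAD: Set[str] = {"preloaded.example.gov"}


@dataclass
class HstsPolicy:
    expires_at: float          # epoch seconds
    include_subdomains: bool


def cert_expired(not_after: str, now: float) -> bool:
    """True if an X.509 notAfter string in OpenSSL text form (the format the
    ssl module's getpeercert() returns) lies before `now`."""
    return ssl.cert_time_to_seconds(not_after) < now


def parse_sts_header(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header per RFC 6797 section 6.1.
    Returns None when there is no single well-formed max-age directive,
    in which case a browser ignores the whole header."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None                  # duplicate or malformed max-age
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_sub)


@dataclass
class Browser:
    preload: Set[str]
    cache: Dict[str, HstsPolicy] = field(default_factory=dict)   # "known HSTS hosts"

    def is_known_hsts_host(self, host: str, now: float) -> bool:
        """Preloaded, or covered by an unexpired cached policy (directly, or via a
        parent domain whose policy carries includeSubDomains)."""
        labels = host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            is_parent = i > 0
            if name in self.preload:
                return True                  # preload entries cover subdomains too
            pol = self.cache.get(name)
            if pol and pol.expires_at > now and (not is_parent or pol.include_subdomains):
                return True
        return False

    def visit(self, host: str, cert_valid: bool, sts_header: Optional[str], now: float) -> str:
        """Outcome of one HTTPS navigation: 'blocked' (hard fail, no click-through),
        'warning' (interstitial the user can click through), or 'ok'."""
        if not cert_valid:
            if self.is_known_hsts_host(host, now):
                return "blocked"             # RFC 6797 s.12.1
            # RFC 6797 s.8.1: the header on an errored connection is ignored, so a
            # first visit during the outage never establishes a policy.
            return "warning"
        if sts_header is not None:
            pol = parse_sts_header(sts_header, now)
            if pol is not None:
                if pol.expires_at <= now:
                    self.cache.pop(host, None)   # max-age=0 deletes the policy
                else:
                    self.cache[host] = pol
        return "ok"


def replay_shutdown_scenarios() -> Dict[str, str]:
    """Replay the cases Netcraft describes with constructed hosts and dates."""
    day = 86400
    t0 = 1_546_300_800.0          # 2019-01-01 00:00 UTC, before the certificates lapsed
    b = Browser(preload=set(PRELOAD))
    hdr = "max-age=31536000; includeSubDomains"
    # One user visited a header-only host while its certificate was still valid.
    b.visit("visited-before.example.gov", True, hdr, t0)
    t1 = t0 + 20 * day            # certificates have now expired
    return {
        "preloaded": b.visit("portal.preloaded.example.gov", False, hdr, t1),
        "header_only_first_visit": b.visit("never-visited.example.gov", False, hdr, t1),
        "visited_before_expiry": b.visit("visited-before.example.gov", False, hdr, t1),
        "no_hsts_at_all": b.visit("plain.example.gov", False, None, t1),
    }


if __name__ == "__main__":
    print(cert_expired("Jan 10 12:00:00 2019 GMT", 1_547_121_601.0))
    for case, outcome in replay_shutdown_scenarios().items():
        print(f"{case:28s} -> {outcome}")
```

The replay shows why Netcraft's caveat matters: only the preloaded host and the host a user had already visited get a hard block; a host whose only HSTS signal is the header still lets the user click through, exactly as if it had no HSTS at all.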
The concern is that as the shutdown continues, growing numbers of certificates will expire without being renewed, increasing the security risk.
The National Institute of Standards and Technology (NIST) is particularly badly affected by the shutdown, with an estimated 85% of personnel furloughed and its website taken offline.
That’s bad news for the information security community as NIST guidance documents and frameworks are widely consulted to improve baseline security practices around the world.
As if that weren’t enough, FBI special agents have signed an open letter warning that the shutdown could hurt operations and even force agents to consider roles elsewhere.
“As those on the frontlines in the fight against criminals and terrorists, we urge expediency before financial insecurity compromises national security,” they said.
Suzanne Spaulding, a former Department of Homeland Security (DHS) under-secretary and Nozomi Networks advisor, warned that the loss of so many government employees means the US is “losing ground against our adversaries.”
“And the timing couldn’t be worse, with Congress just having established the new Cybersecurity and Infrastructure Security Agency (CISA) at the DHS,” she added.
“Getting this agency fully operational requires a lot of work and it’s like repairing an airplane while you’re flying it. You try to avoid disrupting the critical operational activity even while you make changes to improve the organization. This shutdown is a disruption CISA can ill afford.”
source: Info Security