Shutdown Makes Government Websites More Vulnerable To Hackers, Experts Say

Jan 20, 2019

Several parts of the federal government have been shut down for about a month now, and cybersecurity professionals say government websites are becoming more vulnerable to security breaches each day the shutdown lasts.

Visitors to manufacturing.gov, for instance, are finding that the site has become unusable — its information about the manufacturing sector is no longer accessible. Instead, it features this message at the top of the homepage:

NOTICE: Due to a lapse in appropriations, Manufacturing.gov and all associated online activities will be unavailable until further notice.

Security certificates help keep websites secure, but last week the British security firm Netcraft reported that more than 130 certificates used by U.S. government websites had expired.

These certificates make sure users know "this is really the government resource that I'm trying to access and not some bad guy," explains Dan Kaminsky, the chief scientist at the security firm White Ops.

The lack of a certificate makes it easier for a bad actor to trick you into going to a fake site. Even though there's a warning when you click on a site without an updated certificate, Kaminsky says, "people might get used to ignoring the browser warnings" because of the shutdown. "Then you think you're really walking into this site and you're really not."

He offers a worst-case scenario: Imagine if the security certificate was down for the Social Security Administration website and a bad actor set up a fake site. Someone could go to the bogus site, enter their password, and give the hackers access to personal information.

The shutdown also means there are fewer IT staff on hand. For instance, around 2,000 employees — down from the usual 3,500 — are working at the Cybersecurity and Infrastructure Security Agency, one of the agencies leading the nation's cyberdefenses, according to the White House Office of Management and Budget's contingency plans.

[Image: The Commerce Department website is among the federal sites that are not being updated during the partial shutdown. Credit: U.S. Department of Commerce/Screenshot by NPR]

Rob Ragan, a partner in the cybersecurity firm Bishop Fox, says that means a lot of important tasks may not be done, such as updating software with the latest security patches.

"You end up getting buried in a really big backlog of issues that you may never dig yourself out of," he says. "And, at that point, one of those issues may have been an indicator of a compromise or a breach that may go unnoticed for months or years to come."

Security researchers worry that the shutdown is like putting a red blanket in front of a bull. Nations like Russia, China and Iran could see it as a signal to charge ahead. Meanwhile, Ragan says, think about the amount of information on government websites that's personal and even classified.

And the likelihood of security lapses increases as the shutdown drags on, says Vikram Thakur, a technical director at the security firm Symantec.

"We're in the fourth week of a shutdown right now," he says. "But as time goes on and on, that risk is most definitely going to go up exponentially."

Ironically, Thakur says, having fewer personnel on the job lowers at least one kind of security risk: email phishing. That's when hackers send an email with a link that unleashes malware into the system.

"If nobody's opening email and nobody's using the work network, the chances or the success rate for attackers who are using email as their primary mode of attack" drop, Thakur says.

NPR asked the Department of Homeland Security's Cyber Division for comment but did not hear back. House Democratic aides say they're also unable to get information about which federal IT workers are on the job.

But they want to see details when the shutdown ends. In the event of a future shutdown, Democrats might move to keep all IT workers on the job in the name of cybersecurity.

Copyright 2019 NPR. To see more, visit https://www.npr.org.

LULU GARCIA-NAVARRO, HOST:

Hackers love to try to breach U.S. computer systems. This now may be easier than ever before. With so many IT and cybersecurity workers furloughed by the shutdown, security professionals say government websites are more vulnerable. NPR's Laura Sydell reports.

LAURA SYDELL, BYLINE: The Trump administration may like to highlight American manufacturing, but try going to manufacturing.gov. The site has become unusable. You can't access any of the details offered about U.S. manufacturing. According to Netcraft, a British security firm, it's one of dozens of government sites that haven't renewed their security certificates. These certificates are a bit like a driver's license - they prove you are who you say you are. Dan Kaminsky, the chief scientist at the American security firm White Ops, explains.

DAN KAMINSKY: You need to know you're really talking to your hospital or to something at the Air Force or wherever. And so there are certificates that make it so you know, OK, this is really the government resource that I'm trying to access and not some bad guy.

SYDELL: In some cases, the lack of a security certificate may just make a site unusable. But Kaminsky says the lack of a certificate also makes it easier for a bad actor to redirect you to a fake site.

KAMINSKY: People might get used to ignoring the browser warnings. Oh, well, you know, it's just the shutdown. And then you think, oh, you're really walking into this site. And you're really not.

SYDELL: Kaminsky offers up a worst case kind of scenario. Imagine if the security certificate was down for the Social Security website, and a bad actor sets up a fake one. Someone could go to that site, enter their password and give the hackers access to personal information. The shutdown also means that there are fewer IT staff. For example, according to contingency plans on the White House Office of Management and Budget website, only around 2,000 employees out of more than 3,500 are working at the Cybersecurity and Infrastructure Security Agency. That's one of the agencies leading the nation's cyber defenses. Rob Ragan, a partner in the cybersecurity firm Bishop Fox, says there may be a lot of important tasks that aren't getting done, such as updating software with the latest security patches.

ROB RAGAN: You end up getting buried in a really big backlog of issues that you may never dig yourself out of. And at that point, one of those issues may have been an indicator of a compromise or a breach that may go unnoticed for months or years to come.

SYDELL: Security researchers worry that the shutdown is like putting a red blanket in front of a bull. Nations like Russia, China and Iran could see it as a signal to charge ahead. Ragan says think about the amount of information on government websites that's personal and even classified. And as the shutdown drags on, the likelihood of security lapses increases, says Vikram Thakur, a technical director at the security firm Symantec.

VIKRAM THAKUR: That risk is most definitely going to go up exponentially.

SYDELL: Ironically, Thakur says fewer personnel lowers at least one kind of security risk. One of the most popular hacking schemes is email phishing. That's when hackers send an email to an employee with a link that unleashes malware into the system.

THAKUR: If nobody's opening email and nobody's using the work network, the chances of the success rate for attackers who are using email as their primary mode of attack kind of falls all the way through.

SYDELL: NPR reached out to the cyber division at the Department of Homeland Security for comment but didn't hear back. Democratic aides in the House say they, too, are unable to get information right now about which IT workers are on the job. However, when the shutdown ends, they want to see details. In the event of a future shutdown, Democrats might move to keep IT workers on the job in the name of cybersecurity. Laura Sydell, NPR News. Transcript provided by NPR, Copyright NPR.