The IT impact of the ongoing partial US federal government shutdown has begun to show up in the form of degraded computer security. According to internet services biz Netcraft, more than 80 TLS certificates used on .gov websites have expired and have not been renewed.
Not all of those aforementioned TLS certificates have lapsed since the budget impasse became apparent on December 22, 2018. For example, a US Justice Department website sports a TLS certificate from web registrar Go Daddy that expired on December 17, 2018.
Due to the expired certificates, would-be visitors may find it difficult to access affected websites or may be kept away entirely by scary browser warning messages.
In theory, Netcraft observes, support for HTTP Strict Transport Security (HSTS) in modern browsers should prevent users from visiting websites with invalid certs. But because many government websites fail to implement HSTS correctly, visitors to these misconfigured sites will still be able to bypass warnings, raising the possibility of man-in-the-middle attacks.
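The interaction described above can be checked from the defender's side. The following is an added example, not code from Netcraft or from this article: it parses a Strict-Transport-Security header per RFC 6797 and reports whether an expired certificate would produce a hard failure or a warning the visitor can click through. The function names, host names, dates and header values are all constructed for illustration.

```python
from datetime import datetime, timezone

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns the policy as a dict, or None if absent or malformed."""
    if not header:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if not name:
            continue                     # tolerate empty directives (";;")
        if name in directives:
            return None                  # a repeated directive invalidates the header
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                      # max-age is required and must be an integer
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def assess(not_after, hsts_header, now):
    """Classify one site. hsts_header is assumed to be the value the site
    served while its certificate was still valid: browsers ignore HSTS
    headers on connections that have certificate errors."""
    policy = parse_hsts(hsts_header)
    enforced = policy is not None and policy["max_age"] > 0   # max-age=0 clears the policy
    if now <= not_after:
        return "ok" if enforced else "valid cert, no HSTS"
    return "expired: hard fail" if enforced else "expired: warning can be bypassed"

# Constructed sample data; hosts, dates and headers are illustrative only.
NOW = datetime(2019, 1, 11, tzinfo=timezone.utc)
SAMPLE = [
    ("a.example", datetime(2018, 12, 17, tzinfo=timezone.utc), None),
    ("b.example", datetime(2018, 12, 30, tzinfo=timezone.utc), "max-age=31536000; includeSubDomains"),
    ("c.example", datetime(2019, 1, 5, tzinfo=timezone.utc), "includeSubDomains"),
    ("d.example", datetime(2019, 6, 1, tzinfo=timezone.utc), "max-age=0"),
]

def audit(sites, now):
    return {host: assess(not_after, header, now) for host, not_after, header in sites}

if __name__ == "__main__":
    for host, status in audit(SAMPLE, NOW).items():
        print(f"{host:12} {status}")
```

A "hard fail" result still depends on the visitor's browser having recorded the policy on an earlier visit, or on the domain being on the browser's HSTS preload list.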
The partial government shutdown arises from President Trump’s insistence that Congress pass a national budget that includes $5.7 billion for the border wall he previously said would be paid for by Mexico. The Democrats now in control of the US House of Representatives have rejected Trump’s plan and there’s no evident interest in a compromise at the moment. As a result, federal government employees are expected to continue working without pay, or are being barred from work if deemed non-essential.
With government agencies limiting operations, including the Departments of Agriculture, Commerce, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, State, Transportation, and the Treasury, not to mention the Environmental Protection Agency, official inattention is magnifying security risks.
As the funding freeze loomed last month, DHS issued shutdown guidance saying it’s expected only 2,008 of its 3,531 employees in the recently formed Cybersecurity and Infrastructure Security Agency (CISA) would be active in the absence of funding. That means a lot of IT security work will be left undone. While a skeleton staff remains active at NIST to keep the national vulnerability database and time servers running, the majority of employees were sent home and its website pared back, somewhat hampering security research.
On Thursday, the FBI Agents Association, a group that represents almost 13,000 active duty FBI Special Agents, sent a petition to the White House and Congressional leaders warning of the impact of the shutdown on the national law enforcement agency.
Noting that FBI workers will not be paid on Friday, January 11, as they should be, the petition asks for elected leaders to fund agency operations “before financial insecurity compromises national security.” ®