“Let’s hope that any security-related work being done to harden these websites from malicious attack was not interrupted by the government shutdown, and fingers crossed that no new critical patches come out that are needed to protect them from exploits and hackers,” said security researcher Graham Cluley, in his blog.
Steven VanRoekel, CIO for the federal government, said that he fears exactly that. With websites lying dormant and the number of cybersecurity staff across federal agencies having been greatly reduced, hackers and spies could see an opportunity to infiltrate US systems with a far lesser threat of detection.
“I worry about cybersecurity in the midst of a shutdown,” VanRoekel told the Wall Street Journal. “If I were a wrongdoer looking for an opportunity, I’d contemplate poking at infrastructure when there are fewer people looking at it.”
The shutdown also means that bad actors could take their time knocking around the compromised systems. “Additionally, compromised systems may go for a longer period without detection, allowing an attacker to take more than one step toward their target without being noticed,” said Tripwire director of product management Tim Erlin, in a news report. “These deeper intrusions are more likely during this shutdown and harder to uncover when the shutdown ends.”
For its part, the National Institute of Standards and Technology (NIST) has gone mostly dark. A forlorn message on its home page reads:
NIST Closed, NIST and Affiliated Web Sites Not Available
Due to a lapse in government funding, the National Institute of Standards and Technology (NIST) is closed and most NIST and affiliated web sites are unavailable until further notice. We sincerely regret the inconvenience.
The Computer Security Resource Center (CSRC) is one of the victims of collateral damage, although some services such as the National Vulnerability Database and NIST Internet Time Service websites are still running, Cluley noted. However, they’re not being updated as often.
VanRoekel said that cybersecurity forces are down to a “skeleton crew,” with the staff that specialize in responding to cyberattacks out on furlough. They would need to be called in to respond after any attack, losing a crucial real-time edge. That reality “is a little bit worrisome for me,” he said. “I have fewer eyes out there.”
The one exception is the Department of Homeland Security, which has retained some of its cyberstaff.
Bottom line? “If I were a hostile nation state, I would start unleashing everything I have right now in an attempt to exploit as much as possible while federal agencies are distracted,” said Lamar Bailey, head of Tripwire’s Vulnerability and Exposures Research Team (VERT), speaking with Softpedia. “In the late 1990’s and early 2000’s, the greatest number of exploits happened over holidays, weekends, and late at night when the IT staff was operating on a skeleton crew. This is no different.”