International Trade Today is a Warren News publication.
Expired Patches, Certificates

Lawmakers Seek Cyber Assessment of Federal IT After Government Shutdown

Federal IT systems were at higher risk of cyber breach during the longest federal government shutdown in U.S. history, House lawmakers told us. Senate Democrats prodded federal agencies for answers Tuesday on what might have been compromised. Experts told us agencies such as the FCC and the FTC likely fell behind on security patch schedules. Risk of security breaches such as phishing scams also likely was heightened for the short-staffed agencies, they said.


There’s no way the closure didn’t have an “adverse impact on all kinds of security, including cybersecurity,” House Intelligence Committee Chairman Adam Schiff, D-Calif., told us. House Homeland Security Committee ranking member Mike McCaul, R-Texas, said he's "concerned about our federal IT systems to begin with, and obviously this shutdown situation is not helping the situation.”

Expiring security certificates for federal websites and suspended work at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (see 1901140024) raised concerns, Senate Intelligence Committee ranking member Mark Warner, D-Va., wrote Homeland Security Secretary Kirstjen Nielsen. Citing lack of coordinated cyberstrategy, Warner asked about any increased level of attacks during the shutdown, plans for resuming work and high-tech workforce retention.

A similar letter was sent to Nielsen and NSA Director Paul Nakasone by Democratic Sens. Amy Klobuchar, Minnesota; Ed Markey, Massachusetts; Tom Udall, New Mexico; Catherine Cortez Masto, Nevada; Cory Booker, New Jersey; and Jack Reed, Rhode Island. Like Warner, the group cited short staffing at CISA and expiring security certificates. They asked if agencies are exploring automatic certificate renewals and what security assessments are taking place to analyze the shutdown impact. DHS and NSA didn’t comment Wednesday.

Lack of IT personnel likely resulted in out-of-date security patch protections, said DCT Associates President Cynthia Brumfield. IT administrators typically send phishing alerts, so employees mightn't have received all details about malicious emails, she said. As federal workers return, they have to address a backlog of patching, verifying security certificates and running network scans, she said.

The FCC operated at about 17 percent due to the lapse in funding (see 1812210048). The FTC was at 23 percent (see 1812270042). They didn’t comment.

Patch cycles generally run two to four weeks, so vulnerabilities likely increased the longer the shutdown dragged, said CompliancePoint Senior Vice President-General Manager Greg Sparrow. Brumfield and Sparrow cited expiration of government website security certificates. Netcraft reported more than 130 transport layer security certificates used by federal sites expired without renewal during the shuttering. FCC and FTC site certificates were up to date. Sparrow said the expirations make it complicated for site visitors to verify website validity and create security issues with the data in transit.

Expect to learn about hackers who exploited these systems during the shutdown, Sparrow said. Agencies are vulnerable when fully staffed, and the lack of funding compounded that issue, he said.

Russia, China, North Korea and Iran are constantly probing for ways to exploit these IT systems, said CyberCecurity Managing Partner Ray Hutchins. He called China the best-resourced threat from that group. It’s already difficult for large organizations to stay up to date with security patches, Hutchins said, so the shutdown surely exacerbated the issue.

Brumfield noted prospective and employed federal cybersecurity personnel are likely less attracted to public sector work because of the shutdown: “They’re bailing. They’re taking job offers elsewhere.” That may also apply to non-IT staff at agencies including the FCC (see 1901280044).