US government shutdown leaves websites at risk

In December 2018, President Donald Trump announced a partial shutdown of the US government, leaving 800,000 ‘non-essential’ workers unpaid. They range from security personnel at airports and staff at national parks through to employees responsible for the operation and maintenance of various federal or state websites.

The government shutdown has been implemented as part of Trump’s dispute with Democrats over the construction of his desired border wall with Mexico: he is insisting that Congress ratify the release of $5.7bn to fund it. The Democrats, who are now in control of the House of Representatives, have refused to accede to his demand, leading to deadlock between the two sides.

While the closure of various branches of the government has been covered closely in the media, less attention has been paid to its impact on cyber security in the US.

In the last couple of weeks, however, various problems have begun to emerge.

First, it has been reported that the security certificates of around 130 government websites have expired.

Secure Sockets Layer (SSL) certificates and their successor, Transport Layer Security (TLS) certificates, are designed to protect communication between website and user by facilitating the encryption and authentication of data while it is in transit. When those certificates are allowed to expire, there is a possibility that visitors will ignore warnings and simply continue to attempt to reach the part of the site they are aiming for. While browsers should prevent this, websites where HTTP Strict Transport Security (HSTS) has not been properly implemented will still allow users to get through.

The danger here lies in the possibility of a man-in-the-middle (MITM) attack, whereby communication between website and visitor is intercepted by cyber criminals intent on stealing personal data.
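The interaction between certificate expiry and HSTS described above can be checked across a site inventory. The following is an added example, not part of the original article: the hostnames, dates and headers are constructed sample data, and it assumes the browser has already cached the site's HSTS policy (or the site is preloaded), which is when an expired-certificate warning cannot be clicked through.

```python
import ssl

# Constructed inventory: (host, certificate notAfter in the format returned by
# ssl.getpeercert(), Strict-Transport-Security header value or None).
SAMPLE_SITES = [
    ("portal.agency.example", "Dec 17 12:00:00 2018 GMT", None),
    ("forms.agency.example", "Jan  5 12:00:00 2019 GMT", "max-age=31536000; includeSubDomains"),
    ("news.agency.example", "Jan 20 12:00:00 2019 GMT", "max-age=0"),
    ("www.agency.example", "Nov 30 12:00:00 2019 GMT", "max-age=63072000; preload"),
]

# Fixed audit date (constructed) so the result is reproducible.
AUDIT_TIME = ssl.cert_time_to_seconds("Jan 10 00:00:00 2019 GMT")

def hsts_max_age(header):
    """Return max-age in seconds from an HSTS header, or 0 if absent/invalid."""
    if not header:
        return 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else 0
    return 0

def classify(not_after, hsts_header, now, warn_days=30):
    """Classify one site by certificate validity and HSTS enforcement."""
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    # max-age=0 tells browsers to drop the policy, so it counts as not enforced.
    enforced = hsts_max_age(hsts_header) > 0
    if days_left < 0:
        # With HSTS in effect the certificate error is a hard failure;
        # without it the visitor is offered a click-through.
        return "expired-blocked" if enforced else "expired-bypassable"
    if days_left <= warn_days:
        return "renew-soon" if enforced else "renew-soon-no-hsts"
    return "ok" if enforced else "ok-no-hsts"

def audit(sites, now):
    """Map each host to its classification at the given audit time."""
    return {host: classify(not_after, hsts, now) for host, not_after, hsts in sites}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_SITES, AUDIT_TIME).items():
        print(f"{host:24} {status}")
```

Hosts reported as `expired-bypassable` are the ones where a visitor can continue past the warning, so they are the first to renew.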

Expiration of certificates can also lead to other major problems. According to reports, Ericsson’s failure to renew a software certificate resulted in millions of people being left without mobile phone services in December 2018; and the very serious breach experienced by Equifax in 2017 would have been discovered a lot sooner by the company but for an expired certificate.

Other cyber security concerns relating to the government shutdown revolve around the creation of fake websites which can easily fool unwary people into believing they are accessing the genuine one. Domains are registered, and SSL/TLS certificates are set up. This is a common tactic used in phishing campaigns.

In December 2018 new research from PhishLabs showed that almost half of all phishing sites now use an SSL/TLS certificate, meaning that their URLs begin with 'HTTPS' and the majority of browsers display the padlock symbol that users believe guarantees their browsing safety.

There has been a huge rise in the use of these certificates since 2016. The figure two years ago was just 2.81%, and in 2017 it was 31.2%. The increase to 49% by the end of Q3 2018 is primarily attributed to the continued use of SSL/TLS certificates by phishers.

As well as the problems arising from the expiration of certificates, spoof websites and phishing campaigns, many US government websites are no longer being actively maintained, and visitors to them are now being greeted with a warning.

For example, the Department of Homeland Security is displaying the following message:

NOTICE: Due to the lapse in federal funding, this website will not be actively managed. This website was last updated on December 21, 2018 and will not be updated until after funding is enacted. As such, information on this website may not be up to date. Transactions submitted via this website might not be processed and we will not be able to respond to inquiries until after appropriations are enacted.

If these sites are not actively and properly maintained, it is likely that vital updates are not being applied, and they are thus being left exposed to any number of vulnerabilities or malware infections. The patches issued by Microsoft for January, for instance, may not be incorporated; nor will others released by other companies.

Further, there is every possibility that hacker groups from ‘hostile’ states such as China, Russia, Iran or North Korea could seek to capitalise on the prospects offered to them by the disruption in the government’s normal services, and will view this time as an excellent opportunity to launch new attacks or cyber-espionage campaigns.

China, for example, is in the middle of a trade war with the US due to Trump’s imposition of economic tariffs, and could certainly be preparing for a new, highly damaging wave of cyber attacks on a range of sectors and organisations, from critical infrastructure through to the military.

Other hacker groups such as Fancy Bear (Russia), Lazarus (North Korea) or Charming Kitten (Iran) are also likely to be using the downtime in services for their own purposes, infiltrating vulnerable networks - possibly lesser-known federal or state websites - where they may lie in wait for months before launching attacks on more important and valuable targets.

Any companies contracted out for government work could also be affected if their information is accessed due to cyber security problems resulting from the shutdown. It is therefore particularly important at this time for all organisations involved with the US government to revisit their own cyber security practices and ensure that systems are updated as soon as patches are released.