The longest government shutdown in the history of the United States is leaving federal websites even more vulnerable to hackers and could lead to an exodus of security talent to the private sector, cybersecurity experts warned.
Since the government shut down on Dec. 21, nearly half of the Cybersecurity and Infrastructure Security Agency workforce has been furloughed, while the rest has been working without pay, according to a release from the Committee on Homeland Security.
Security groups unanimously agree that there are more jobs than skilled cybersecurity professionals available to fill them. There will be as many as 3.5 million unfilled cybersecurity jobs by 2021, according to a report released last year by Cybersecurity Ventures and The Herjavec Group. Another report predicts a shortfall of 1.8 million cybersecurity employees by 2022.
As the shutdown continues without an end in sight, some of the best and brightest federal cybersecurity employees could leave their jobs and seek one of the many more lucrative openings in the private sector, said Nate Fick, CEO of security company Endgame and a former Marine Corps officer.
“Cybersecurity is a field that has an endemic talent shortage,” Fick said. “All of a sudden you have these professionals who are furloughed and unpaid, the phones of private companies are ringing off the hook and it’s hard to get them back.”
Aside from the potential brain drain, the cracks are already showing in government websites. Many websites feature a notice at the top of the page letting visitors know that the site won’t be updated because of a lapse in government funding.
That apparently means even routine security practices are going unchecked. Security firm Netcraft reported last week that more than 130 certificates used by government websites had expired.
Certificates require the owner to prove they own a domain. If not, there’s a risk that website URLs can be spoofed and people can be tricked into visiting a fraudulent website, said Robert Siciliano, a security analyst at Hotspot Shield.
“A website is like any vehicle and is required to go through some general maintenance — and without that maintenance, things began to fail and there are vulnerabilities,” Siciliano said.
In one hypothetical scenario, a bad actor could set up a fake government website, trick someone into entering their password and then have access to personal information that could be used to steal identities.
While much of threat detection is automated, humans still play a vital role in reviewing threats and making sure a website’s cybersecurity hygiene is up to date, experts said.
“Cybersecurity is generally a manual process that involves boots on the ground and the eyes and ears of those who engage in responding to digital attacks, understanding the nuances of updating critical security patches, website security certificates, and general website or network maintenance to prevent intrusions,” Siciliano said.
As the shutdown drags on, Fick said hackers — potential bad actors acting on behalf of foreign governments — are receiving a message that the U.S. federal cybersecurity infrastructure isn’t in the best shape to defend against attacks.
“It’s sending a signal to the world that our federal government has reached a degree of dysfunction where, despite everything we say, we are willing to leave chunks of the government uncovered,” Fick said.