As the U.S. government shutdown continues, it isn't only federal agencies being put at risk of cyberattacks. The government also runs federal security services relied upon by the private sector to help enterprises address and mitigate threats.
Experts said the U.S. government faces increasing risk as the shutdown prolongs and may face more problems after the shutdown ends if IT and infosec staff leave for the private sector. But, cybersecurity services run by the government -- like NIST, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Vulnerability Database (NVD) -- have also had workers furloughed.
According to the Department of Homeland Security, CISA's cybersecurity division "works with government and private sector customers to ensure the security and resilience of the Nation's cyber infrastructure." Because of the shutdown, CISA has had 43% of its employees furloughed. The NVD, which helps to alert enterprises about new threats, has been reduced to a single employee.
The Department of Commerce website notes that most of its federal security services and research have been halted due to the government shutdown, including NIST's Computer Security Division, but claims the NVD will continue to be available and updated. Chris Wysopal, CTO at Veracode, noted on Twitter that even NIST documents are unavailable.
Want to download the latest NIST 800-53 draft? Sorry you can't. https://t.co/GLFDBGI0uw— Chris Wysopal (@WeldPond) January 17, 2019
Additionally, while the National Cybersecurity and Communications Integration Center states its website will not be maintained during the shutdown, US-CERT has been active.
At the time of this writing, no government agency -- including DHS and the Department of Commerce -- have responded to requests for comment.
Tim Mackey, technical evangelist at software maker Synopsys, based in Mountain View, Calif., said the impact on these federal security services worries him because "security information from federal services is at the core of many security tools" at the corporate level.
"The NVD, like other services, is operating at seriously reduced staffing levels, while malicious organizations remain fully staffed. Independent publication of security disclosures by vendors with impacted products remains an option for commercial software but isn't viable for open source components. When it comes to security disclosures, a service such as the NVD is critical in communicating security information for open source projects," Mackey said. "Given that modern software is powered by open source components, any disruption in security information flow impacts commercial software as much as the open source equivalent. The core takeaway being that you can't patch or defend against something you don't know about, and the NVD is a critical source of security information."
Mackey noted that the NVD averaged about 45 new vulnerabilities per day in 2018, and a check of the service's RSS feed showed the shutdown has not slowed that pace as yet.
Tim Callan, senior fellow at Sectigo, the certificate authority formerly known as Comodo CA, based in Roseland, N.J., said the level at which federal security services and private sector enterprises are connected makes the potential threats more complex.
"Some companies have tight working relationships with the government agencies they serve or depend on. Once again, the widespread disruption of normal business processes and established roles can open agencies up for social engineering attacks like business email compromise or other spear-phishing schemes. Criminals may try to capitalize on the confusion employees are experiencing to trick them into taking action or granting access they otherwise wouldn't," Callan said. "An employee attempting to help out what appears to be a reassigned or overworked government worker who is just trying to keep the trains running may actually be giving away information, access or even money to a criminal con man posing as a government worker."
Callan added that the government holds information on private organizations that could be put at risk due to the shutdown.
"A good example of this interconnectedness is the Defense Federal Acquisition Regulation Supplement (DFARS), which specifies IT security requirements for companies doing business with the Department of Defense. DFARS exists to mitigate vulnerabilities in private industry being used to compromise [Department of Defense] operations and secrets," Callan said. "I wonder if the opposite could occur as well, where vulnerable parts of the U.S. government become high-value targets not for their own operations but for what they may reveal about the private companies that must deal with them."
Mackey suggested all organizations "look at the security tools they have and see which ones are dependent upon information from federal cybersecurity data feeds."
"When such a tool is found, contact the vendor and ask them how they are mitigating service disruptions in these feeds related to the shutdown," Mackey said. "Understanding the service levels within security tooling should be part of any security response plan. After all, security tools are only as good as their data sources and if those data sources can be disrupted through external actions like lack of government funding, then perhaps a change in tooling is in order."