Build the Firewall: Government Shutdown Puts US Cybersecurity at Risk
On Friday, January 25, President Trump and the 116th US Congress reached an agreement to temporarily reopen the US federal government for three weeks, ending the longest federal government shutdown in history. For those outside the US or not current on US politics, the US federal government must pass funding bills in order to appropriate US taxpayers’ money to run the government. Passing a spending bill requires the US President and the US Congress to both agree on how to spend that money, which did not happen by the spending bill’s December deadline. If a spending bill is not passed, the government cannot operate, money cannot be paid, and non-essential federal workers and contractors are asked not to show up to work and will not collect a paycheck until the President and Congress pass a spending bill to reopen the government. Federal employees deemed “essential”, such as the FBI, Transportation Security Administration, and Customs and Border Protection, work without pay until the government reopens. While this is not a political blog and I will not advocate here for one side or the other, the impact on the US cybersecurity infrastructure simply cannot be overlooked.
This shutdown, the longest in history, had several implications for US cyber-readiness. No federal employees or contractors received their paychecks during the shutdown. With the eye-popping statistic that only 39% of Americans would be able to pay for a $1000 unexpected expense, it is no wonder that federal employees turned to websites like Indeed.com to search for stability with a new employer. Statistics provided by Indeed.com report that job searches by federal employees surged over 30% after the federal government shutdown began and accelerated as the shutdown dragged on for weeks.
This series of unfortunate events brilliantly sets the stage for social engineering and watering hole attacks. In a related story, a network of ATM machines in Chile was taken over by a North Korean hacking group through such an attack. The North Korean hacking group put out ads for job opportunities in the banking sector and even conducted virtual face-to-face interviews through the video chat application Skype. At the end of the interview process, the interviewer sent a file (named ApplicationPDF.exe) to the job seeker (who was applying for a software development role) with the instructions to run the file in order to generate a form to fill out as part of the hiring process. The received file would not generate a form for employment, but would act as a remote access tool giving the “interviewer” full access to the victim’s machine. In this case, the victim’s machine had access to an ATM network and the North Koreans were able to steal an unspecified amount of money before they were detected and kicked out of the system.
While there is no evidence that any federal employees have been targeted with this type of attack to date, it is conceivable that you can simply replace “banking sector” with “federal agencies” and end up with a very similar outcome. In today’s always-connected “we-are-vacuuming-up-your-data” world of Snapchat, Google, Facebook, LinkedIn, and Equifax, it is easier now than ever to reach an attacker’s target audience. An attacker could easily tailor their campaign to show phony job postings only in the LinkedIn feed, Facebook Wall, or Twitter timeline of affected federal employees. A desperate job applicant looking for a means to support their family with gainful employment may do things they would normally not do, such as open attachments from their new prospective employer. Without proper security controls, these remote access tools on US federal machines could grant dangerous levels of access to the attackers.
Most of the US Government’s IT staff are considered non-essential, so they were told not to show up for work. The designation of IT staff as non-essential must have been made in an era before the cyberwars. The consequences of this decision will be devastating to America’s cyber-readiness. Simple tasks such as renewing the soon-to-expire, and now expired, SSL certificates on US federal government websites were not performed, and many websites are showing SSL certificate errors, often warning users not to enter any sensitive information or even visit them. An early count as of two weeks ago showed over 80 expired SSL certificates on government websites (mostly sub-domains). With Google taking a strong stance of protecting users against themselves, it takes great effort to visit a website with an expired SSL certificate using the latest versions of the Google Chrome browser, the dominant web browser by market share.
Having expired SSL certificates potentially opens visitors to a man-in-the-middle attack since the purpose of the certificates is to both ensure secure communication to and from the website, as well as acting as proof that the website the user is visiting really is who they say they are. Forcing users to accept the expired certificates in order to conduct business will normalize this dangerous behavior. In the era where users are always taught to “look for the green address bar and the padlock” before entering in sensitive information, accepting the expired SSL certificates effectively destroys what little cybersecurity awareness training average users receive.
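The expiry monitoring described above, as an added Python example that is not part of the original post: it classifies a certificate's `notAfter` date as OK, WARN, or EXPIRED, and keeps verification on when fetching a live certificate so an expired chain is reported rather than accepted. The host names, the 14-day threshold, and the `fake_fetch` stand-in for a real TLS connection are constructed for the example.

```python
import socket
import ssl
import time

WARN_DAYS = 14  # flag certificates that expire within two weeks (constructed threshold)
# Constructed sample data, not real government hosts; the notAfter strings use
# the exact format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERTS = {
    "renewed.example.gov": "Jan 25 12:00:00 2019 GMT",
    "expiring.example.gov": "Jan 10 00:00:00 2019 GMT",
    "expired.example.gov": "Dec 22 00:00:00 2018 GMT",
}
FIXED_NOW = ssl.cert_time_to_seconds("Jan 1 00:00:00 2019 GMT")  # frozen clock for the demo

def days_until_expiry(cert, now=None):
    """Days until the cert's notAfter, negative once it has already expired.
    `cert` is a dict shaped like getpeercert(), carrying a 'notAfter' string."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0

def classify(cert, now=None):
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    return "WARN" if days < WARN_DAYS else "OK"

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf cert a live host presents; verification stays ON, so an
    expired or untrusted chain raises instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def fake_fetch(host):
    """Offline stand-in for fetch_peer_cert that serves SAMPLE_CERTS."""
    return {"notAfter": SAMPLE_CERTS[host]}

def audit(hosts, fetch=fetch_peer_cert, now=None):
    """Map each host to OK / WARN / EXPIRED, or to its verification or
    connection error, so a failing host is reported rather than skipped."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch(host), now)
        except ssl.SSLCertVerificationError as exc:
            report[host] = "VERIFY_FAIL: " + getattr(exc, "verify_message", str(exc))
        except OSError as exc:
            report[host] = "UNREACHABLE: " + str(exc)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CERTS, fetch=fake_fetch, now=FIXED_NOW))
```

Run it on real hosts with `audit(["host.example"])`; a cert that has already lapsed surfaces as `VERIFY_FAIL: certificate has expired` because the default context refuses it, which is exactly the browser behavior the post describes.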
In addition to expiring SSL certificates, asking IT staff not to work leaves federal systems vulnerable by definition. January 9th was a Microsoft Patch Tuesday, where numerous patches were released to address security vulnerabilities in Microsoft Windows and Office products, found in every US Federal Agency. Since the process of automatically renewing expiring SSL certificates is trivial and was still not done, as evidenced by the previous example, there is a high probability that Microsoft Updates still require some type of administrator intervention. Since the Patch Tuesday updates were not applied, hundreds of thousands of federal machines are now vulnerable to these now-known attacks. Adobe also patched two critical vulnerabilities each in Adobe Acrobat and Reader during the US government shutdown, with the patches likely sitting idle until employees return to work on Monday.
Like the parent who steals a loaf of bread to feed his or her starving children, desperate times make people do things they would normally not. Imagine an employee who has maxed out their credit cards and is about to miss their second paycheck. They receive an e-mail from someone claiming to be from their payroll department with the message “Good news! We found some money from last year’s budget to pay everyone their salary while the shutdown continues. To claim your money, please log into the HR portal using the following link: [insert convincing payroll URL] and follow the instructions on the site.” Sent to enough people, there will be some individuals who click on the link and enter their government credentials, personal, or financial information. However, the link they received from someone claiming to be in their HR department is actually a phishing link, and that employee and their agency have just been compromised.
In addition to federal employees going without pay during the shutdown, federal contractors are suffering a worse fate. While federal employees will be paid their salary for the 35 day shutdown, there is no guarantee that federal contractors will receive back pay. The US government relies extensively on contractors to perform tasks ranging from systems administration to guarding museums. Federal contractors have had a bumpy history when it comes to protecting their systems to prevent an attack on US government systems. In 2013, an employee of federal contractor Booz Allen Hamilton began to leak highly classified information regarding surveillance programs put in place by the US government. In 2016, a federal contractor in charge of background investigations was breached, which led to the hacking of the US Office of Personnel Management (OPM) and the subsequent loss of 22 million records, including highly sensitive information of federal employees. Employees of government contractors are just as susceptible to social engineering and watering hole attacks as federal employees. With no guarantee of back pay, contractors could get even more desperate than furloughed federal employees. Many contractors have VPN or physical access to US government systems, so a compromise of their device could potentially compromise government systems.
The government shutdown highlights the need for not only more automation, but security in a more ubiquitous nature protecting employees and contractors on all devices no matter where they are connecting. Having employees and contractors use a FedRAMP-approved always-on security solution will ensure users are protected even when the government is shut down. While personnel may not work during a shutdown, cloud-hosted security solutions are always being updated to protect against the latest internet threats without the need to apply Patch Tuesday and other updates. Simply put, security clouds are always running the latest software version, with the latest security updates, without the need for human intervention. Security solutions participating in Microsoft and Adobe’s Active Protections Program will be instantly protected against Patch Tuesday vulnerabilities. Unlike endpoint security solutions which require heavy resources to constantly monitor processes, stacks, and integrity checks, all that is required for security-as-a-service solutions is a lightweight client to forward internet traffic to the nearest security cloud enforcement point. Appliance-based solutions require users to full-tunnel VPN their traffic back to a datacenter for security inspection, while increasing latency and degrading the user experience.
The use of a cloud security stack will assist in protecting furloughed employees from phishing and social engineering attacks, even those hidden behind the use of SSL or TLS encryption. ApplicationPDF.exe does not stand a chance against a Cloud Sandbox, which can be used to discover and block zero-day threats. FakeHRWebsite[.]com will be detected and blocked by known or heuristics-based phishing detection. Data Loss Prevention with Exact Data Match can detect and block the leakage of even a single record of sensitive information (think First Name, Last Name, and Social Security Number). Requiring federal contractors to use a FedRAMP-approved Zero Trust Remote Access Platform can significantly reduce the attack surface and exposure in the event of accidental or intentional account compromise.
The government shutdown has happened before and it will happen again. If the President and Congress do not reach an agreement within 21 days of the temporary funding bill, the government will shut down again. Government agencies and federal contractors should take this time to implement and automate security as much as they can so users and systems are protected even if personnel are unable or unwilling to perform their duties. Even if a permanent spending bill is signed within 21 days, government shutdowns are now becoming as common as the Golden State Warriors winning a national championship.