Despite widespread security concerns, the 35-day government shutdown – the longest in US history – had a “minimal” impact on federal cybersecurity and in some areas may have even resulted in improvements, according to IT risk management firm SecurityScorecard.
A stand-off between Republicans and Democrats over funding for President Trump’s US-Mexico border wall saw around 800,000 federal employees furloughed or told to work without pay.
This resulted in delays at major airports, hamstrung terrorist investigations and cost the US economy an estimated $3bn.
During the shutdown, various information security firms and publications reported that federal cybersecurity was at risk due to staff shortages and operational disruption.
While the hypothesis is sound – that adversaries could take advantage of this disruption – SecurityScorecard’s quantifiable analysis has thrown up some surprising results.
The US company’s platform continuously monitors vulnerable areas of an organisation, such as application security, malware and hacker chatter, combining the metrics into a real-time score out of 100.
The firm’s ‘Cybersecurity Impact Analysis of US Government Shutdown’ report, released today, focused on three areas that show some aspects of government network security did drop “a minimal amount during the course of the shutdown”. Others, however, improved.
The government’s network security rating, the measurement of detected open ports, dropped slightly during the shutdown. This is because the number of expired SSL certificates on the public internet increased.
These certificates prove a website is authentic and information sent through it is secure. When this certificate is not renewed it makes it harder to determine if it is legitimate or not.
It is a concern that was raised to Verdict during the shutdown by internet services company Netcraft.
Before the shutdown, the average network security score stood at a peak of 92.27% in September 2018. This fell to a low of 90.7% on 11 January 2019.
SecurityScorecard directly attributes this 1.58% drop to a rise in expired SSL certificates, but notes that a shift of less than 2% does not appear to be “any better or worse than when the US government is operating as usual”.
It reasons that the government shutdown was simply not long enough to have a significant impact on network security.
Endpoint security observations
The second area of focus for SecurityScorecard was endpoint security – that is, protecting networks from threats originating from remote devices such as laptops or mobile devices.
During the shutdown, endpoint security improved by 9.16%, from a September low of 81.37% to a January high of 91.07%.
SecurityScorecard’s reasoning is surprisingly simple: if a machine is not turned on, it cannot be a target.
This theory correlates to a noticeable drop in internet browsing traffic coming from US government networks during the shutdown.
Further reducing the threat, the most vulnerable point of attack on a network is the end users’ workstation or mobile device.
In short, a large percentage of the most vulnerable users were simply not connected.
“An attacker cannot successfully spear phish a target isn’t checking their email or turning on their laptop,” the report states.
Another surprising finding was that patching cadence – the frequency at which software updates are installed – improved during the government shutdown.
SecurityScorecard says that the 1.38% gain could be attributed to critical areas of government – military, defence, law enforcement etc. – that were still operational taking advantage of reduced traffic on the network to implement overdue updates.
A longer US government shutdown could spell trouble
While the findings reveal some surprising side-effects of the government shutdown, SecurityScorecard warns that the 35 day period is a relatively short window for cybersecurity life cycle vulnerabilities.
With the current deal only reopening the government for just three weeks, there remains the looming threat that another shutdown is on the cards.
SecurityScorecard warns that a longer shutdown of 60, 90 or 120 days would “likely have much more measurable impact” on the overall security rating of the US government.
And it should also be noted SecurityScorecard’s report does not take into account other potentially harmful metrics, such as disgruntled cybersecurity experts leaving the public sector for private business, resulting in cybersecurity brain drain.