Shutdown Makes Government Websites More Vulnerable to Hackers, Experts Say


Several parts of the federal government have been shut down for about a month now, and cybersecurity professionals said government websites were becoming more vulnerable to security breaches each day the shutdown continued.

Visitors to, for instance, are finding that the site has become unusable — its information about the manufacturing sector is no longer accessible. Instead, it features this message at the top of the homepage:

NOTICE: Due to a lapse in appropriations, and all associated online activities will be unavailable until further notice.

Security certificates help keep websites secure, but last week the British security firm Netcraft reported that more than 130 certificates used by U.S. government websites had expired.

These certificates ensure users are actually accessing government resources and not a fraudulent website, said Dan Kaminsky, the chief scientist at the security firm White Ops.

The lack of a certificate makes it easier for a bad actor to trick users into going to a fake website. Even though there's a warning when users click on a website without an updated certificate, Kaminsky said, "people might get used to ignoring the browser warnings" because of the shutdown. "Then you think you're really walking into this [web]site and you're really not."


He offered a worst-case scenario: Imagine if the security certificate was down for the Social Security Administration website and a fake one was set up. Someone could go to the bogus site, enter their password and give the hackers access to their personal information.

The shutdown also meant there were fewer information technology staff on hand. For instance, around 2,000 employees — down from the usual 3,500 — are working at the Cybersecurity and Infrastructure Security Agency, one of the government arms leading the nation's cyber defenses, according to the White House Office of Management and Budget's contingency plans.

Rob Ragan, a partner in the cybersecurity firm Bishop Fox, said that means a lot of important tasks may not be done, such as updating software with the latest security patches.

"You end up getting buried in a really big backlog of issues that you may never dig yourself out of," he said. "One of those issues may have been an indicator of a compromise or a breach that may go unnoticed for months or years to come."

Security researchers worried that the shutdown was like putting a red blanket in front of a bull. Nations like Russia, China and Iran could see it as a signal to charge ahead. There is much information on government websites that's personal and even classified, Ragan said.

The likelihood of security lapses increases as the shutdown drags on, said Vikram Thakur, a technical director at the security firm Symantec.

"As time goes on, that risk is most definitely going to go up exponentially," said Thakur.

Ironically, Thakur said, having fewer personnel on the job lowers at least one kind of security risk: email phishing. That's when hackers send an email with a link that unleashes malware into the system.

"If nobody's opening email and nobody's using the work network, the chance or the success rate for attackers, who are using email as their primary mode of attack" drops, Thakur said.

NPR asked the Department of Homeland Security's cyber division for comment but did not hear back. House Democratic aides said they're also unable to get information on which federal IT workers were on the job.

Democrats want to see details when the shutdown ends. In the event of a future shutdown, Democrats might move to keep all IT workers on the job in the name of cybersecurity.