It’s been more than a month since the federal government shut down.
We all know the familiar story of the 800,000+ workers, and the millions of contractors, who are not receiving paychecks.
(Plus there are millions of other workers and small businesses in the private sector whose incomes depend at least partially on the government-- and they’re all suffering as well.)
But now the shutdown is starting to affect cybersecurity.
Because it turns out that there are now at least 200 federal websites whose SSL certificates have expired ever since government employees were furloughed.
If you’re not familiar, SSL (and its updated version TLS) are standard encryption technologies that ensure information passed between Internet users and the websites they visit is secure.
Without SSL and TLS, your data (including credit card or other personal information) could easily be intercepted by hackers.
And nearly every website you visit now, from Google to our own BestofColorado.News uses this encryption.
Each site has to have a “certificate”, which is really just a digital file that forms part of the encryption key. These certificates expire from time to time and must be renewed… ideally by competent professionals who know what they’re doing.
Like I said before, there are now at least 200 US government websites whose SSL certificates have expired.
But most agencies no longer have competent professionals on hand to update the certificates.
Instead, the IT guys are sitting at home waiting for the shutdown to end.
Remember that when the government shut down, federal employees were grouped into two categories: ESSENTIAL and NON-ESSENTIAL.
The non-essential employees were sent home and told to wait it out, with a warning that it’s actually against the law for them to even log in to their work emails.
The essential employees, meanwhile, are inexplicably forced to keep working for no pay-- which is something that was supposedly outlawed in the Land of the Free back in 1863.
About HALF of all federal employees, it turns out, are non-essential, with more than 380,000 waiting at home for the shutdown to end.
And depending on the agency, the numbers are even more pronounced.
Cybersecurity seems especially hard-hit: the National Protection and Programs Directorate, which the US Computer Emergency Readiness Team (US-CERT), has lost more than 80% of its workforce since the furlough began.
US-CERT is one of the lead players in cybersecurity; it not only heads the governments efforts to fight off foreign hackers, but it also coordinates with private companies to disseminate information about computer viruses and other cyber threats.
They’ve now collapsed into a tiny skeleton crew, leaving countless government networks vulnerable to attack. It’s not just SSL certificates either; with so many cybersecurity staff on furlough, most agencies won't be able to install critical security updates.
That leaves their systems-- and the treasure trove of information within them, heavily exposed to foreign hackers.
Just think about all the personal data that sits inside government networks. Tax and financial information. Family details. Address history. Travel history. Work history. They literally have your whole life in there.
In 2016, hackers obtained access to the IRS and stole information on hundreds of thousands of taxpayers.
In 2014, a breach of the US Office of Personal Management was discovered. The information of 22 million former and current government employeeswas hacked.
I imagine that right at this very moment there are probably dozens of foreign hacker groups, both government and private, who are having a field day with vulnerable US government networks in what will become the mother of all data breaches.
We probably won’t find out about it for months… maybe even a year or two down the road. But someday you can expect to see news headlines about catastrophic government hack that occurred during the shutdown of 2019.
This is a great reminder, by the way, to take some basic steps to safeguard your own privacy and online security. Let’s say you have an online account with the Social Security Administration.
And, like a lot of people, you might use that same password for several websites-- like your email, social media, bank account, etc. Well, if the Social Security network is hacked and your password stolen, that means ALL of your other accounts could be breached as well.
Don’t make this mistake.
The government is already creating a lot of cybersecurity vulnerabilities in its egomaniacal dispute over a $5 billion border wall. Re-using the same password makes you even more vulnerable.