When The Money’s Gone

Cybersecurity

Illustration by Michael Gibbs


It could not have come at a worse time. In the middle of the longest partial U.S. government shutdown in history, the National Cybersecurity and Communications Integration Center (NCCIC) issued an alert that it was aware of a global Domain Name System (DNS) infrastructure hijacking campaign affecting government, telecommunications, and Internet entities.

“Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve,” the alert from NCCIC said. “This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”

Twelve days after the alert was issued, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said that the campaign had affected multiple executive branch agency domains and notified the agencies that maintain them.

CISA then ordered all .gov and other agency-managed domains to audit their public DNS records to verify that they resolved to the intended locations. CISA also mandated that all passwords for accounts on systems that manage agencies’ DNS records be changed and that multifactor authentication be implemented.

To mitigate the campaign, the NCCIC recommended that organizations implement multifactor authentication on the domain registrar accounts used to modify DNS records; verify that their DNS infrastructure directs to the proper Internet Protocol addresses or hostnames; search for encryption certificates issued for their domains and revoke any fraudulent ones; and monitor certificate transparency logs for their domains.
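The two audits in that list, comparing live DNS answers against a known-good baseline and checking certificate transparency entries against the issuers an organization actually uses, can be scripted. The block below is an added example, not code from the article, NCCIC, or CISA; the domain names, addresses, and log entries are constructed sample data, and a real run would feed observed records from a resolver and entries from a CT log search.

```python
"""Audit DNS answers and CT log entries for signs of a DNS hijack.

Added example with constructed sample data (example.gov, 192.0.2.x,
198.51.100.x are documentation ranges, not real agency infrastructure).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.example.gov"
    rtype: str  # A, AAAA, NS, MX, ...
    value: str  # address or target host


def _norm(r: Record) -> Record:
    # DNS names are case-insensitive and may carry a trailing dot.
    return Record(r.name.lower().rstrip("."), r.rtype.upper(),
                  r.value.lower().rstrip("."))


def audit_dns(expected, observed):
    """Compare observed answers with the baseline.

    'unexpected' records are the hijack indicator: the zone now points
    somewhere the baseline never sanctioned (attacker infrastructure)."""
    exp = {_norm(r) for r in expected}
    obs = {_norm(r) for r in observed}
    return {"missing": exp - obs, "unexpected": obs - exp}


def audit_ct_entries(entries, domain, allowed_issuers):
    """Return CT entries covering `domain` whose issuer is not allowed.

    A certificate the organization never requested is exactly what an
    attacker obtains after redirecting the domain; these are candidates
    for revocation."""
    domain = domain.lower().rstrip(".")
    suspect = []
    for entry in entries:
        names = [n.lower().rstrip(".") for n in entry["names"]]
        covers = any(n == domain or n.endswith("." + domain) for n in names)
        if covers and entry["issuer"] not in allowed_issuers:
            suspect.append(entry)
    return suspect


# Constructed sample data: www now resolves to an address outside the baseline.
BASELINE = [Record("www.example.gov.", "A", "192.0.2.10"),
            Record("example.gov.", "NS", "ns1.example.gov.")]
OBSERVED = [Record("WWW.example.gov", "A", "198.51.100.7"),
            Record("example.gov", "NS", "ns1.example.gov")]
CT_ENTRIES = [{"issuer": "Agency CA", "names": ["www.example.gov"]},
              {"issuer": "Other CA", "names": ["mail.example.gov"]}]
ALLOWED_ISSUERS = {"Agency CA"}
```

Running `audit_dns(BASELINE, OBSERVED)` reports the changed A record as unexpected, and `audit_ct_entries(CT_ENTRIES, "example.gov", ALLOWED_ISSUERS)` returns the certificate from the unknown issuer.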

CISA said it would provide technical assistance to agencies, along with additional guidance through emergency directive calls to accomplish this work. 

However, government agencies faced significant challenges in carrying out CISA’s mandate because of the shutdown: many federal workers and contractors were furloughed or reporting for work without pay. For instance, 43 percent of CISA’s own workforce was furloughed during the shutdown.

This was in addition to the immense pressure these employees face on a day-to-day basis, says Suzanne Spaulding, former undersecretary for the National Protection and Programs Directorate at DHS (later known as CISA).

“My experience at DHS is these are people that are already completely overwhelmed with all the things they have to do—even when they are at full strength,” explains Spaulding, now senior advisor for homeland security at the Center for Strategic and International Studies (CSIS). “They can never get to things as quickly as they would like, or as you would like them to. There aren’t enough of those professionals and the amount of work they have to do to keep those systems in compliance with cybersecurity requirements, or bring systems into compliance with cybersecurity requirements, is massive.”

Shortly after CISA’s mandate went out, U.S. President Donald Trump signed a continuing resolution to fund the rest of the government for three more weeks to give Congress an opportunity to pass a budget for the rest of the fiscal year.

However, concerns remain about the impact that the partial government shutdown had on the nation’s cybersecurity. Critical functions of the government were still operational, but other functions—such as routine maintenance of government websites and networks—ceased during the shutdown.

For instance, one of the most visible signs that the cyber workforce was not on the job was the expiration of roughly 130 federal government websites’ encryption certificates. When visitors went to those sites, they likely received warnings from their Internet browsers that the websites were unsafe—or inaccessible.

“These security certificates, which expired absent manual renewal during the shutdown, render a number of these government sites unreachable to the public, as popular browsers treat the expired certificates as a security risk,” wrote U.S. Senator Mark Warner (D-VA), vice chairman of the Senate Select Committee on Intelligence, in a letter to DHS Secretary Kirstjen Nielsen. “Long term, the effect is an undermining of public trust in the competence and security of federal websites and Web-based government services.”

The shutdown also meant that international dialogues about cybersecurity were not happening, casting doubt on the U.S. government’s ability to be an effective partner, Spaulding says.

“We don’t have specifics, but if there were international meetings happening to talk about and continue to improve the ways in which we can work together to reduce risk and respond more effectively to attacks like WannaCry and NotPetya, it’s very likely that our folks are not able to go to those meetings,” she explains. “And that’s a big problem.”

The shutdown also likely stalled outreach to U.S. state and local partners to enhance election security following the 2018 midterm elections and ahead of the 2020 U.S. presidential election. 

“We are already behind schedule—even before the shutdown started—it was going to be hard for states to do all the things that they should do to secure elections for 2020, and a number of them—including Virginia—have elections in 2019,” Spaulding says. “Losing four weeks in that effort is problematic.”

U.S. lawmakers have voiced concerns about the shutdown’s impact on the nation’s cybersecurity, including Warner. In his letter to Secretary Nielsen, Warner explained that after the last extended government shutdown in October 2013, forensic investigators discovered the first breach of the Office of Personnel Management (OPM). Additional breaches later compromised more than 21 million current and former federal workers’ personal data.

“It’s my sincere hope that we will not come to learn that malicious actors opportunely chose to exploit our defenses while hundreds of thousands of government employees were needlessly pulled away from their jobs,” Warner wrote. 

He asked that Nielsen provide him with information about the federal government’s cybersecurity, including whether DHS noticed an uptick in attempted attacks during the shutdown; what percentage of DHS’s overall workforce—including contractors—was furloughed; the length of time it will take cybersecurity-related contracts that were suspended during the shutdown to resume; and the effect that the shutdown has on retention and morale of the federal workforce, which missed two paychecks during the lapse in appropriations.

FBI agents, many of whom work to investigate cybercrime, are considered essential personnel and were required to work without pay during the shutdown. The FBI Agents Association spoke to agents about the effect this had on their morale and commitment to the Bureau and shared their views anonymously in a report released to officials and the public.

“I’ve been an agent for more than four years and have a degree in computer science and work computer intrusions,” said one agent from the Washington, D.C., region. “Putting up with lower pay than the private sector only makes sense when you actually get paid.”

Another agent echoed those sentiments, adding, “I can’t imagine attracting new, qualified applicants to the FBI as a result of this shutdown—those folks will go elsewhere too, and we will get stuck with subpar applicants.”

Spaulding agrees and says that she is concerned that the United States will see an exodus of its “best and brightest” following the shutdown. 

“Inertia will keep some people who are frustrated from leaving,” she adds. “But certainly, people who have not yet committed to coming in are going to think twice about whether they really want to come into an environment where this kind of thing happens. I think it makes recruiting that much harder; and yes, I think we need to be prepared for a lot more openings.”

The shutdown can also have ramifications on the ability of workers who remain to obtain or continue to hold a security clearance, which is often necessary for those who work in cybersecurity.

Danel A. Dufresne, senior counsel at Tully Rinckey PLLC who works under the firm’s Security Clearance Practice Group, says that one of the main reasons that individuals lose their clearance is because of financial concerns.

For instance, a federal employee who holds a security clearance misses a few paychecks due to a government shutdown and racks up a large credit card bill, or personal loans, to cover his or her expenses until receiving back pay. This puts the employee in a financially tenuous position, which could be a security risk.

“The reason is it’s the basis for coercion,” he explains. “If you owe $10,000 to Citibank, you might be desperate for money to pay that off. If you haven’t told your employer, I could threaten to tell them and blackmail you.”

The FBI Agents Association warned of this exact scenario in its report issued during the shutdown.

“FBI Special Agents are subject to high security standards that include rigorous and routine financial background checks,” the association said. “Missing payments on debts could create delays in securing or renewing security clearances and could even disqualify agents from continuing to serve in some cases.”

Warner had asked that Nielsen provide the requested information by mid-February. As of Security Management’s press time, and ahead of another potential government shutdown, DHS had not responded to his request.