Report: Shutdown Had ‘Minimal’ Effects on Government Cybersecurity

The 35-day government shutdown had “very minimal” immediate effects on the cybersecurity of federal agencies, according to security researchers.

While lawmakers and cyber wonks warned the longest government shutdown in history would leave agencies vulnerable to cyberattacks, researchers at Security Scorecard determined those fears were largely unfounded.

In fact, they said keeping hundreds of thousands of feds away from computers and network-connected devices may have had short-term benefits for the government’s cyber posture.

In a report published Wednesday, researchers assessed 128 federal agencies in three categories related to their overall cyber posture: network security, patching cadence and endpoint security. While network security scores dipped slightly during the shutdown, agencies improved their grades in the other two categories while much of the government was shuttered.

Researchers attributed the drop in network security to a spike in expired SSL certificates. Feds must consistently renew the protocols, which enable web browsers to securely connect to the internet, but they were unable to do so when agencies were shuttered.

Though agencies let a handful online security protocols lapse during the shutdown, they appeared to devote resources to addressing vulnerabilities and upgrading software, according to the report. Many cybersecurity workers continued to work without pay while agencies were closed, and researchers speculated they took advantage of the decreased internal traffic to catch up on overdue patching.

Agencies also significantly improved endpoint security during the shutdown, largely because there were so few endpoints in use, researchers found. Furloughed employees were forced to stay offline for the duration of the shutdown, so there were less devices for back actors to exploit.

“When thousands of users with outdated browsers and operating systems are not logging into government networks on a daily basis with the same frequency as previously observed, the attack surface is reduced for that period of time,” researchers wrote. “An attacker cannot successfully spearphish a target if the target isn’t checking their email or turning on their laptop.”

Despite their reassuring findings, researchers said shutdowns that drag past the two-month mark could have more dire effects on the government’s cyber posture, echoing the sentiments of many in the national security sphere.

On Jan. 24, the day before the government reopened, former Homeland Security Department officials warned the shutdown could damage the country’s national security and cyber posture “for months, if not years.”

Day-to-day cyber operations may have been unaffected by the funding lapse, but the agency was forced to halt efforts to proactively defend against emerging threats, said Caitlin Durkovich, who served as assistant secretary for infrastructure protection during the Obama administration. As online adversaries improve their tactics, the government will be left playing catch up, she and other officials said.

The shutdown could also exacerbate the government’s struggle to recruit and retain young, tech-savvy employees. Technologists who might otherwise consider federal jobs may see less stability in civil service and opt for higher paying gigs in the private sector.

“If you're a highly qualified person in the tech field or the cyber field, you've got a lot of employers out there that are looking to scoop you up,” Margot Conrad, director of federal workforce programs at the Partnership for Public Service, told Nextgov. “I do think agencies are really going to be hurting now in terms of recruiting the next generation of talent that [they] desperately need.”