Reports indicate that government cybersecurity teams were operating with just 45 percent of their staff during the shutdown, providing an opportunity for adversaries and cybercriminals to carry out attacks against the U.S. government
WASHINGTON- U.S. Senator Amy Klobuchar (D-MN) led a letter today to the Department of Homeland Security and the National Security Agency seeking answers over potential cybersecurity breaches during the government shutdown. Reports indicate that government cybersecurity teams, such as the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), were operating with nearly half of its staff furloughed during the shutdown and 80 government websites were rendered either insecure or inaccessible because the websites’ security certificates expired. These lapses in cybersecurity may have provided an opportunity for adversaries and cybercriminals to carry out attacks against the U.S. government.
“Experts have warned that our reduced capacity for cybersecurity during shutdowns provides an opportunity for adversaries and cybercriminals. We are concerned that these circumstances have left our government and citizens vulnerable to cyberattacks and write to request information regarding what actions are being taken to protect our networks in the event of a future shutdown,” the senators wrote.
Klobuchar was joined on the letter by Senators Ed Markey (D-MA), Tom Udall (D-NM), Catherine Cortez Masto (D-NV), Cory Booker (D-NJ), Jack Reed (D-RI) and Tina Smith (D-MN).
The full text of the letter can be found below:
Dear Secretary Nielsen and General Nakasone:
We write to express concern about the recent government shutdown’s effect on the security of our cyber-networks. Reports indicate that government cybersecurity teams, such as the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), were operating with less than half staff during the shutdown. To make matters worse, many government websites were rendered either insecure or inaccessible because the websites’ security certificates expired. Experts have warned that our reduced capacity for cybersecurity during shutdowns provides an opportunity for adversaries and cybercriminals.
Websites that had expired security certificates during the most recent shutdown included those operated by the U.S. Department of Justice, the Administrative Office of the Courts, and NASA, and reports indicate that more than 80 security certificates used by .gov websites expired. We are concerned that these circumstances have left our government and citizens vulnerable to cyberattacks and write to request information regarding what actions are being taken to protect our networks in the event of a future shutdown.
Digital security certificates play an important role in protecting communications transmitted over the internet from hackers and foreign governments. These certificates are necessary for web browsers to be able to verify that they are communicating securely with an authentic website, as opposed to a malicious site run by a fraudster or hacker. Digital certificates must be renewed and replaced before they expire – a task that in the past was done by hand, but can now be done securely through automated renewals. However, many agencies in our government are still updating the certificates manually. Due to the government shutdown, the agency employees that would normally renew and replace these certificates were furloughed. As a result, visitors to these government websites were warned not to log in or perform any sensitive operations on these sites, as traffic and authentication credentials are not encrypted and could be intercepted by malicious actors.
Experts from multiple cybersecurity firms have warned that these lapses in cybersecurity provide an opportunity for adversaries and cybercriminals to carry out attacks against the U.S. government. During the 2013 government shutdown, a cyber-attack was carried out successfully when Chinese hackers breached the Federal Election Commission’s computer network. The hackers crashed computer systems that disclose how billions of dollars are raised and spent each election cycle by candidates, parties, and political-action committees. Shutdowns have severe implications for the health and security of our democracy.
Suzanne Spaulding, a former Under Secretary at the Department of Homeland Security noted that "with each passing day, the impact of the government shutdown on our nation's security grows. Meanwhile, our adversaries are not missing a beat and the daily attacks on our systems continue … Cybersecurity is hard enough with a full team. Operating at less than half strength means we are losing ground against our adversaries." Security consultant Paul Mutton warned that "as more and more certificates used by government websites inevitably expire over the following days, weeks - or maybe even months - there could be some realistic opportunities to undermine the security of all U.S. citizens.”
To better understand how a prolonged government shutdown affected our government networks, we respectfully ask you to provide us with the following information:
- How did the government shutdown impact the security of government websites?
- What steps are being taken to ensure that there are sufficient cybersecurity protections to prevent attacks on government agencies during a shutdown?
- Can DHS work with other government agencies to ensure that security certificates are renewed immediately, regardless of a shutdown?
- Have Cyber Command and DHS considered improving how federal agencies update and replace their website encryption certificates by ensuring that they are automatically issued, renewed, and replaced? Would DHS need any additional authorities to require agencies to automatically renew security certificates?
- Will there be assessments conducted on government websites to discover any suspicious activity that may have occurred during the shutdown?
Thank you for your prompt attention to this serious matter.