More than 80 TLS certificates used by US government websites have expired so far without being renewed, leaving some websites inaccessible to the public.
NASA, the US Department of Justice, and the Court of Appeals are just some of the US government agencies currently impacted, according to Netcraft.
The blame falls on the current US federal government shutdown, which has resulted in hundreds of thousands of government workers being furloughed across all government agencies, including staff handling IT support and cybersecurity.
Consequently, government websites are dropping like flies, with no one being on hand to renew TLS certificates.
Websites with expired certificates where admins followed proper procedures and implemented correctly-functioning HSTS (HTTP Strict Transport Security) policies are down for good, and users can’t access these portals, not even to browse for basic information.
Government websites with expired TLS certificates but which didn’t implement HSTS show an HTTPS error in users’ browsers, but this error can be bypassed to access the site via weakened HTTPS state.
Nevertheless, visitors are warned not to log in or perform any sensitive operations on these sites, as traffic and authentication credentials aren’t encrypted and could be intercepted by threat actors.
Visiting and browsing content is fine, but users should also be aware that all websites will not be actively managed and there won’t be employees on hand to process requests or update sites with the latest correct information.
The current government shutdown has been a disaster on the cybersecurity front so far. Experts from multiple cyber-security firms have warned that this would be the perfect time for hostile countries to carry out cyber-attacks against the US government, as agencies are understaffed and IT infrastructure is left largely unattended.
According to Axios, the Department of Homeland Security’s newly created Cybersecurity and Infrastructure Security Agency (CISA) has had 43 percent of its staff, which amounts to roughly 1,500 employees, sent home. The National Institute of Standards and Technology, which puts together and manages many security standards, has also kept only 49 employees of its normal 3,000.
But besides the losses in current personnel, government agencies have also missed an important opportunity for recruiting new cyber-security talent this winter, according to CyberScoop. No representatives for the FTC, NIST, the State Department, or CISA were present at booths at an important cyber-related student recruiting event held in Washington this year.
In the end, nothing good will come out of this shutdown. May it be a cyber-attack that goes undetected or agencies losing cyber-security personnel leaving for the private sector, the ripple effects of this shutdown will haunt agencies for months or years to come.
Editor’s Note: Updated January 11 to remove commentary that assigned responsibility for the prolonged government shutdown.