There are now more than 130 .gov websites marked in browser address bars as “insecure” because their digital certificates have expired and haven’t been renewed by employees who’ve been furloughed during the US government shutdown, which is now entering its 27th day.
The number of government sites with expired certificates is up from 80 reported by Netcraft at the beginning of last week.
The expired Transport Layer Security (TLS) certificates mean that some sites can’t be reached at all by visitors using Chrome and Firefox, because those sites’ strict transport security policies stop the browser from letting users click through the certificate warning.
Websites affected by non-renewed certificates include the US government portal for manufacturing, manufacturing.gov, two Federal Aviation Authority websites, a National Archives customer portal, the FFIEC (Federal Financial Institutions Examination Council) Anti-Money Laundering Infobase, numerous Department of Agriculture sites, and some government remote access services.
These join sites with expired certificates from NASA, the US Department of Justice, and the Court of Appeals.
Netcraft’s Paul Mutton, who's been tracking .gov sites with certificates not renewed during the shutdown, notes that individual expired certificates can be fixed for about $400 a year, but this won’t happen until Trump’s stalemate over a wall at the Mexican border is resolved.
Some fear that the expired certificates are just the tip of the iceberg in terms of how the government shutdown is impacting US cybersecurity. There are concerns that there will be short- and long-term impacts from such large numbers of government employees with cybersecurity functions not maintaining systems for a whole month.
In the near term there are fears that attackers could strike while the US has its guard down because key cybersecurity functions are only working at half-steam during the shutdown. Over the longer term, the government could lose its best talent to the private sector.
The Department of Homeland Security’s Cybersecurity and Infrastructure Agency’s (CISA) planning document for the shutdown indicates that just 2,008 of the 3,531 CISA employees have been retained until Congress releases funding.
CISA, which is tasked with protecting infrastructure from physical and cyber attacks, was created when Trump signed a new cybersecurity act in November.
Even worse, some 85 percent of staff at NIST, the National Institute of Standards and Technology, have been furloughed, which Duo Security notes could impact the release of key cybersecurity standards and guidelines it had been working on prior to the shutdown.