Government Website Certificates Are Expiring – Leaving Millions of Americans at Risk
It’s been almost a month since the US Government shut down on December 22, 2018, and while some effects of this record-breaking shutdown are obvious, others are flying under the radar — including the increased vulnerability to cybercrime faced by millions of Americans.
Government websites are currently warning users to be wary of entering sensitive information as their digital certificates expire. For non-security professionals, this may seem like an adequate solution to the problem; however, this “warning” is only scratching the surface, and the reality is that IT systems of all types depend on digital certificates to operate safely.
Digital certificates also secure the internal computing applications that keep our government agencies running. They are essential to information flow, financial transactions, healthcare, utilities, transportation, defense, and other important functions. Without active certificates, all of these government functions are at risk of shutting down.
Recent research from Netcraft revealed that more than 80 SSL / TLS certificates used by .gov websites have expired and will not be renewed during the shutdown. Since large agencies might be using thousands of certificates, they require continual monitoring and care to ensure that certificate expirations don’t create outages or data breaches.
December’s widespread service outage for O2, Softbank, and other major cellular carriers shows the damage that unaddressed certificate expirations can cause. Reports of expirations in agencies such as NASA, the Department of Justice, and the Court of Appeals emphasize the seriousness of this possibility.
History shows us that cybercriminals leverage opportunities and adjust their methods, targets, and timing to gain the greatest advantage. Cybercriminals, like all criminals, attack when their targets are most vulnerable—like when there is a disruption from the normal day-to-day. The widespread disruption of normal business processes and established roles that occurs during a shutdown can open agencies up for social engineering attacks like Business Email Compromise (BEC) or other spear phishing schemes. Criminals may try to capitalize on the confusion from the shutdown to trick employees into misguided actions that they wouldn’t otherwise engage in.
As we enter the 26th day of the shutdown, Americans, as well as the enterprises that work closely alongside different government organizations, remain in the dark and at risk. The widespread uncertainty may fool unsuspecting civilian workers into giving away information, access, or even money to a criminal posing as a government worker.
Certificate automation and management is one way organizations can defend against this kind of risk. The technology can monitor and automatically replace expiring certificates, give visibility into the certificates in use, and even discover new certificates before an unexpected expiration can cause a problem — reducing the risk of lost revenue or data and financial penalties for outages or security breaches.
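The monitoring step described above, as an added example that is not from the original article or from any vendor's product: a Python triage of a certificate inventory that ranks entries by how close they are to expiry. The hostnames, dates, evaluation time and 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # assumed renewal lead time
# Constructed evaluation time, so the result does not depend on today's date.
NOW = datetime(2019, 1, 16, 12, 0, 0, tzinfo=timezone.utc)

# Constructed inventory: hosts and dates are invented sample data. notAfter is
# in the text format that ssl.SSLSocket.getpeercert() reports.
INVENTORY = [
    {"host": "www.agency.example", "notAfter": "Nov 30 12:00:00 2019 GMT"},
    {"host": "api.agency.example", "notAfter": "Feb  1 00:00:00 2019 GMT"},
    {"host": "forms.agency.example", "notAfter": "Jan  5 23:59:59 2019 GMT"},
    {"host": "legacy.agency.example", "notAfter": "not a date"},
    {"host": "portal.agency.example", "notAfter": "Dec 17 12:00:00 2018 GMT"},
]

URGENCY = {"EXPIRED": 0, "UNREADABLE": 1, "RENEW_NOW": 2, "OK": 3}


def classify(not_after, now, window=RENEW_WINDOW):
    """Return (status, days_left); days_left is None if the date is unparseable."""
    try:
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    except ValueError:
        # A record nobody can read is a monitoring gap, not a healthy certificate.
        return "UNREADABLE", None
    remaining = expires - now
    days_left = round(remaining.total_seconds() / 86400, 1)
    if remaining <= timedelta(0):
        return "EXPIRED", days_left
    if remaining <= window:
        return "RENEW_NOW", days_left
    return "OK", days_left


def triage(inventory, now, window=RENEW_WINDOW):
    """Return (host, status, days_left) rows, most urgent first."""
    rows = [(e["host"], *classify(e["notAfter"], now, window)) for e in inventory]
    rows.sort(key=lambda r: (URGENCY[r[1]], r[2] if r[2] is not None else 0.0))
    return rows


if __name__ == "__main__":
    for host, status, days_left in triage(INVENTORY, NOW):
        print(f"{status:<10} {host:<24} days_left={days_left}")
```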
For now, be cautious when visiting US Government sites during this shutdown — especially those that display a Not Secure warning or certificate error.