LULU GARCIA-NAVARRO, HOST:
Hackers love to try to breach U.S. computer systems. This now may be easier than ever before. With so many IT and cybersecurity workers furloughed by the shutdown, security professionals say government websites are more vulnerable. NPR's Laura Sydell reports.
LAURA SYDELL, BYLINE: The Trump administration may like to highlight American manufacturing, but try going to manufacturing.gov. The site has become unusable. You can't access any of the details offered about U.S. manufacturing. According to Netcraft, a British security firm, it's one of dozens of government sites that haven't renewed their security certificates. These certificates are a bit like a driver's license - they prove you are who you say you are. Dan Kaminsky, the chief scientist at the American security firm White Ops explains.
DAN KAMINSKY: You need to know you're really talking to your hospital or to something at the Air Force or wherever. And so there are certificates that make it so you know, OK, this is really the government resource that I'm trying to access and not some bad guy.
SYDELL: In some cases, the lack of a security certificate may just make a site unusable. But Kaminsky says the lack of a certificate also makes it easier for a bad actor to redirect you to a fake site.
KAMINSKY: People might get used to ignoring the browser warnings. Oh, well, you know, it's just the shutdown. And then you think, oh, you're really walking into this site. And you're really not.
SYDELL: Kaminsky offers up a worst case kind of scenario. Imagine if the security certificate was down for the Social Security website, and a bad actor sets up a fake one. Someone could go to that site, enter their password and give the hackers access to personal information. The shutdown also means that there are fewer IT staff. For example, according to contingency plans on the White House Office of Management and Budget website, only around 2,000 employees out of more than 3,500 are working at the Cybersecurity and Infrastructure Security Agency. That's one of the agencies leading the nation's cyber defenses. Rob Ragan, a partner in the cybersecurity firm Bishop Fox, says there may be a lot of important tasks that aren't getting done, such as updating software with the latest security patches.
ROB RAGAN: You end up getting buried in a really big backlog of issues that you may never dig yourself out of. And at that point, one of those issues may have been an indicator of a compromise or a breach that may go unnoticed for months or years to come.
SYDELL: Security researchers worry that the shutdown is like putting a red blanket in front of a bull. Nations like Russia, China and Iran could see it as a signal to charge ahead. Ragan says think about the amount of information on government websites that's personal and even classified. And as the shutdown drags on, the likelihood of security lapses increases, says Vikram Thakur, a technical director at the security firm Symantec.
VIKRAM THAKUR: That risk is most definitely going to go up exponentially.
SYDELL: Ironically, Thakur says fewer personnel lowers at least one kind of security risk. One of the most popular hacking schemes is email phishing. That's when hackers send an email to an employee with a link that unleashes malware into the system.
THAKUR: If nobody's opening email and nobody's using the work network, the chances of the success rate for attackers who are using email as their primary mode of attack kind of falls all the way through.
SYDELL: NPR reached out to the cyber division at the Department of Homeland Security for comment but didn't hear back. Democratic aides in the House say they, too, are unable to get information right now about which IT workers are on the job. However, when the shutdown ends, they want to see details. In the event of a future shutdown, Democrats might move to keep IT workers on the job in the name of cybersecurity. Laura Sydell, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.