Study Finds Minimal Cyber Impact From Fed Shutdown

.gov website cybersecurity government

A new report from cybersecurity firm Security Scorecard released this week found that the partial Federal government shutdown had minimal negative effects on Federal network security, and even found some positive impacts on patching and endpoint security.

But the study also reckoned that a more prolonged government shutdown would be likely to produce more serious impacts on network security.

The study, which collected data “externally, non-intrusively, and without prior authorization,” found that there was a small dip in network security scores at Federal agencies, from a high of 92.2 percent in September to a low of 90.7 percent during the shutdown. The decline was mainly attributed to a rise in expired SSL certificates.

However, the decline “does not appear to be any better or worse than when the U.S. government is operating as usual,” according to Security Scorecard.

“When the network security score shift is put into context with historical remediation timelines, it seems that the duration of the shutdown was not long enough from the standpoint of average timeframes for enterprise vulnerability management to have made much of a negative impact,” the report notes.

On the positive side, the shutdown may have actually aided patching efforts. Security Scorecard found that the Federal government’s patching cadence score increased from 85.99 percent in September to 87.37 percent during the shutdown.

“It is possible that there was more ability to implement overdue patching during the shutdown, as the traffic being passed through all the systems was significantly reduced, and by extension the overhead for on-shift system administrators becomes reduced as well,” the report noted.

On endpoint security, the Federal government saw a major improvement, from 81.37 percent in September to 91.07 during the shutdown. However, the study noted that with fewer users at work, it made sense that endpoints would be at less risk.

“An attacker cannot successfully spear phish a target if the target isn’t checking their email or turning on their laptop,” they noted.

However, Security Scorecard put the results in context, noting that while the 35-day shutdown “is not a long period of time from the standpoint of enterprise cybersecurity vulnerability management lifecycles,” the impending threat of another shutdown could cause more serious issues.

“A shutdown of 60, 90, or 120 days would likely have much more measurable impact on the overall scoring of U.S. federal government networks,” the report notes.

Recent