On November 3rd, the Biden Administration issued a sweeping directive for federal agencies to fix nearly 300 known cyber vulnerabilities that hackers can use to infiltrate and damage government computer networks. Taken together, these vulnerabilities represent a daisy chain of cyber disaster.
“A lot of these critical vulnerabilities and exploits can be connected to create a bigger effect,” says Edward Debish, former commanding officer of the Marine Corps Cyberspace Operations Group and now director of public-sector customer engagement at Tanium. “That’s why you want to close as many of these down as you can.”
Issued by the Cybersecurity and Infrastructure Security Agency (CISA), the new directive seeks to close about 200 security gaps—all well known to malicious hackers—that cybersecurity pros identified between 2017 and 2020 and an additional 90 vulnerabilities they discovered in 2021.
The directive comes six months after President Biden issued an executive order compelling agencies to share cybersecurity information and adopt new cybersecurity protocols. It caps an unprecedented year of cybercrime when organizations from utilities to telecoms have fallen prey to supply chain attacks, ransomware, and extortion.
“This is another way to maintain a drumbeat,” says Debish. “Cybersecurity is crucial. It touches every aspect of our lives. Everything we do now is based on cyber. If it’s disrupted in any way, it could cause significant problems, supply chain issues, you name it. This is the president and his team trying to do as much as they can to secure this nation’s critical infrastructure.”
The new directive establishes a CISA-managed catalog of “known exploited vulnerabilities” that carry “significant risk” and establishes requirements for agencies to fix the flaws. The catalog includes software and configurations supplied by software providers like SolarWinds, which was the subject of a high-profile attack last year, and big tech companies like Adobe, Apple, Cisco, Google, Microsoft, and Oracle. It includes all software and hardware on federal information systems, including those hosted by third parties—such as federal contractors.
The new directive and the Biden administration’s May executive order reflect the priority the government is giving to digital security. Debish says that 95% of the new directive is about patching existing software vulnerabilities, but he says it’s “absolutely critical” for agencies to be cognizant of other attack vectors, including third-party assaults.
“There’s an expectation that vendors are trusted and that what you are getting from a vendor site is a trusted capability and you can quickly implement it,” says Debish.
He also says agencies need to securely manage outdated or legacy systems. Such systems may not be compatible with modern cyber hygiene techniques like asset discovery and continuous monitoring, which enable organizations to have visibility across their networks. Otherwise they can be sitting ducks for hackers. Where these systems can’t be removed or easily shut down, Debish says entry points to these networks need to be monitored to keep hackers out.
This is the president and his team trying to do as much as they can to secure this nation’s critical infrastructure.In addition, Debish says, agencies should apply strong cyber hygiene strategies. That means managing administrator privileges, examining network configurations, and using zero-trust protocols. Above all, he says, agencies should be employing tools that can fully monitor network vulnerabilities and proactively hunt down potential intruders before they strike.
“You need real-time visibility and control of your network,” says Debish. “The adversary is actively engaged to access government networks and infrastructure.”
The Department of Homeland Security, CISA’s parent agency, has previously imposed cybersecurity mandates on government agencies, often in the form of emergency requirements to make an immediate fix to a critical software problem. But this new directive is notable for the sheer scope of flaws it seeks to address.
It will require flaws identified this year to be fixed within two weeks. Agencies will have up to six months to address security holes found in previous years. The directive applies to all executive branch departments and agencies except for the Defense Department, the Central Intelligence Agency, and the Office of the Director of National Intelligence. Cybersecurity for civilian agencies is usually managed separately from military and national security bodies.
“With a directive like this, as it’s coming from the president, you can rest assured a lot of people are going to put a lot of energy toward fixing the problem,” Debish says.