Several federal agencies track, and try to do something about, the cybersecurity threat. Among them, the Department of Defense Cyber Crime Center, known as DC3.
Several federal agencies track, and try to do something about, the cybersecurity threat. Among them, the Department of Defense Cyber Crime Center, known as DC3. Its’ vulnerability disclosure program started back in 2016. How many reports do you think it’s issued? 100? 6,000? Wait ’til you hear how many. The Federal Drive with Tom Temin spoke with DC3’s director of vulnerability reports, Melissa Vice.
Interview transcript:
Tom Temin How many reports have you put out since 2016?
Melissa Vice Well, we have surpassed 45,000 since 2016. From 39 over 3900, crowdsource ethical hackers. Basically, we do count it every 5,000, but this was pretty significant to us. One of the things that happened is during COVID, we saw an amazing uptick in reporting. Pre-COVID numbers averaged about 300 reports a month. The first year of COVID, we went up to about 900 a month. And in the second year of COVID, we went over 2,000 a month and averaged out at least 1500. So we wanted to count that meteoric rise over the last two years. And now is where normalizing back down to pre-COVID numbers, we just wanted to celebrate how much growth we’ve had in that short span of time.
Tom Temin All right. Well, now that we’ve admired the numbers, let’s back up a step. Tell us about the vulnerability reporting program that you direct. What vulnerabilities do you look at and how does this all get generated?
Melissa Vice Yes. So a little of our history is that we came out of the Hack the Pentagon program back in 2016, and it was a bug bounty event. What happens with bug bounties, is everybody at the end of them high fives and they get the big payouts, but then you’re left with all the vulnerabilities. And at the time, Ash Carter, the SecDef, was asking, Well, who’s going to take care of these remediation’s? And so that’s how DC3 was tapped for the Vulnerability Disclosure program. So we are codified in the 8531.01, DoDI manual, as the sole focal point for all vulnerability reporting to the Joint Force headquarters, [Department of Defense Information Network (DODIN)] and U.S. Cyber Command.
Tom Temin We also have the Cybersecurity and Infrastructure Security Agency regularly issuing vulnerability reports and patches coming out. Do you find that you are also, sometimes reporting the same things?
Melissa Vice We have very unique lanes in the road then [Cybersecurity Infrastructure Security Agency (CISA)], basically because we are focused solely on the DODIN. And a lot of what is reported to us, are common weakness enumerations or CWE. Not necessarily the CVE’s or common vulnerabilities. So it’s a very different mindset. We’re looking at the broad picture on the DODIN. And also last year, we were given a big scope expansion. In the early years, we were looking only at DoD websites. Last year we were actually looking at all publicly accessible DoD information systems and networks. So we ostensibly say that we’ve gone from 2400 units to about 24 million units overnight. So we’re looking at very exquisite things.
Tom Temin Well besides websites, what are publicly accessible DoD systems?
Melissa Vice It could be industrial control systems, mobile devices, a broad range of different things. If it touches the network, it’s available to us.
Tom Temin And we should define the term DODIN, you’re referring to DoD Information Network. That’s kind of a Pentagonish type of term for something that every agency has. We’re speaking with Melissa Vice. She is director of the Vulnerability Disclosure Program at the Defense Department’s Cyber Crime Center of the DC3. And how do the vulnerabilities get known? What’s the mechanism? Do people say, Hey, Melissa, I’ve got this?
Melissa Vice Well, what happens is we’re using crowdsourced ethical hackers out of 45 different countries all around the globe. We’re not giving them any special accesses, hence the publicly accessible portion of our scope. And what they’re doing is, sure, they might be running some scans or doing, basically, adversary emulation. They’re using the same [Tactics, Techniques, and Procedures (TTPs)] that the bad guys would be using, but they’re hacking for good. This is a see something say something program. It allows them to enter it into our front end system, which happens to be by Hacker one, which is a third party product. And then we ingest that, multiple times a day, into the our DoD network, which is on our Vulnerability Report management network, which we lovingly call VRMN. And that brings it into the federal space. As these reports are worked through the system, through the work flow, they’ll move up to the SIPR. And so that’s the Secure Internet Protocol. And those will be worked and sent through over to the system owners. The system owners will be tapped by Joint Force headquarters DODIN on that side of the fence. Once they’ve made those remediation’s, they can send it back and say, OK, we want to close our report. We will revalidate that information before we close any report.
Tom Temin And the people that are doing the ethical hacking for you, are they DoD employees? Are they contractors? Are they volunteers who also knit caps from Maine or something? Or who are they?
Melissa Vice Oh, like I said, there there 3900 entities across the globe. So, no, they are not DoD employees. And that’s the uniqueness of the program, really taking a look at that crowdsource ethical hacking. And we were the first federal VDP program to be stood up. It was pretty unique in 2016. You can imagine folks are a little incredulous. But I think we’ve proven that it’s a success story, and that’s why you do see things like the BOD 20-01, the binding operational directive 20-01 that came out from CISA asking the other federal entities to stand up, VDP’s. But we’re definitely the grandfather and the success story.
Tom Temin And as you explain, there is a mechanism for ensuring that the vulnerabilities are known to the systems owners and they get a chance to close them. So does that mean out of 45,000 reports, only a couple of hundred are still open at a given moment?
Melissa Vice Well, not every report that comes in the door is actionable, it’s how we term it. So one of the benefit that we provide for Joint Force Headquarters DODIN, is we’re skimming off and analyzing, in the validation and triage process, of what is actually something we would call a vulnerability against SRG’s, 800, the NIST 800-171 and so on. So we look at it from a DoD perspective, is this truly a vulnerability? If it’s not actionable, we will just close that out as a non- actionable report, or we might close it out as informational only. Keep in mind too, that the researchers are not being paid. They are being granted reputation points. So in this process, it’s not costing the taxpayers dollars to give out these awards like in a bug bounty. They are getting these reputation points that help them climb those leaderboards, at the hacking companies, that then they can be invited to those more lucrative projects.
Tom Temin All right. But maybe they could get a Starbucks certificate or something once in a while. A five bucker. Not in the budget.
Melissa Vice Well, what we do is we recognize them every month. We recognize the best report that has come in as our researcher of the month. And at the end of the year, when we do our annual report, we award to the researcher of the year. And we give them a pretty cool little swag package.
Tom Temin All right. Well, that sounds good, something with some camouflage on it. How do you explain the rise in numbers of reports coming in from the pandemic? Because the pandemic didn’t itself affect information systems.
Melissa Vice No, but it did affect the research community. If you take those cheated us fingered monster drink drinking researchers and hackers, and you lock them in their domicile, guess what they’re going to do? While we were all watching Netflix every day, they were scanning the network and finding those vulnerabilities.
Tom Temin But do you wonder now that the numbers are coming back to normal historically, that you’re missing thousands and thousands of vulnerabilities?
Melissa Vice I think we have to keep in mind that a lot of other vulnerability programs have also sprung up in the last two years. And we anticipated that would probably be the case after the BOD was instituted. So there’s a lot of different opportunities for the researcher community. They can be looking at private sector, they can be looking at the the DoD. So I think it’s a natural progression.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED