Defense Department cybersecurity unit crosses extraordinary milestone

The Defense Department's Cyber Crime Center reached a remarkable milestone late last month. Its Vulnerability Disclosure Program processed report number 50,000.

The Defense Department’s Cyber Crime Center (DC3) reached a remarkable milestone late last month. Its Vulnerability Disclosure Program processed report number 50,000. For more about the program and what it means, the Federal Drive with Tom Temin talked with the Director of the Vulnerability Disclosure Program, Melissa Vice.

Interview Transcript:  

Tom Temin Just quickly review, DC3 what it does in the cyber world, which is a sprawling world. And then we’ll get into the vulnerability reporting program.

Melissa Vice Absolutely. The Department of Defense Cyber Crime Center, or DC3, has the lead on law enforcement, counterintelligence, training and cyber security across the U.S. government.

Tom Temin So that means, then, that you have to find out what it is people have to battle through vulnerability assessments.

Melissa Vice Absolutely.

Tom Temin All right. Well, tell us more about the Vulnerability Disclosure Program. Where did the disclosures come from? And then we’ll talk about that 50,000 mark and what some of the trends are you’ve been seeing. But let’s begin with how they originate.

Melissa Vice For the Vulnerability Disclosure Program. We have a really unique history. We came out of the Hack the Pentagon bug bounty event back in 2016. So we are in our seventh year of operation. And that is what makes it so fascinating that we are at 50,000 reports already. We are the sole focal point for all of the vulnerability reporting that comes in for Joint Force Headquarters, DODIN and U.S. Cyber Command. So how those come in is we have a third party front end, and that would be hosted by a hacker one. We receive our vulnerability reports from crowdsource ethical researchers all over the globe. And then it is ingested into our Vulnerability Report Management Network that we lovingly call VRMN. From there, it goes up to the high side and becomes government information. That system is a cradle to grave tracking process that takes those reports, our internal researchers then triage, validate those reports and toss them over to the fence to Joint Force Headquarters, DODIN, who own the tasking orders to find those system owners and give them the tasks to remediate those. Now they’ll be remediated in a timely manner based on the severity level of that report as it is ingested. The, time frames might be as low as seven days or less, depending on the criticality of those reports.

Tom Temin And the remediation takes the form of patches. In other words, is there a closed loop between the discovery of the vulnerability and contacting the vendor and say, look what we found.

Melissa Vice Yes, absolutely. It may not be just a software situation, which we call a CVE or a common vulnerability that it gets enumerated. What we find a lot of the times our CWEs, common weakness enumerations. And so basically what that means is a lot of times they’re very distinct issues, based on the system it’s on. The other applications around it, the life cycle of the overall environment. So it’s a little different from just having a CVE and saying, ok, go get this patch. It is more in the hands of the system owners to be able to work through that. Now, our VRMN system does give them a very rich report that we have a lot of information that helps them understand how they need to remediate it, but the very most important part is once they feel they have done the fix action, they will send it back through VRMN and ask for it to be closed. Then our internal team, once again, will revalidate those findings. We do not close out any report until they’re 100% remediated. So that does mean sometimes it’s rinse, repeat and let’s try that again. We’re still seeing an issue here, but I can tell you in the four and a half years that I’ve been with DC3, we’ve come down from about 30 some percent when I first arrived, 34%, down to under about 10% pretty much month over month. So these system owners are getting a lot more skilled at correcting the errors that are being found.

Tom Temin Yeah. So you hope that items enter into VRMN as rats, but come out as nice soft bunnies, you might say?

Melissa Vice Absolutely.

Tom Temin We’re speaking with Melissa Vice. She is director of the Vulnerability Disclosure Program at the Cyber Crime Center at the Defense Department. And just had a follow up question on the common weakness enumeration. That means that vulnerabilities can arise not from necessarily specific application bug, but in configuration interaction with other system elements. So that might be a weakness here, but not be an issue with the same software on another system.

Melissa Vice Absolutely. Yeah, it can be the way that it was installed. A lot of times, softwares or even hardware configurations, they’ll come with some defaults. They may have like a default password in the background, or they just have a default setting. I’m admin. Those are things that sometimes the system owners and the users may not recognize that they need to change or alter, and that might create this gap or the weakness within the system. So oftentimes we will find that unauthorized accesses are what we will see in the system. And so we really need to tighten that down, lock that down and explain what the what the weakness is.

Tom Temin And 50,000 reports who have processed as of last month actually. So it’s 50,000 plus a few by now. What can we take as meaning from that number?

Melissa Vice I will tell you that over half of those were what we term as actionable. So we did find live problems with those, and those are remediated. The others, you might say, well what happens with the rest of those? Well, sometimes they’re duplicative of the reports that we already receive. Again, we give our crowdsource ethical hackers. We give them reputation points for submitting these reports. So they’re doing a see something, say something. They are hacking for good on our system. This is not to be confused with a bug bounty event that is oftentimes a short term monitorized feature where you’re paying out money to find these. This is an enduring program, like I said, has been going on for seven years. We often in the beginning thought we were going to work ourselves out of a job. We clean up everything. But I think we see in the world today that there’s always something new to find. There’s always more weaknesses to discover.

Tom Temin Software is like highways. The litter is always there, no matter how much you clean it up. The next day, there’s more in the same spot, I guess. And I was curious about your interaction or information sharing with CISA, the Cybersecurity and Infrastructure Security Agency, which has become kind of the locus for the civilian side of government in finding and promulgating what’s going on, with respect to weaknesses in software.

Melissa Vice Yes. We have very different lanes in the road from from CISA. But of course, we certainly coordinate any time that we can. But, basically because we are focused, our program is specifically focused on Joint Force Headquarters DODIN and U.S. Cyber Command. We are firmly in the DoD lane, less in the public sector.

Tom Temin But if you saw something, say, in teams that say horrible weakness that could compromise the whole DoD, you’d probably tell CISA, since teams is used everywhere.

Melissa Vice Absolutely. We do have connections with CISA. We are actually in the process of putting in an LNO, a liaison officer within their office, again, to make sure that we are sharing information equally and not being duplicative of our efforts.

Tom Temin And let me ask you about the issue of data analysis and having a body of 50,000 reports, and these are multi element reports. You’ve got a lot of data. Everybody’s talking about trying to do predictive analysis now with artificial intelligence. Is that something you’re contemplating now that you’ve got 50,000, there might be some learnings in there or prediction.

Melissa Vice Well yes. That brings up a really good point. We are getting to the point of having a very robust data set. Now, one of the challenges I think that we face is that these are so specific in being particular vulnerabilities for particular setups. So it’s a little less minority report if you will, where I can look across the platform and say, oh, I know what’s going to happen next. That’s usually what they want, is a little more of a predictive model, but it does give us, trending analysis. And every year in our annual report, which you can go and look at dc3.mil, you can see our annual reports, we do trending analysis, as well as congratulating our researchers of the year. So part of our program is really to help those researchers get their recognition that they deserve. And that’s the disclosure portion of our process. Once that report has been completely remediated 100%, we will then allow the researchers they can request a redacted version of their report so that they can go to Blackhat, Defcon, put it on their Twitter page, whatever they want to do. To help their reputation because again, the more eyes that we have looking at these publicly accessible DoD information systems and networks, the safer we all are.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Stacy Bostjanick and Jennifer Henderson

    Risk and Compliance Exchange 2024: DoD’ Stacy Bostjanick, DCMA’s Jennifer Henderson on finding ‘any means possible’ to help small biz with CMMC

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    How should software producers be held accountable for shoddy cybersecurity products?

    Read more