The defense industrial base vulnerability disclosure program pilot didn’t just validate the belief that contractors faced the same cyber threats as the Defense Department.
It drove home the fact that DoD needs to do more to help companies better protect their networks, systems and data.
Melissa Vice, the director of the Department of Defense’s Vulnerability Disclosure Program, said the goal of the 12-month voluntary pilot with about 41 companies was to identify whether contractors must address the same types of vulnerabilities and attack vectors as the DoD does.
“We found that yes, it’s very much the same,” Vice said on Ask the CIO. “The biggest bucket that we always run into is CWE200, which is a broad range of basically common weakness. It could come through as a lot of different things, but it just means that somebody on the outside is getting in and they are getting valuable information, whether that’s personally identifiable information (PII) or personal health information (PHI). They’re able to get that and extract it. We want to make sure that we’re tightening all of those access points.”
The other thing the pilot highlighted was that while some of the largest DIB members can defend themselves against cyber attacks, there also are a lot of small firms that need help.
Vice said the pilot helped DoD better understand what they need to do to close those gaps and focus on all of the industrial base.
DoD is trying to figure out how to expand program beyond the pilot. Vice said with 300,000 companies in the DIB that becomes a tough question to answer.
“We’re looking at how do we put together that scalability factor? How do we make it not so labor intensive? Those are the things that we’re working on right now to do some more automation, maybe some artificial intelligence, things of that nature, to bring about that change so that we can expand out that program to a much larger base,” she said.
Vice didn’t say when a decision would be made to kick off a second DIB-VDP pilot or effort.
DoD to combine cyber efforts
Ilona Cohen, the chief legal and policy officer at HackerOne, said the success of the DIB-VDP pilot shows that this approach is ripe for expansion to all federal contractors.
“There are sure there are some very, very small contractors who might need some additional support. But there are also a number of contractors who could easily adopt vulnerability disclosure programs for their own systems and try to make sure that they help to improve the cybersecurity ecosystem, not just their own systems,” she said. “The number one [vulnerabilities by bounty paid] for this year is cross-site scripting. Then there’s improper access control, improper authentication and privilege escalation, so you can see exactly what the number one issues are for our customers.”
Outside of the DIB-VDP pilot, Vice said the bug bounty and Defense VDP initiatives over the last seven years has shown the continued challenges of shoring up DoD’s public facing networks.
“One of the areas that we really have to look at is, I think the number is somewhere around 30,000 patches that come out each calendar year, and organizations just do not have enough time or personnel to be able to employ all those patches. Part of what a VDP does is it helps to identify areas within the landscape that are being reported on,” she said. “One of the areas that we’ve seen is that organizations tend to like to go for only the critical and the high patches, but we see a trend where they’re daisy chaining the low level findings by putting three or four or five of those together, you could get to a critical and high. So there’s a gaming of the system that I think you need that continuous view of a vulnerability disclosure program to really see what’s going on in the landscape, not just the big hot buttons that come about each time. You really want to look across as like a single pane of glass and see where those vulnerabilities are hiding.”
This challenge is why DoD also is looking at using a combination of traditional VDPs with bug bounties, which are coordinated vulnerability disclosure (CVD) programs.
Cheaper for DoD to pay ethical hackers
Vice said CVDs give participants a broader scope across all the networks.
“The coordinated vulnerability disclosure is something that was coined by the Office of Management and Budget in a September 2020 memo. It is a marrying of the traditional vulnerability disclosure programs where you’re always looking out at these vulnerabilities and we like to say that we’re keeping that left of boom. So we’re not looking at anything that has already occurred, we’re really going after the remediation of those vulnerabilities before an adversary has gotten their hands on it,” she said. “You marry that up with a more targeted time to based bug bounty program. Those programs are short duration, monetized events, whereas the VDP is non-monetary, we pay reputation points to the crowdsource ethical hackers for submitting those reports.”
Cohen said the use of CVD programs are quickly spreading across all technology types and sectors.
“The government is not just calling for this for their own house, they’re saying all technologies, all sectors, should adopt coordinated vulnerability disclosure programs, and that was reinforced in the White House cyber implementation plan, as well,” she said. “We’re excited to see that because the Defense Department has been seeing widespread success with these programs for years, and we’re looking forward to the rest of the government and the private sector achieving that same success.”
Cohen said it’s clear bug bounty and VDP programs are valuable to all organizations. She said for the private sector, the average cost of a bounty is about $1,000, while the average cost of a breach is somewhere between $4 million and $5 million. She added that figure doesn’t include reputational cost to the organization.
“Now that the Securities and Exchange Commission is requiring public companies to report cyber incidents within four days, perhaps the cost might even go up further. So I’d say it’s money well spent?” Cohen said.