The Cybersecurity and Infrastructure Security Agency since its inception has taken a collaborative approach as part of its mission to lead civilian cybersecurity efforts from within the Department of Homeland Security.
As part of that approach, CISA will open up its upcoming binding operational directive (BOD) on vulnerability disclosure policy for comment in the coming months, giving agency and industry partners an opportunity to compare notes on the best way to securely share threat information.
The updated vulnerability disclosure policy will help formalize the process for researchers and ethical hackers, enlisted through agency bug-bounty programs, to give agencies a heads-up about previously unknown cyber weaknesses without alerting malicious actors.
The upcoming directive, as well as upcoming vulnerability disclosure guidance from the Office of Management and Budget, is part of what Jeanette Manfra, CISA’s assistant director for cybersecurity, called an agency-wide priority to make fiscal 2020 the “year of vulnerability management,” with a particular focus on federal agencies.
In drafting the directive, Manfra said CISA has reached out to other agencies and private-sector companies that already have vulnerability disclosure policies in place to hear some of the lessons they’ve learned.
“We’ve never done this before, but we have found that in all of our directive development, we’ve found a lot of value from experts outside of the government, in providing feedback on what to focus on, how to focus on it, and we want to really capture that,” Manfra said Thursday at the Cybersecurity Coalition’s CyberNext D.C. conference.
CISA Director Chris Krebs said that when Congress created the agency out of the National Protection and Programs Directorate (NPPD), lawmakers saw the need for a governmentwide cyber coordinator. But that role, he added, still requires collaboration with agency partners and responding to “demand signals” from industry.
“It’s got to be based on a need, not what we think is needed … What are the policy questions that need to be answered that we engage on and not supplant the marketplace, not drive a private-sector organization out of business or ruin their business model,” Krebs said. “How can we be additive based on distinct, unique capabilities within the federal government?”
The Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Act, which President Donald Trump signed into law last year, requires DHS to establish a security vulnerability disclosure policy and set up a bug bounty program for the agency.
A similar bill introduced by Sen. Cory Gardner (R-Colo.) this year would set up a bug bounty program at the State Department.
Setting a consistent vulnerability disclosure policy may help future bug bounty efforts get off the ground, but Manfra said agencies need more than just insight into the problem.
“One thing we have learned is that it’s very important that people have the resources to do whatever it is that is discovered. And we’re pretty sure that some of these things that will be discovered will not be easy to fix,” she said.
Citing active threats to disrupt or hijack federal agencies’ web traffic, Manfra said CISA has considered centralizing the management of websites with the “.gov” domain and adding new security features.
“The way the federal government manages domains is a bit complicated — probably overly so,” Manfra said. “We think we can reduce some resource investments that agencies have to make individually.”
To get the bigger picture on cyber threats, CISA is piloting an algorithm called AWARE that Manfra said would give agencies a “relative score” of their cyber risk exposure, and “a sense of, in an easy-to-look-at way, how am I doing from a risk exposure perspective, and what could I do to reduce that risk exposure?”
CISA to partner with National Guard Bureau
But beyond CISA’s governmentwide cyber coordination role, agency officials are also looking at ways to solidify its partnerships with industry and other agencies.
Building off of the National Risk Management Center’s efforts on supply chain security, Manfra said CISA is looking at ways to have more of a “scalable impact.”
“There’s multiple sectors in our country that have hundreds of thousands of entities. I can’t get to every single one of those entities, but if I work the vendor of the [industrial control] system that they use, and I have a relationship with them … then you can start to have a nationwide, and in many cases, a global impact,” she said.
CISA will also partner with the National Guard Bureau and train six National Guard teams next January on what Krebs described as ways to develop a “unified, effective response” between both agencies, as well as other partners like Cyber Command and the National Security Agency.
“When you think about physical disaster response, there’s a very clear plan under the National Response Framework. There’s emergency support functions, there’s well-built doctrine for incident response. There is not an analog for cybersecurity response,” Krebs said. “There is a National Cyber Incident Response plan, but once we get down below that, it’s still a bit murky in terms of what a state CIO would expect or get from my team, from the Secret Service, from the National Guard.”