Two DoD agencies team up to collect software vulnerabilities

The Vulnerability Disclosure Program started in April under the DoD Cyber Crime Center, DC3, working with the Defense Counterintelligence and Security Agency.

Defense contractors now have a place to voluntarily report cybersecurity flaws. The Vulnerability Disclosure Program started last month under the Department of Defense Cyber Crime Center, the DC3, working with the Defense Counterintelligence and Security Agency. For details, the Federal Drive with Tom Temin turned to the program director, Melissa Vice.

Interview Transcript: 

Tom Temin Now this is a vulnerability reporting program and not an incident reporting program. That’s probably a big difference, isn’t it?

Melissa Vice That is a very distinct difference. Yes. Adversaries are keenly aware of the defense industrial base's, or what we call the DIB's, strategic value to US national security. So private sector companies are often at risk from malicious cyber activities conducted by nation-state and even non-state actors.

Tom Temin This vulnerability disclosure program, it's a joint venture. Tell us how the partnership was set up between the two. Even though you're both under the DoD umbrella, you know, that's not so easy to get together all the time.

Melissa Vice Exactly. Now, it was really a natural fit for the DoD Cyber Crime Center and the Defense Counterintelligence and Security Agency, or DCSA, to come together on this, because we are two of the entities that serve the defense industrial base. And really what happened was we wanted to find a way to protect and secure the cyber hygiene of the defense industrial base. So, a year ago, we launched a one-year pilot to see if we could take what we had been doing in the enduring DoD VDP and bring that to the defense industrial base. And that pilot was so successful that, luckily, it did get the attention of some folks at the Pentagon and throughout the federal government. And so, we are very pleased to announce that it's becoming a program. And so, we're voluntarily accepting participants from the defense industrial base to join and take advantage of this free opportunity.

Tom Temin And just for people tuning in that might not have heard our earlier interviews. Recently, you had reported 50,000 vulnerabilities under another program. So, this is a new venture for DC3.

Melissa Vice Absolutely, yes. Our enduring program, which, you know, your listeners have heard me talk about, probably for the last four and a half years. So, we're really proud that we have surpassed 50,000 reports in seven years. And so, it really was a chance to take a look and see if we could port that magic over to the defense industrial base. And we're really looking to be able to thwart those cyber adversaries, decrease the attack surface by using the same tried and true processes that we do for the DoD, for the defense industrial base. But I will point out that we did create a completely separate system, for anyone thinking that those eight dangerous words, "I'm from the government. I'm here to help," might come out. But this is a completely separate system that is focused solely on the defense industrial base. It is completely anonymized, but we're using those same processes that we do for the DoD.

Tom Temin And how are you getting the word out to the defense industrial base? That’s a big base of companies.

Melissa Vice It is a big base and ever growing. After the recent 32 CFR 236 initiative that was expanded, it is definitely a growing set. So, what we do is, certainly, we have a lot of communication with the defense industrial base within our own programs that go to service the DoD CIO's cyber security program. So, members of that program certainly are hearing about this, and through our partnership with DCSA, they are sending it out to any of their companies. But we're really making some public announcements. So, if your organization does produce work for the DoD and you feel that you are defined under the defense industrial base definitions, then please feel free to come to our website. Take a look, and you'll find information right there.

Tom Temin We are speaking with Melissa Vice. She is the director of the Vulnerability Disclosure Program at the Department of Defense Cyber Crime Center, the DC3. And how does it work? Someone submits something. Is it shared with the whole industrial base or what happens to it once they say, hey, we found this flaw, then what?

Melissa Vice Okay, so, basically what will happen is we are taking in assets from the defense industrial base company, and they do need to be publicly accessible assets. And we can help you define what that means when you contact us. But basically, what will happen is those assets go out, and they will be publicized to a crowdsourced ethical researcher community. That community then looks at the assets; they will probe and test and see where they can find those vulnerabilities, just like the adversary does. They will then submit a report if they find something that they think is a vulnerability, and our internal staff will then take that, triage the report, and validate it to make sure it is truly a vulnerability, against STIG violations and other things that we do for the DoD. And, if so, we contact the system owner, and they have this cradle-to-grave tracking system that they can work in and communicate with us, you know, basically anonymously. So, again, we can help them with the remediation. We also, once they have done a fix action, will come back and retest and revalidate that vulnerability. So, we don't close out reports until they're 100% taken care of.

Tom Temin Right. So, because there are breach reporting programs on the way from CISA and also from the DoD, this might be a way of helping people stay out of that matrix by fixing vulnerabilities before they can be exploited.

Melissa Vice Absolutely. And that's really what we're trying to do. Stay left of boom. You know, we are, as you pointed out, a vulnerability disclosure program, not an incident reporting program. So again, this is helping those organizations take care of the problems in a timely manner based on the severity level of the finding. So that's really the goal of this program.

Tom Temin And as the reports accumulate, do you expect to do some kind of analytics on them to see what patterns might be out there?

Melissa Vice Well, that often happens. Sometimes there are things that show up. And so that can help to inform the DoD cybersecurity programs. And again, totally anonymized and aggregated data. But that does help with any type of tippers or other notifications that can help a larger set, who may not be in the program, to also go out and look for those same vulnerabilities.

Tom Temin And since you stood up the program now, it’s just been barely a month. Have any reports come in?

Melissa Vice Well, so far we were just doing the onboarding phase. So, we'll be onboarding probably for the next month. So, it takes a bit of time to go through folks' assets, and we will be doing rolling onboarding. So, it's not just a one-time, "you missed it, oh my gosh, I can't get in." Just keep those interest forms coming in, and we are working through getting folks onboarded and put into the system. Once that's completed, then yes, we will turn the key. Boom. Once we get enough assets into the system, we'll open it up for our researchers, and they will be on it like sharks.

Tom Temin All right, well, we’ll have you back when you reach 50,000 of this. I’m not sure that’ll be good news or bad news, but it’ll be interesting.

Copyright © 2024 Federal News Network. All rights reserved.
