When the Cybersecurity and Infrastructure Security Agency released its third emergency cyber directive in the last five months, agencies were once again on notice to fix yet another critical vulnerability.
Last week’s directive detailed a potential major problem with the virtual private network software from Pulse Secure. CISA gave agencies until April 23 to identify all instances of the software and run the Pulse Connect Secure Integrity Tool. Before this latest directive, CISA told agencies to patch Microsoft Exchange servers in March and issued another directive for the SolarWinds compromise in December.
This type of fire drill is becoming far too common for agencies, and really every business, as the cyber threats seem to be ramping up, particularly against companies with global install bases.
“In thinking like an attacker, they go after Microsoft Windows because everyone has Windows. Now they are saying, who else has the biggest market share of infrastructure or products and let’s go after them,” said John Pescatore, a director at SANS. “With one exploit, they can get into 70% of the networks. That is a big target. ServiceNow is another one that we have been warning about.”
The large install base combined with the greater reliance on technology, specifically software, means agencies aren’t necessarily facing more cyber attacks, but the potential for serious harm is much greater. This is especially true as agencies rely on connected devices and internet of things sensors or control systems that connect to the network or the public internet.
Pescatore and other cyber experts agreed that the current cyber threats are no worse today than they have been, but with the sharp increase of supply chain attacks combined with the pandemic forcing employees to work from home, CISA and agency chief information security officers seem to be constantly on high alert.
“Vulnerabilities have been and will continue to be a long-standing problem. There aren’t more vulnerabilities than before, but there is more software and as our dependence on it grows those vulnerabilities are more widespread. SolarWinds is a perfect example where a single vulnerability created a massive exposure,” said John Banghart, the senior director of technology risk management at Venable and the former National Security Council director for federal cybersecurity during the administration of President Barack Obama. “We saw the same thing with the Heartbleed vulnerability in 2014. That was the first time the government, and really everyone, had to think about cybersecurity attacks at this kind of scale. We knew there was a vulnerability, but we didn’t know who was or wasn’t vulnerable.”
Banghart said CISA is in better shape today than in 2014 with the authority to scan civilian agency networks and issue directives. At the same time, however, the agency’s insight into civilian agency networks remains limited.
“DHS is more effective in recognizing and sharing what the vulnerabilities are and how to fix them. But currently their only course of action right now is the ‘hair on fire’ approach where they push out this directive and rank it high because they don’t know how vulnerable agencies are, so they just have to push it out because it’s severe and everyone is in this worst-case scenario,” he said. “That is why we need a lot of effort to get to the fundamental problem of who is vulnerable and who isn’t and what the potential impact is. We need to be able to score it in a way that is more nuanced and more applicable to a specific organization. We have a lot of different scoring systems today and the problem isn’t just for the U.S. government, but a problem across the entire internet.”
Banghart said he is organizing a group of private sector companies and other experts to come up with a new standard vulnerability scoring system.
“Our goal is to help ensure that end user organizations have the ability to influence the standards on which they depend. If you look at a lot of the work on the Common Vulnerabilities and Exposures database or the Common Vulnerability Scoring System (CVSS), a lot of it is being done by academics and security tool vendors and government folks, but other critical sectors are all underrepresented. How do we ensure they are getting valuable and meaningful information?” he said. “We need a better refined and more nuanced scoring system that is not just a number that says this is a 9.5 out of 10. That isn’t super helpful, but that is what we have today.”
This type of scoring system would help address other challenges these emergency directives highlight.
Frank Cilluffo, the executive director of the McCrary Institute at Auburn University, said there is some concern over alert or threat fatigue.
“The threats are dictating the pace, but from another perspective we need to be able to walk and chew gum because other shoes may have dropped that we are unaware of or could drop soon enough,” he said. “In a weird way, we are letting our adversaries define our strategy. We are shaping our strategy around them, and it should be the other way around. To do that, it’s partially a matter of greater awareness, partially more clarity around incidents because of situational awareness improvements and partially the adversary has a vote in how they are acting.”
Banghart added any new directive will interrupt a security office’s workflow and force them to make resource decisions that may have unintended consequences later on.
“A good chief information security officer is ensuring the mission of their agency is able to function. That can sometimes mean making a decision to patch something or not,” he said. “When you get back to back to back directives, on top of other vulnerabilities that don’t just come from an emergency directive, you have to decide what else doesn’t get done today or this week.”
Pescatore said the directives highlight the workforce challenge agencies, and really every organization, faces for cyber talent.
The Center for Strategic and International Studies says in 2019, CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), estimated the United States faced a shortfall of almost 314,000 cybersecurity professionals. CSIS also says according to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015.
In the public sector, the workforce challenge is even bigger. The Cyberspace Solarium Commission says more than one in three cybersecurity jobs in the public sector go unfilled.
“Private industry was hit hard to apply the same patches, but the government, in particular, is suffering from brain drain with skilled security people leaving. They have not invested in hiring or training people. They have spent a lot of money that has been budgeted for cyber buying products for initiatives under the Continuous Diagnostics and Mitigation (CDM) or EINSTEIN programs, which focused on detecting the bad guys but not focused on fixing the computers. The patching is something an IT organization does and the government has been slow to address the patching side of the problem because patching needs skilled people and agencies don’t have enough of them.”
Cilluffo said the directives are forcing agencies to improve their situational awareness. While CDM and other tools have helped over the years, the urgency of these threats gives agencies a more granular view.
“You have to understand what is the real intent behind the adversary’s attack. Is it IP theft or secrets from espionage or criminal enterprises using for ransomware? You’ve got to look at it through these lenses and then decide how to respond,” he said. “From an adversarial perspective, what is the cost and the consequences of an attack that will induce change? People have been getting away with cyber murder and I’m hoping to start to see actions and steps that are not only reacting, but proactively shaping our deterrence mechanisms.”