After ‘WannaCry,’ a renewed focus on patching

It may not be the long-dreaded “cyber Pearl Harbor,” but the recent worldwide ransomware attack on healthcare, telecom and other entities is sharpening cybersecurity policymakers’ focus on the related issues of software vulnerability disclosure and ensuring that holes in systems are patched.

Applying patches seems a no-brainer, but it is still not happening to such a degree that 300,000 computers in more than 150 countries can be locked up and their owners blackmailed in one fell swoop.

Senate Intelligence Ranking Member Mark Warner, D-Va., said the “WannaCry” attack raised key questions about how to ensure available patches are used to address vulnerabilities, in both government and private-sector computer systems.

“You know, this to my mind raises questions about … have all of the federal government and for that matter, the state and local government put in place the patch that Microsoft provided?” Warner told reporters last week, referring to security tools that Microsoft circulated to fix a vulnerability in an operating system. Microsoft took that step two months before “WannaCry,” but the tools may have gone unused in some cases.

“Has the Department of Homeland Security reached out to critical infrastructure across the country — private sector and critical infrastructure to see if they’ve installed the patch?” Warner asked. “This again shows the vulnerability of many of our systems.”

With billions of interconnected devices making up what’s known as an “Internet of Things,” policymakers have begun grappling with how to ensure security upgrades are installed as bad cyber actors seize control of systems for various reasons and take aim at everything from your mobile device to your refrigerator. Such upgrades typically haven’t been a major concern either for manufacturers or consumers.

“The big issue here is the lack of enterprise policies requiring updates and patches,” said Kiersten Todt, who last year served as executive director of former President Barack Obama’s commission on enhancing cybersecurity. “Again, as we have seen before, this ransomware attack is not a ‘sophisticated’ attack that required engineering genius. It was the result of very simple exploitation of an outdated system, for which a patch had been issued two months ago.”

She noted that the cyber commission “addressed this issue by recommending risk management policies that address the need to have regular checks on updates and patches for all systems an enterprise is running.”

The Commerce Department has also been leading a public-private effort to help vendors of tech products and cyber researchers collaborate on exchanging information about vulnerabilities identified in software.

“Stakeholders in the [National Telecommunications and Information Administration] multistakeholder process have been working on issues around coordinated vulnerability disclosure,” according to a spokesperson for NTIA, a Commerce Department agency. “Participants have focused exclusively on the private sector, working to find common ground and make it easier to share vital security information. … Vulnerabilities are a reality of the digital ecosystem, but the more collaboration and communication we can encourage between security researchers, developers, and operators, the better chance we have of staying ahead of illegal exploitation of those vulnerabilities.”

That process is aimed at the private sector, and there is not, as of yet, a corresponding effort to ensure the government provides timely information about vulnerabilities to private companies.

To address that, Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., and Sen. Brian Schatz, D-Hawaii, last week introduced the “Protecting Our Ability to Counter Hacking Act,” which would create an interagency board led by the Department of Homeland Security to set policies on when and how to release such information to the private sector.

Johnson said in a statement: “It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process.”

Vulnerability disclosure is a part of the cyber policy equation that hasn’t gotten the kind of high-level, focused attention that may be needed. For instance, patching and vulnerability disclosure weren’t addressed in President Trump’s recent executive order.

But the most recent attack may change the equation for policymakers and create the impetus for addressing what seems to be a fixable challenge in the cybersecurity puzzle.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.