For US cyber defense, helpful hackers are only half the battle

With so much attention focused on the SolarWinds attack, and now the Microsoft Exchange attacks, an important government cyber security initiative is progressing without the appropriate resources it needs to ensure it does not do more harm to our nation’s security than good. This new requirement from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency mandated all civilian agencies to launch a vulnerability disclosure program by March 1.

In plain English, this requirement means the agencies are asking the public to help find vulnerabilities in government internet-connected systems and applications. It is the digital equivalent of when you see something, say something.

As the co-author of two ISO standards on this topic (ISO/IEC 29147 Vulnerability disclosure and ISO/IEC 30111 Vulnerability handling processes), it is amazing to see some of my life’s work becoming a norm throughout the U.S. and other governments. I’ve looked at vulnerabilities from all sides now, first as a security researcher reporting vulnerabilities, and then later creating the vulnerability disclosure policies at Symantec, Microsoft, the U.S. Department of Defense and the U.K. government. With that said, I have lingering concerns about how well prepared the agencies are to meet the ongoing Binding Operational Directive requirements, given my experience on what it takes to create vulnerability disclosure programs and bug bounties.

Since the SolarWinds and Microsoft Exchange investigations have the federal government scrambling to deal with its aftermath, it is unclear what steps, if any, federal agencies have taken to systematically assess their ability to carry out their cyber investigation and response duties on multiple fronts at once.

One of my concerns is that any agency that includes too many targets in scope at once at the start of this program may find that they have opened the floodgates to new reported vulnerabilities without having mature processes in place to fix them. This flood of vulnerabilities may not happen immediately but may accumulate a backlog of unfixed issues over time. That could easily sow greater confusion, distract key internal cyber incident first responders and create patching backlogs that could be exploited by the very adversaries that launched SolarWinds and the Microsoft Exchange attacks.

Even if the agency does not experience an initial surge of reports, the hard truth is that most federal agencies do not have the staff, the training, the time, or the resources to deal with an unpredictable volume of newly reported vulnerabilities, especially during and immediately after incidents like the SolarWinds and Microsoft Exchange attacks.

Without planning for this increase in internal operational workload and training in new internal vulnerability handling processes, the cyber security ‘first responders’ in these government agencies almost certainly will not be able to fill the gaps in their people, processes and technology to properly manage all of the vulnerabilities.

While outsourced ticketing and triage platforms may seem like a convenient and easy remedy for the resource shortages, none of these services have the knowledge or expertise to build out an internal remediation process for vulnerabilities. There needs to be in-house personnel and expertise for government agencies to actually fix the bugs.

Measuring the current vulnerability management process maturity is a key performance indicator that can be used to determine the gaps in resources for vulnerability disclosure programs, while not losing momentum for this important directive. These mission-critical gaps will need to be addressed as they are identified in order to run these programs successfully across the entire federal government, which must include filling the critical shortage of trained cyber personnel.

Here’s what the Biden administration should do and what Congress should ultimately support with necessary appropriations:

1)     Begin gathering key performance data to inform a maturity assessment and gap analysis to identify gaps in people, processes and technology. Existing data for vulnerability management can be used immediately to predict vulnerability disclosure program success and highlight resource gaps now;

2)     Congress should provide the appropriate budget resources, directly informed by the maturity gap reports, to bolster U.S. cyber defenses and improve our readiness for future attacks; and

3)     Build a long-term, comprehensive plan to train, attract and retain high-skilled cyber professionals into the federal workforce.

Moving forward with these actions will provide timely planning and support to modernize our investments in cyber infrastructure, strategy and cyber workforce. Vulnerability disclosure done well and integrated with a properly functioning internal investigation team is the ultimate early warning system, ideally preventing many attack vectors. 

Instead of simply opening the floodgates and seeing what happens at the end of the 18-month reporting period, we can proactively use this important initiative to measure and improve our overall cyber readiness, workforce and security starting now.

Katie Moussouris is the founder and CEO of Luta Security. As a computer hacker with more than 20 years of professional cybersecurity experience, Moussouris has experience in security research, vulnerability disclosure and bug bounties. Moussouris also serves as an advisor for several governments and large organizations. Working with the U.S. Department of Defense, Moussouris led the launch of the U.S. government’s first bug bounty program, “Hack the Pentagon.”