New cybersecurity directive mandates fixes for federal agencies
On November 3, 2021, the Biden administration produced the federal government’s latest directive on cybersecurity. With this directive, civilian federal agencies have a mandate to fix software and hardware vulnerabilities to improve defenses against cyberattacks. Titled BOD 22-01, the directive comes from the Cybersecurity and Infrastructure Security Agency (CISA) and covers more than 200 known threats uncovered in the past four years. It also includes nearly 100 security flaws found in 2021 that require immediate attention. The directive provided agencies two weeks to fix the most recent and pressing flaws, and six months to patch and monitor the older threats. It’s meant to protect agencies from cybersecurity breaches, such as the widespread attacks uncovered in March 2021 where Chinese hackers used Microsoft Exchange Server flaws to access the emails of more than 30,000 organizations.
CISA director Jen Easterly notes, “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
The directive does not apply to the Department of Defense or the various intelligence agencies. And it does not mandate the actions of the private industry unless they voluntarily decide to implement the practices. The directive marks a strategic change by the federal government to proactively address cybersecurity risks, modernize agencies, and develop more synchronized responses.
Coordinating Federal Efforts
Federal agencies often manage their functions internally, with limited coordination with other agencies. This includes cybersecurity efforts, which leads to uncoordinated responses, limited information sharing about threats and tactics, and reduced effectiveness. The directive forces agency leaders’ hands by pushing them to fix all threats under aggressive timelines. It marks a concerted effort by the Biden administration to address cybersecurity at federal agencies. These efforts include a May 2021 executive order with multiple initiatives. These include reducing information-sharing barriers between the government and private sector, establishing multi-factor authentication to shore up password security, and creating a Cybersecurity Safety Review Board to investigate incidents and help create more standardized and coordinated responses.
The Downside Risks of Digitization
Software is now digital. It follows the broader digitization of services, applications, and communication. With this digitization comes vulnerabilities and exploits because humans still create software. Developers do make mistakes. Unintended consequences from various development and engineering choices that might create an opening. And the sophistication of hacking groups and the technology at their disposal lowers the chances the vulnerabilities will escape notice. That’s where directives and other guidance from the federal government must push agencies to adopt best practices and stay current on flaw remediation.
Increased Focus on Operational Technology (OT)
The mix of increasing digitization and vulnerabilities is especially impactful within OT. There are multiple benefits of digitization of these critical infrastructure environments. And there’s a significant push for embracing this digitization, to share data, realize process efficiencies and gain visualization and awareness about what’s happening with the organization. Because there are vulnerabilities inherent in software and agencies connect more “things” through IoT, there’s more data flow and connections, which then correlates to attacks. As the United States is one of the countries at the forefront of digital innovation bodes well for its capabilities, it does mean it needs to focus on the related risks for OT. With critical infrastructure, the stakes for fixing security problems and reducing risks are extraordinarily high. It covers the core functions of our society such as drinking water and electricity that powers modern society.
Vulnerability management is critically important. The more agencies manage vulnerabilities, they will lower their risks. This directive marks a different track for the government because it mandates actions. Agencies already have resources about vulnerabilities. For example, the CIS Top 20 Controls features an entire section on vulnerability management, which discusses different steps to mitigate vulnerabilities. It recommends organizations first identify their hardware and software assets, patch on a regular basis, and stay on top of the latest known threats. Organizations and agencies know about such resources but knowing about them does not always drive the needed actions in the required amount of time.
Flaws Inherent in Vulnerability Management
Despite its importance, vulnerability management can be seen as a “shuffling the deck chairs on the Titanic” type of activity. Vulnerabilities within software are a reality and will always occur. To complicate matters more, there is also a bit of nuance to the identification and reporting of vulnerabilities. As an example, many vulnerabilities are not even identified, nor reported, by the original developer or manufacturer. Many times, it is a third-party researcher that finds and reports the issue. Sometimes it is not the developer, the manufacturer, or even a third-party researcher that finds the issue -- it’s discovered by an adversary. These are what’s known as a “zero-day”, where the adversary (and possibly their affiliates) is able to exploit the vulnerability for some period of time before someone finds it. In the case of SolarWinds, the vulnerability is believed to have been exploited for many months, even years.
Disagreement about what even constitutes a vulnerability is another issue that sometimes exacerbates the issue. For example, a researcher might identify a method for operators to gain “back door” access to the Distribution Control System (DCS) that is meant for the system operator within an operations setting only. There have been situations like this where both software and the method for accessing the system have existed for years and have long been considered a feature that enabled higher resiliency. This is because the DCS manufacturer/developer and the operational system owner are approaching the system from strictly an operational perspective. But now a third-party security researcher is reviewing that access method from a security perspective, and now they identify the access method as a vulnerability. This underscores the nuances around vulnerability identification, which further creates risks and uncoordinated responses.
A better way to approach these conflicting dynamics about vulnerabilities is through CCE or Consequence-driven Cyber-informed Engineering. CCE begins by recognizing and even accepting that adversaries will likely succeed in accessing mission-critical systems if they launch dedicated and well-funded attacks. It recognizes risks remain because of human development and choices and organizations operate in an imperfect world. As organizations accept these risks, they can still perform vulnerability management to limit risks, but also need to accept vulnerabilities will exist forever.
Taking those realizations as an assumption, then what are organizations left to do? CCE provides engineering, operations, and support backstops within this imperfect world, so that mistakes (uncovered vulnerabilities), won’t ruin the organization. Or in the case of a water district, CCE encourages the district’s team to think like an adversary and ask questions like “What are the most critical systems that cannot fail? Then, it suggests understanding how an attacker could sabotage those systems and instructs the agency to employ engineering protections to remove systems from a hacker’s reach. In some cases, this could mean limiting digitization if that’s the best route indicated through a consequence-based risk management review.
A History of Attacks Drives Action
The directive to federal agencies could have gone out in 2010, or any of the proceeding years before 2021. Ever since the Stuxnet attacks which have been around since 2005, there was a need for addressing vulnerabilities and better protecting critical infrastructure. More recently, the massive SolarWinds hack from 2020 served as a primary impetus for this directive and an increased focus from the federal government. SolarWinds, a major software provider from Oklahoma, offers system management tools that monitor networks and infrastructures. It’s a large firm that offers services to hundreds of thousands of clients. Since it monitors IT systems, the SolarWinds Orion platform has direct access to log and performance data, which makes it an enticing target for hackers. Hacking groups did gain access to the systems and data of thousands of SolarWinds customers when the company launched an update to the Orion software that delivered the hacker’s malware as a backdoor.
It’s likely that the scale, impact, and consequences of the attack prompted the directive and raised calls for improving the ways federal agencies coordinate and manage vulnerabilities. Because CISA does not have the resources to manage the risks associated with vulnerabilities across both public and private sectors, the directive also presents an opportunity for private industry to prioritize cybersecurity and focus their efforts. One way that the federal government could further enlist action with respect to the private sector, excluding legislative action, would be to incentivize private organizations by either lessening regulatory burdens on private organizations that verifiably implement cybersecurity risk management or offering cost-sharing approaches whereby the government offers some percentage of matching funds to organizations who implement cybersecurity controls. Offering a carrot for organizations tends to work better than taking more of a dictatorial and/or punitive-based approach. I’m hopeful that the new directive will measurably improve vulnerability management across the US government, but I also hope that more impactful disciplines and approaches like CCE will also be considered, and hopefully implemented, across both the public and private sectors to prevent cyber sabotage.
About the author: Matt Morris is a Digitalization and Cybersecurity executive and author. Matt is currently the Managing Director for 1898 & Co. Security, where he leads a diverse team of ICS cybersecurity practitioners. His mission is to serve humanity by improving safety, security, and reliability of the world’s critical infrastructure through resiliency, improved situational awareness and preparedness.
An industry luminary, Matt previously spearheaded ICS cybersecurity programs at Cisco, Siemens, and NexDefense. At Cisco, Matt architected and led the world’s first managed industrial cyber security service, among other major achievements. Matt has 26 years of strategy and technology leadership.
Matt is a highly sought-after speaker on ICS cybersecurity and an accomplished author. He has been published in SecurityWeek, USA Today, FoxNews.com, International Business Times, CIO Insights, CIO Review, and many other notable publications. Matt is a Certified CISO (C|CISO), holds 12 DHS ICS-CERT certifications and an MBA degree from Emory Goizueta Business School.