US President Joe Biden and CISA gives all US federal agencies six months to patch hundreds of known cybersecurity flaws to prevent future intrusions
The Biden administration has ordered US Federal Agencies to tighten up cybersecurity loopholes, to prevent damaging intrusions into government computer systems.
The directive orders US federal agencies to patch hundreds of cybersecurity vulnerabilities that are considered major intrusion risks within a six month period.
It comes after report from a US Senate committee in August painted a damming assessment of the cybersecurity readiness at multiple US federal agencies.
That bipartisan report revealed the details of an investigation by the Senate Committee on Homeland Security and Government Affairs, into the cyber security measures in the federal government.
Alarmingly, the ‘Federal Cybersecurity: America’s Data Still at Risk’ report found that seven out of eight federal agencies failed to protect critical data due to inadequate cyber security measures.
The report found there were still systemic failures to safeguard American data at the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration.
Only the Department of Homeland Security had an effective cybersecurity program for 2020, according to the report.
But seven federal agencies failed to protect personally identifiable information adequately; failed to maintain accurate and comprehensive IT asset inventories; failed to maintain current authorisations to operate for information systems; failed to install security patches quickly; and failed to retire legacy technology no longer supported by the vendor.
Worse still, the report inspectors identified many of the same issues that have plagued federal agencies for more than a decade.
Cybersecurity has been a priority for President Biden and he signed an executive order in May to help prevent future cybersecurity incidents.
That order mandated two-factor authentication across the federal government, established a protocol for responding to cyberattacks, among other safety measures.
And now the CISA has issued a sweeping directive ordering all agencies to patch known flaws and vulnerabilities.
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy,” noted CISA. “The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise.”
“Vulnerabilities that have previously been used to exploit public and private organisations are a frequent attack vector for malicious cyber actors of all types,” it added. “These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.”
CISA has a catalogue of known exploited vulnerabilities that carry significant risk to the federal enterprise, and federal agencies have six months to apply patches and plug the vulnerabilities.
“This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf,” said CISA.
“These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”
Patching known vulnerabilities does not on the surface sound like an erroneous undertaking, but in reality it is much more complex than many people think, given the disparate number of IT systems and legacy equipment being used by federal agencies.
But patching known flaws is needed, as demonstrated earlier this year.
The SolarWinds compromise revealed how vulnerable many IT systems of the US government remain vulnerable to outside hackers, which includes nation state hackers.
The hackers inserted backdoor code into SolarWinds’ Orion platform in March of 2020 (or possibly earlier according to one US senator) and used this to access the systems of at least half-a-dozen US federal agencies, as well as potentially thousands of private firms before the attack was discovered in December 2020.
The scale of the US government compromise is still being investigated, but just before Christmas US Senator Ron Wyden revealed that dozens of email accounts at the US Treasury Department were compromised.