This post first appeared on Federal News Network.
The headlines paint a grim picture of cybersecurity. There’s been another major cyberattack, this time targeting Change Healthcare, a processor of insurance and billing for hundreds of thousands of hospitals and pharmacies across the U.S. This recent ransomware attack reportedly compromised a massive amount of personal data (with roughly 4Tb stolen). What’s more, in an April speech, FBI Director Christopher Wray publicly warned of an ongoing, China-based cyber hacking campaign targeting U.S. critical infrastructure.
The attacks are relentless.
As a former member of Congress who worked extensively on cybersecurity legal and policy issues for two decades, I know the challenges we face are difficult. But I’m also optimistic that we are making progress.
Investments are paying off
New research from cyber risk management company Bitsight shows that some of the U.S. government’s programs and investments are paying off, particularly at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In recent years, Congress has invested heavily in CISA, vesting new operational authorities and providing significant financial resources to the agency to fulfill its mission. It hasn’t always been easy for CISA; some of these decisions have been controversial. The agency was granted new regulatory authority to collect data on cyber incidents affecting critical infrastructure, a move that was opposed by some in the private sector. Its so-called “binding operational authority” to command federal agencies to implement cybersecurity protections in emergency situations was also perceived by some to be unnecessary overreach.
Nevertheless, the same data shows that a number of CISA’s priority focus areas are generating positive results. One area of success is vulnerability prioritization, long a thorn in the side of today’s defenders. Protecting an organization is already a tall order, and it is made harder by a lack of resources, manpower and time. Nowhere is that more evident than in vulnerability management.
There are hundreds of thousands of discovered vulnerabilities in software, but only a small fraction of these vulnerabilities are actively exploited by malicious actors. Theoretically, focusing on patching and remediating vulnerabilities that are known to be exploited can reduce the burdens that security leaders face.
The KEV Catalog
In 2021, to help with this prioritization, CISA first published its list of known exploited vulnerabilities (KEVs). This list is developed with information and intelligence from CISA and other law enforcement agencies, and is updated regularly.
According to the same KEV-focused research, CISA’s creation of the catalog has had a clear, positive impact on global remediation rates. Although a whopping 35% of organizations had at least one KEV in 2023, organizations remediated these vulnerabilities at a significantly faster rate (on average, 3.5 times faster) than non-KEVs of the same severity. By creating a prioritized list of vulnerabilities known to be used by malicious actors, CISA is helping organizations focus on remediating these vulnerabilities and avoid becoming the next headline.
CISA’s focus on identifying vulnerabilities used in ransomware attacks is also helping the global ecosystem reduce risk levels. The aforementioned KEV research found that 20% of organizations had at least one vulnerability known to be used in a ransomware incident in 2023. But thanks to CISA’s prioritized list, these “known ransomware vulnerabilities” were patched 2.5 times faster than others.
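The prioritization the catalog enables is easy to see in code. The following is an added example, not code from the article or from Bitsight or CISA: it joins a set of vulnerability-scanner findings against an excerpt of the KEV catalog, flags the entries CISA marks as used in ransomware campaigns, checks each KEV finding against its CISA due date, and sorts the result so that the exploited, ransomware-linked and overdue items come first. The feed field names `cveID`, `dueDate` and `knownRansomwareCampaignUse` follow the public KEV JSON feed as I understand it and are an assumption of this example; the catalog excerpt, the scanner findings and the CVE identifiers are all constructed placeholders.

```python
"""Triage scanner findings against a CISA KEV catalog excerpt.

Added example (not the article's or CISA's code). Field names follow the
public KEV JSON feed as assumed here; all data below is constructed and
the CVE identifiers are placeholders, not real entries.
"""
from datetime import date

# Constructed excerpt in the shape of the KEV feed (placeholder CVE IDs).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "dueDate": "2023-06-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "dueDate": "2023-12-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner output: one row per (CVE, host) with a CVSS score.
FINDINGS = [
    {"cve": "CVE-1900-0001", "host": "web-01", "cvss": 7.5},
    {"cve": "CVE-1900-0002", "host": "db-01", "cvss": 9.8},
    {"cve": "CVE-1900-0003", "host": "web-01", "cvss": 9.8},  # not in KEV
]


def index_kev(feed):
    """Map cveID -> catalog entry for O(1) lookups while triaging."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritise(findings, kev_index, today):
    """Annotate each finding with KEV status and order it for remediation.

    Sort order: ransomware-linked KEVs, then any other KEV, then overdue
    items, then by descending CVSS. A severe non-KEV finding therefore
    sorts below a less severe KEV, which is the point of the catalog.
    """
    rows = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        due = date.fromisoformat(entry["dueDate"]) if in_kev else None
        overdue = in_kev and today > due
        rows.append({
            "cve": finding["cve"],
            "host": finding["host"],
            "cvss": finding["cvss"],
            "in_kev": in_kev,
            "ransomware": ransomware,
            "due": due,
            "overdue": overdue,
        })
    rows.sort(key=lambda r: (not r["ransomware"], not r["in_kev"],
                             not r["overdue"], -r["cvss"]))
    return rows


def summarize(rows):
    """Counts of the kind the article quotes: KEV exposure and overdue share."""
    in_kev = sum(1 for r in rows if r["in_kev"])
    overdue = sum(1 for r in rows if r["overdue"])
    ransomware = sum(1 for r in rows if r["ransomware"])
    return {
        "findings": len(rows),
        "in_kev": in_kev,
        "overdue": overdue,
        "ransomware": ransomware,
        "overdue_share": overdue / in_kev if in_kev else 0.0,
    }


if __name__ == "__main__":
    # Fixed "today" so the run is reproducible; use date.today() in practice.
    triaged = prioritise(FINDINGS, index_kev(KEV_SAMPLE), date(2023, 9, 1))
    for r in triaged:
        print(f'{r["cve"]:14} {r["host"]:7} cvss={r["cvss"]:<4} '
              f'kev={r["in_kev"]!s:5} ransomware={r["ransomware"]!s:5} '
              f'due={r["due"]} overdue={r["overdue"]}')
    print(summarize(triaged))
```

Running it against the live feed only requires replacing `KEV_SAMPLE` with the parsed JSON and `FINDINGS` with real scanner output; the `overdue_share` figure is the same measure as the "past CISA's deadlines" statistic quoted later in the article, computed for one organization.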
Interagency controversy?
Another area of success worth highlighting is around U.S. federal agency remediation mandates. The Federal Information Security Modernization Act of 2014 provided the Department of Homeland Security with the authority to issue “Binding Operational Directives” to federal agencies to address specific vulnerabilities in a timely fashion. This sparked some controversy at the time, as other agencies felt that this gave unnecessary power to DHS and could be improperly administered.
However, according to the same report, federal agencies remediate KEVs faster than other organizations – another sign of CISA’s positive impact.
More work to be done
To be clear: There is still much more to do. The KEV-focused research shows that over one-third of global organizations had at least one KEV in 2023, highlighting the significant exposure that most organizations face. Vulnerability remediation rates are still too slow; 60% of vulnerabilities remained unaddressed past CISA’s deadlines. And federal agencies aren’t perfect either; CISA disclosed a breach of its own network in March.
Still, the data validates CISA’s focus and should encourage us to double down on these defensive efforts.
How can we continue to advance? I strongly believe that data can help us make better cybersecurity decisions, both on an operational level and from a national policy perspective. Security has always been difficult to measure, especially on a national basis: Systems and assets are owned largely by the private sector, and information sharing with the government is largely voluntary. Without data, policymakers must act in a vacuum without a full – or even partial – picture of what’s actually happening. The results can lead to overreaction or underinvestment.
Data can help guide various decisions that may advance our national cybersecurity interests. Along with many policymakers, I’ve pushed for the creation of a Cybersecurity Bureau of Statistics, similar to what we have for labor and crime stats. Additionally, President Biden’s National Security Telecommunications Advisory Committee (NSTAC) recently recommended the creation of a Cybersecurity Measurement Center of Excellence. I strongly support these initiatives and think they will contribute to bridging this data gap.
We can take advantage of private sector investments to jumpstart our data collection. For example, cyber risk management companies are collecting data and measuring cybersecurity performance on organizations around the globe. These data sets are being used extensively by insurers and investors today, and the government should leverage them as well.
CISA’s crucial future role
As we look to the future of U.S. cyber defense, CISA must continue to play a vital role – and certainly will thanks to the strong leadership of Director Jen Easterly and her team.
Overall, I’ll look to CISA to focus on three critical areas:
- Tracking global cybersecurity performance. CISA should provide policymakers an ongoing view into the current state of cybersecurity performance across critical infrastructure sectors and industries. Data and analytics will help sector-specific agencies, regulators and others track the effectiveness of their efforts.
- Leveraging data to identify and remediate risk. CISA consumes a significant amount of data that identifies at-risk organizations and risky behavior. With this data, it can make better risk remediation recommendations to individual organizations and to broader sectors and industries.
- Strengthening the supply chain. Supply chain incidents can have a catastrophic impact on national security and the economy. CISA should assess systemic cyber risks and work with policymakers to develop remediation plans.
While we find ourselves at a challenging time in cybersecurity, I’m confident that our strategic direction is the right one. If we can harness more data to inform policy decisions, our country will be in a strong position to succeed.
James R. Langevin is a former member of the House of Representatives and Co-Founder of the Congressional Cybersecurity Caucus.
The post Cybersecurity challenges persist, but CISA is up to the task first appeared on Federal News Network.