The Cybersecurity and Infrastructure Security Agency (CISA) sent out an emergency directive December 17, 2021, requiring federal agencies to immediately patch their networks for the Log4j vulnerabilities. The message: If you can’t patch, remove the affected software from your network. And do it as fast as humanly and technologically possible.
Immediately is the blink of an eye for any IT project, let alone one that spans the massive bureaucracy of the U.S. government and its countless third-party vendors. But it wasn’t the first time CISA asked agencies to patch ASAP. A month earlier, it had issued a binding operational directive (BOD) that applied to about 290 known critical vulnerabilities that threat actors have exploited since 2017. (For some vulnerabilities, CISA gave agencies 60 days and even six months to patch, and for other vulnerabilities, just two weeks.)
The urgency, and CISA’s tight deadlines, are understandable. Its previous directives have shed light on the challenges many federal agencies face in achieving visibility across their networks, especially into the thousands of endpoints used by remote workers and those contained in cloud applications, and in providing rapid and real-time software patching.
In 2015, CISA researchers found that nearly one in three security flaws at federal agencies took an average of 200 days or more to patch. Three years later, the agency tried to accelerate patching by issuing a BOD requiring all known vulnerabilities to be fixed within 15 days.
While only 4% of the security flaws targeted in that directive had been exploited in the wild, hackers targeted 42% of them on Day 0 (the first day of disclosure that a security patch was needed), 50% within two days of that disclosure, and 75% within 28 days.
CISA’s patching directives are “risk management 101,” says Suzanne Spaulding, senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies. “You look at consequence and likelihood. These are vulnerabilities that are both potentially high-consequence if exploited and are the ones most likely to be exploited.”
CISA’s ongoing catalogue of security flaws listed in its BOD encompasses software and software configurations supplied by a host of major software suppliers, including Adobe, Apple, Cisco, Google, Microsoft, Oracle, and SolarWinds, all of which are deployed on federal networks.
The CISA risk catalogue is a recognition that the current raft of threat actors has been strategically “chaining” multiple vulnerabilities together in their recent attacks.
It’s a tactic that Russia’s Nobelium hacking collective used in exploiting a set of four flaws in Microsoft Exchange Server in multiple attacks earlier this year: taking advantage of low-severity flaws to gain a foothold in a network, then incrementally using other weaknesses to escalate privileges and reach more sensitive data and protocols.
Speed bumps abound
Patching high-risk vulnerabilities, and doing it quickly, is essential. But it is not always easy. “Installing a given patch could disrupt an agency’s entire network,” says Spaulding. Even more challenging: Federal agencies and civilian contractors work in a patchwork IT landscape encompassing legacy platforms, firmware, and software. As the pandemic forced a shift to remote work, cloud-based VPN access routes and device endpoints exploded.
For any agency to meet the requirements of CISA’s BOD meaningfully, it’s going to have to go through a process of inventorying all its network assets and “identifying the systems that need to be patched and identifying the impact of what patching will have on their current software,” says Jamil Jaffer, executive director of the National Security Institute.
That means conducting a thorough discovery and inventory process of all agency and vendor software, firmware, and endpoints—including on-prem and cloud servers, desktop computers, mobile devices, and IoT sensors. Next, agencies must fix, remove, or replace any vulnerable assets, as well as ensure that all software updates and secure configurations are properly installed and working.
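As an added illustration of the inventory-and-triage step described above (not code from the article or from any agency tool): a short Python script that cross-references a scanner's per-host CVE findings against a catalog in the shape of CISA's known-exploited-vulnerabilities feed and ranks assets by how many days remain before each directive due date. The catalog entries, CVE ids, hostnames and due dates are constructed placeholders, not CISA's values.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV catalog feed (same field names:
# cveID, vendorProject, product, dueDate); ids and dates are placeholders.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "Apache", "product": "Log4j2",
   "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
  {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Exchange Server",
   "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
  {"cveID": "CVE-0000-0003", "vendorProject": "SolarWinds", "product": "Orion Platform",
   "dateAdded": "2021-11-03", "dueDate": "2022-05-03"}
]}"""

# Constructed inventory: the CVEs a vulnerability scanner reported per host.
INVENTORY = [
    {"asset": "mail01.example.gov", "cves": ["CVE-0000-0002"]},
    {"asset": "app07.example.gov", "cves": ["CVE-0000-0001", "CVE-0000-0003"]},
    {"asset": "kiosk03.example.gov", "cves": []},
]

DIRECTIVE_DAY = date(2021, 12, 17)  # day the Log4j emergency directive was issued

def load_kev(raw):
    """Index catalog entries by CVE id, parsing dueDate into a date object."""
    return {v["cveID"]: {**v, "dueDate": date.fromisoformat(v["dueDate"])}
            for v in json.loads(raw)["vulnerabilities"]}

def triage(inventory, kev, today):
    """One row per (asset, catalogued CVE) with days until the BOD deadline.
    Negative days_left means the deadline has already passed; most urgent first.
    CVEs not in the catalog are skipped: they are outside the directive's scope."""
    rows = []
    for host in inventory:
        for cve in host["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (entry["dueDate"] - today).days
            rows.append({"asset": host["asset"], "cve": cve, "days_left": days_left,
                         "product": f'{entry["vendorProject"]} {entry["product"]}',
                         "status": "OVERDUE" if days_left < 0 else "due"})
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    for r in triage(INVENTORY, load_kev(KEV_JSON), DIRECTIVE_DAY):
        print(f'{r["status"]:8}{r["days_left"]:>5}d  {r["asset"]:20} {r["cve"]}  {r["product"]}')
```

Feeding the script a real scanner export and the live catalog instead of the constructed samples gives the same ranked list; assets that appear with a negative day count are the ones already out of compliance.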
“It’s a massive undertaking,” says Bud Broomhead, CEO at Viakoo, which, among other services, helps secure IoT devices. “You can’t possibly expect agencies to drop everything and get these patches done immediately.”
Given the scale of the task, Broomhead posits that tackling it manually is both impractical and unrealistic. “There just aren’t enough bodies to throw at it,” he notes. “The reality is you need automation, but only a very small fraction of agencies have automation in place.”
Even automation of software updates may not be enough. Case in point: In the SolarWinds attack, Russian hackers used a routine software update as a Trojan horse, inserting malicious code into Orion’s software, which was then downloaded by 18,000 users over four months in the spring of 2020.
Where CISA’s BOD falls short
Patching may offer a short-term fix to vulnerabilities, but a more robust overhaul will be needed to truly shore up government cybersecurity over the long haul.
“Every agency is on a security journey,” says Broomhead. “The end goal is zero trust.”
Given that a reported 61% of data breaches are caused by leaked credentials, multifactor authentication (MFA) is a critical step toward achieving zero trust. (The Colonial Pipeline attack has been linked to a single leaked password.) But CISA has been slow to push for MFA. It only added single-factor authentication to its “bad practices” list in August 2021.
While the Biden administration’s June executive order mandated that all agencies and vendors implement MFA within 180 days, Biden himself admitted in a press conference that the executive branch can’t “dictate” security protocols to federal civilian contractors.
Another major security weakness the BOD leaves unaddressed: vulnerable VPNs, which offer no way to monitor and audit remote-access activity. If an attack does occur, VPNs don’t preserve a historical log of network activity to track the source of the breach. In October, CISA did provide guidelines to shore up remote-access security. But without a robust framework for monitoring and ensuring compliance, these are little more than ideas.
Even with CISA’s BOD aimed at patching security leaks, enforcement seems difficult if not impossible. The two-week deadline passed on Nov. 17, but the agency has not yet commented on how many agencies and vendors have complied with the directive, let alone how fully.
“At the end of the day, CISA has limited ability to enforce these things,” Jaffer says. “Ultimately, the president and Congress will have to play a role in overseeing these directives. That’s what will increase the pressure on agency heads to get as much done as quickly as possible.”
CISA director Jen Easterly admitted as much when she testified at a September 2021 Senate Homeland Security and Government Affairs Committee hearing. “I do think a compliance and enforcement mechanism is very important,” she told the committee. “I think that we should look at fines.”
“Fines would, of course, be a worst-case scenario for an agency as they would impact the bottom-line funds available both for operational purposes and cybersecurity,” says Jaffer. “What you want to see is agencies getting ahead of that and implementing CISA directives, ideally before Congress considers providing such authority.”
The best-case scenario? In a cyber environment where bad actors are probing for flaws to exploit all day, every day, federal agencies and their third-party partners must move beyond short-term patches to a long-term strategy of zero trust—and they must move fast.