The recent directive from the Cybersecurity and Infrastructure Security Agency (CISA), mandating that all federal agencies patch hundreds of cyber flaws, shocked no one. For years, technology watchdogs and members of Congress have rebuked agencies over their lax cybersecurity.
But while CISA’s Binding Operational Directive 22-01 gives agencies two weeks to six months to fix software vulnerabilities that have been around for years, the underlying problem, in many cases, goes back decades.
In August, the Senate Homeland Security and Governmental Affairs Committee identified “systemic failures” in cybersecurity at seven out of eight federal agencies, noting their reliance on unsupported legacy systems and inability to monitor, track, and “protect America’s sensitive assets.” For cybersecurity maturity, the committee awarded the agencies a dismal C–.
In its in-depth review of the eight agencies, HSGAC noted several significant weaknesses:
- Seven agencies used legacy systems or applications no longer supported by the vendor with security updates.
- Six agencies failed to install security patches and other vulnerability remediation controls quickly.
- Seven agencies failed to maintain accurate and comprehensive information technology asset inventories.
The Senate committee’s report is based on an assessment of each federal agency’s cybersecurity status by their own inspectors general (IG) in 2020.
It’s a follow-up to a similar report written by a subcommittee of the same panel in 2019, which assessed the reviews of agency IGs over the prior decade. The findings highlighted in both reports are damning. Many of the security challenges are the result of an accumulation of legacy networks that are difficult to update, monitor, and protect. According to their own IGs, agencies are investing too much of their resources in these outdated systems and leaving themselves vulnerable to attacks waged by cybercriminals.
“Hackers are getting more sophisticated,” says Edward Debish, director of public-sector customer engagement at Tanium and former commanding officer of the Marine Corps Cyberspace Operations Group. “Every piece of software is going to have a vulnerability associated with it. It’s just a matter of time for that vulnerability to be recognized and then exploited.”
Continuous patch management is a key cybersecurity process that agencies often overlook. The Senate panel report highlights this failure across several agencies, including the Department of Homeland Security, the agency tasked with overseeing cybersecurity standards across the federal government. The report found that DHS failed to properly apply security patches for 12 years. Twenty-six “high vulnerabilities” stemmed from the failure, say agency investigators.
The bigger challenge is that federal agencies are working off a patchwork IT environment spread across on-premises and multiple cloud-based platforms. Not only that, but the explosive growth of unmanaged—and often uncatalogued and unseen—endpoints used by tens of thousands of remote federal workers has further complicated endpoint data security.
In fact, the August 2021 Senate report found a troubling lack of visibility on agency networks, which meant agencies couldn’t fully monitor their own platforms for cyber threats.
For example, the State Department couldn’t provide documentation for 60% of employees who had access to its classified network. And tests of its systems turned up 450 critical-risk and 736 high-risk vulnerabilities. Inspectors at the Department of Transportation, which is responsible for the cybersecurity of the nation’s surface transportation infrastructure, found almost 15,000 IT assets—including mobile devices and servers—the agency had no record of. And at the Department of Housing and Urban Development, inspectors found a “shadow” IT network, a situation that puts the personal and financial information of millions of Americans at risk.
Patch management priorities
The answer to all these ills, according to CISA, is for each agency to create a robust and preferably automated patch management solution. The agency previously published a “Capacity Enhancement Guide” to help federal departments implement patch management strategies.
The success of CISA’s approach depends on two factors. The first is compliance—the degree to which agencies will take seriously and promptly comply with CISA’s order. Daniel Castro, vice president at the Information Technology and Innovation Foundation think tank, isn’t convinced this will happen. “Agencies are already required to patch systems under FISMA [the Federal Information Security Management Act],” says Castro. “The real question is whether the administration has determined how to track compliance more effectively than in the past.”
The second factor is CISA’s singular focus on patching. The directive is notable for its lack of other industry-standard cybersecurity strategies, like asset discovery and inventory and the continuous real-time monitoring of all endpoints connected to an agency’s network.
Patching is a good start, but it’s not enough, says Malcolm Harkins, a fellow at the Institute for Critical Infrastructure Technology (ICIT), a security think tank. He says it needs to be embedded alongside other fundamental strategies like threat detection and network monitoring.
In fact, agencies must first identify all of their network endpoints (servers, workstations, network machines and devices), then catalogue a complete inventory of endpoint data. Only then can they install, update, patch, or remove software, whether on a group of machines or on an individual one.
“Patching alone is no panacea,” says Harkins. “Knowing your options, which systems you patch first, which devices are most important,” that’s the key to successful cybersecurity, he says.
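As an added illustration (not code from the article, CISA, or any of the people quoted), the following Python sketch walks through the sequence above and the prioritisation Harkins describes: reconcile what a scan finds against the asset inventory, flag software past vendor support, and order open findings by their remediation due date. All asset names, software names, finding ids and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): what the inventory says
# exists, what a network scan actually found, and per-asset details.
INVENTORY = {"srv-01", "srv-02", "ws-101"}
DISCOVERED = {"srv-01", "srv-02", "ws-101", "ws-102", "printer-7"}
# Hypothetical vendor end-of-support dates for software seen on each asset.
SOFTWARE = {
    "srv-01": [("app-server", date(2019, 1, 14))],
    "srv-02": [("app-server", date(2030, 1, 1))],
    "ws-101": [("office-suite", date(2030, 1, 1))],
}
# Hypothetical open findings: (asset, finding id, remediation due date).
FINDINGS = [
    ("srv-01", "FINDING-A", date(2021, 11, 17)),
    ("ws-101", "FINDING-B", date(2022, 5, 3)),
    ("srv-02", "FINDING-C", date(2021, 11, 17)),
]
REFERENCE_DATE = date(2021, 12, 1)  # "today" for the sample run

def unrecorded_assets(inventory, discovered):
    """Endpoints seen on the network but absent from the asset inventory."""
    return sorted(discovered - inventory)

def unsupported_software(software, today):
    """Assets running software whose vendor support has already ended."""
    return sorted((asset, name) for asset, items in software.items()
                  for name, eos in items if eos < today)

def remediation_queue(findings, today):
    """Open findings ordered by due date, each tagged as overdue or not."""
    ordered = sorted(findings, key=lambda f: f[2])
    return [(asset, fid, due, due < today) for asset, fid, due in ordered]

def compliance_report(today):
    """Combine the three checks into one report a team could act on."""
    return {
        "unrecorded": unrecorded_assets(INVENTORY, DISCOVERED),
        "unsupported": unsupported_software(SOFTWARE, today),
        "queue": remediation_queue(FINDINGS, today),
        "overdue_count": sum(1 for f in FINDINGS if f[2] < today),
    }

if __name__ == "__main__":
    for key, value in compliance_report(REFERENCE_DATE).items():
        print(key, value)
```

The unrecorded list is the kind of gap the DOT and HUD inspectors found; nothing in it can be patched until it is inventoried.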