The headlines paint a grim picture of cybersecurity. There has been another major cyberattack, this time targeting Change Healthcare, which processes insurance and billing for hundreds of thousands of hospitals and pharmacies across the United States. This recent ransomware attack reportedly compromised a large amount of personal data (approximately 4 TB stolen). Additionally, FBI Director Christopher Wray publicly warned in an April speech that a China-based hacking campaign targeting U.S. critical infrastructure was underway.
The attacks are relentless.
As a former lawmaker who has worked extensively on cybersecurity law and policy issues for two decades, I know the challenges we face are difficult. But I'm also optimistic that we're making progress.
Investment is paying off
A new study from cyber risk management firm BitSight reveals that some U.S. government programs and investments are paying off, particularly at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. In recent years, Congress has made significant investments in CISA, granting it new operating authority and providing substantial financial resources to carry out its mission. It hasn't always been easy for CISA, and some of these decisions remain controversial. The agency was given new regulatory powers to collect data on cyber incidents affecting critical infrastructure, a move opposed by some in the private sector. The so-called “binding operational authority” that directs federal agencies to implement cybersecurity protections in emergency situations was also perceived by some as an unnecessary overreach.
Nevertheless, the same data shows that many of CISA's priority focus areas are producing positive results. One area of success is vulnerability prioritization, which has long been a pain point for defenders. Securing organizations remains difficult, often hampered by a lack of resources, talent, and time, and nowhere is this more evident than in vulnerability management.
Hundreds of thousands of vulnerabilities have been discovered in software, but only a small percentage of these vulnerabilities are actively exploited by malicious actors. In theory, focusing on patching and remediating vulnerabilities that are known to be exploited could reduce the burden faced by security leaders.
KEV catalog
In 2021, for the first time, CISA published a catalog of known exploited vulnerabilities (KEVs) to assist with this prioritization. The catalog is built from information gathered by CISA and other government and law enforcement agencies and is updated regularly.
The same KEV-focused study shows that CISA's cataloging has a clear positive impact on global remediation rates. In 2023, a whopping 35% of organizations had at least one KEV, but organizations remediated those KEVs significantly faster (3.5x on average) than non-KEVs of the same severity. By maintaining a prioritized list of vulnerabilities known to be used by malicious attackers, CISA helps organizations focus their remediation effort where it matters and avoid becoming the next headline.
CISA's focus on identifying vulnerabilities used in ransomware attacks also helps reduce risk across the global ecosystem. The same KEV study found that 20% of organizations had at least one vulnerability known to have been used in a 2023 ransomware incident. But thanks to CISA's priority list, these “known ransomware vulnerabilities” were patched 2.5 times faster than others.
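The prioritization the last three paragraphs describe (KEV first, ransomware-linked KEVs ahead of other KEVs, and CISA's due dates as the clock) is easy to turn into a triage step for scanner output. The following is an added example, not code from the article or from CISA or BitSight. It assumes a catalog in the shape of CISA's public KEV JSON feed (fields such as `cveID`, `dueDate` and `knownRansomwareCampaignUse` exist in that feed); the catalog entries and findings embedded below are constructed placeholders, not real CVEs, and the assessment date is likewise made up.

```python
"""Triage scanner findings against a CISA KEV-style catalog (illustrative, not CISA's code)."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample in the shape of CISA's KEV feed. The CVE ids are placeholders.
KEV_CATALOG_JSON = """
{
  "title": "Constructed KEV sample (not the real catalog)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2023-03-01", "dueDate": "2023-03-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Portal",
     "dateAdded": "2023-05-25", "dueDate": "2023-06-15",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "VPN",
     "dateAdded": "2023-05-30", "dueDate": "2023-06-20",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""


@dataclass
class Finding:
    """One vulnerability instance as a scanner would report it (constructed)."""
    cve_id: str
    asset: str
    cvss: float


@dataclass
class Prioritized:
    finding: Finding
    in_kev: bool
    known_ransomware: bool
    due_date: Optional[date]
    overdue: bool
    tier: str  # sorts lexically: P0 < P1 < P2 < P3


# Constructed findings: note the critical non-KEV (0003) and the 7.5 KEV (0001).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0003", "db-01", 9.8),
    Finding("CVE-0000-0002", "web-02", 9.8),
    Finding("CVE-0000-0001", "gw-01", 7.5),
    Finding("CVE-0000-0004", "vpn-01", 8.1),
]
ASSESSMENT_DATE = date(2023, 6, 1)  # constructed "today" for the sample run


def load_kev(raw_json: str) -> Dict[str, dict]:
    """Index catalog entries by CVE id for O(1) lookup."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def classify(finding: Finding, kev: Dict[str, dict], today: date) -> Prioritized:
    """Assign a triage tier: overdue KEV, ransomware KEV, other KEV, or not in KEV."""
    entry = kev.get(finding.cve_id)
    if entry is None:
        return Prioritized(finding, False, False, None, False, "P3-not-in-kev")
    due = date.fromisoformat(entry["dueDate"])
    ransomware = entry.get("knownRansomwareCampaignUse", "Unknown") == "Known"
    overdue = today > due
    if overdue:
        tier = "P0-kev-overdue"
    elif ransomware:
        tier = "P1-kev-ransomware"
    else:
        tier = "P2-kev"
    return Prioritized(finding, True, ransomware, due, overdue, tier)


def prioritize(findings: List[Finding], kev: Dict[str, dict], today: date) -> List[Prioritized]:
    """Order findings by tier, then by CVSS within a tier."""
    items = [classify(f, kev, today) for f in findings]
    items.sort(key=lambda p: (p.tier, -p.finding.cvss))
    return items


def summary(items: List[Prioritized]) -> Dict[str, int]:
    """Counts that mirror the metrics the study reports (KEV exposure, overdue, ransomware)."""
    return {
        "total": len(items),
        "kev": sum(p.in_kev for p in items),
        "overdue": sum(p.overdue for p in items),
        "ransomware": sum(p.known_ransomware for p in items),
    }


def run_sample() -> List[Prioritized]:
    """Triage the constructed findings against the constructed catalog."""
    return prioritize(SAMPLE_FINDINGS, load_kev(KEV_CATALOG_JSON), ASSESSMENT_DATE)


if __name__ == "__main__":
    for p in run_sample():
        print(p.tier, p.finding.cve_id, p.finding.asset, p.finding.cvss, p.due_date)
    print(summary(run_sample()))
```

The ordering is the point of the exercise: a CVSS 7.5 KEV that is past its CISA due date lands at the top, while a CVSS 9.8 finding that is not in the catalog drops to the bottom, which is exactly the shift in effort the study credits with the faster remediation rates.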
Interagency dispute?
Another notable area of success concerns the remediation obligations of U.S. federal agencies. The Federal Information Security Modernization Act of 2014 gave the Department of Homeland Security the authority to issue “binding operational directives” requiring federal agencies to address specific vulnerabilities in a timely manner. This caused some controversy at the time, as other government agencies felt it gave DHS unnecessary authority that could be mismanaged.
However, the same report shows that government agencies have faster KEV remediation times than other organizations, another sign of CISA's positive impact.
There's more to do
Let me be clear: there is still much work to be done. The KEV-focused research shows that more than a third of the world's organizations had at least one KEV in 2023, leaving most organizations at significant risk, which highlights the scale of what we are facing. Vulnerability remediation remains too slow: 60% of vulnerabilities remained unaddressed past the CISA deadline. And federal agencies aren't perfect either. CISA disclosed a breach of its own network in March.
Still, the data supports CISA's focus and should prompt us to redouble these defense efforts.
How can we continue to move forward? I am a strong believer that data can help us make better decisions about cybersecurity, not only at an operational level but also from a national policy perspective. Security has always been difficult to measure, especially at the nation-state level. Systems and assets are primarily owned by the private sector, and information sharing with governments is largely voluntary. Without data, policymakers must act in a vacuum, without a complete, or even partial, understanding of what is actually happening. This can lead to both overreaction and underinvestment.
Data can help guide a variety of decisions that may advance national cybersecurity interests. Along with many policymakers, I have pushed for the creation of a cybersecurity statistics bureau similar to labor and crime statistics. Additionally, President Biden's National Security Telecommunications Advisory Council (NSTAC) recently recommended the creation of a Cybersecurity Measurement Center of Excellence. I am a strong supporter of these efforts and believe they will help close this data gap.
Private sector investment can be leveraged to stimulate data collection. For example, cyber risk management companies collect data from organizations around the world to measure their cybersecurity performance. These datasets are now widely used by insurance companies and investors, and should be leveraged by governments as well.
CISA's important future role
As we look to the future of U.S. cyber defense, CISA must continue to play a critical role. And thanks to the strong leadership of Director Jen Easterly and her team, I am confident it will fill that role.
Overall, I would like CISA to focus on three key areas:
- Track global cybersecurity performance. CISA needs to provide policymakers with ongoing insight into the current state of cybersecurity performance across critical infrastructure sectors and industries. Data and analytics will help sector-specific agencies, regulators and others track the effectiveness of their efforts.
- Leverage data to identify and remediate risks. CISA consumes large amounts of data to identify organizations at risk and risky behavior. This data can be used to make better risk remediation recommendations for individual organizations and broader sectors and industries.
- Strengthening the supply chain. Supply chain incidents can have devastating effects on national security and the economy. CISA needs to assess systemic cyber risks and work with policymakers to develop remediation plans.
We are at a challenging time in cybersecurity, but we are confident that our strategic direction is the right one. The more data we can leverage to inform policy decisions, the more our country will be in a strong position to succeed.
James R. Langevin is a former member of Congress and co-founder of the Congressional Cybersecurity Caucus.
Copyright © 2024 Federal News Network. All rights reserved.