The Department of Defense Cyber Crime Center (DC3) achieved a notable milestone late last month: the center's vulnerability disclosure program has processed 50,000 reports. For more information about the program and its implications, Tom Temin of the Federal Drive spoke with Melissa Vice, Director of the Vulnerability Disclosure Program.
Tom Temin: Let's take a quick look at what DC3 does in the vast cyber world. Then we'll move on to the vulnerability reporting program.
Melissa Vice: Absolutely. The Department of Defense Cyber Crime Center (DC3) leads law enforcement, counterintelligence, training, and cybersecurity across the U.S. government.
Tom Temin: That means we need to know what people have to fight against, through vulnerability assessments.
Melissa Vice: Absolutely.
Tom Temin: Okay. Please tell me more about the vulnerability disclosure program. Where do the disclosures come from? We'll get to that 50,000 mark and what trends we see, but let's start with how they come in.
Melissa Vice: For a vulnerability disclosure program, we have a truly unique history. We started with the Hack the Pentagon bug bounty event in 2016. In other words, this is its 7th year of activity. That's what makes it so interesting that it has already received 50,000 reports. We are the single point of contact for all vulnerability reports to Joint Force Headquarters-DODIN and U.S. Cyber Command. So how do these things come in? There's a third-party front end, hosted by a hacker platform, where we receive vulnerability reports from crowdsourced ethical researchers around the world. That goes into the Vulnerability Report Management Network, which we affectionately call VRMN. From there, it moves up to the high side and becomes government information. That system is a cradle-to-grave tracking process: an integrated system that receives those reports, where in-house researchers triage them, verify them, and own the mission orders that Joint Force Headquarters-DODIN hands to those system owners with the task of fixing them. Now, timely remediation is expected based on the severity level of the ingested report. Depending on the importance of these reports, the duration may be 7 days or less.
Tom Temin: And the repair comes in the form of a patch? In other words, is there a closed loop between discovering a vulnerability and reaching out to the vendor and saying, "Look what we found"?
Melissa Vice: That's right. This may not just be a software situation with a CVE, a listed common vulnerability. What you often find instead is what's in the CWE, the list of common weaknesses. Basically, what this means is that it's often a very different problem based on the system, the other applications around it, the entire life cycle of the environment. So it's a little bit different than just having a CVE and saying, "Okay, let's go get this patch." It is up to the system owner to resolve this issue. Currently, our VRMN system provides a very rich report that has a lot of information to help you understand how you need to repair it, but the most important part is this: once you feel you have taken remedial action, you submit a reply via VRMN and request closure. Our internal team then re-verifies those findings. The report will not close until it is 100% repaired. That means rinsing, repeating, and trying again from time to time. We're still having issues here, but what I can tell you, in the four and a half years I've been at DC3, is that it's gone from about 30-something percent, 34 percent when I first arrived, to less than that, about 10% as of the previous month. As a result, these system owners are becoming more skilled at fixing the errors they find.
Tom Temin: Yeah. So you're expecting the item to enter VRMN as a rat, and what comes out is a nice soft bunny?
Melissa Vice: Absolutely.
Tom Temin: I'm talking with Melissa Vice. She is the Director of the Vulnerability Disclosure Program at the Department of Defense Cyber Crime Center. A follow-up question on the common weakness enumeration: this means that vulnerabilities do not necessarily arise from bugs in specific applications, but can arise from configuration interactions with other system elements. So it may be a weakness here, but not with the same software on another system.
Melissa Vice: Absolutely. Well, it might be the way it was installed. Software or hardware configurations often come with some defaults. There may be a default password set in the background, or there may just be a default setting as an administrator. These can create gaps and weaknesses within the system that system owners and users may not be aware of or know they need to change. So it is easy to see how unauthorized access could occur within the system. Therefore, we need to thoroughly harden it, fix it, and explain what its weaknesses are.
Tom Temin: In fact, as of last month, 50,000 reports had been processed. So now it's 50,000 plus a little bit. What do you think that number means?
Melissa Vice: More than half of them were what we call actionable. So real issues were found and they were fixed. What about the rest, you might say? Well, sometimes it's a duplicate of a report we've already received. Again, these are crowdsourced ethical hackers, and submitting these reports earns them reputation points. That is, they see something and say something. They have been hacking our systems forever. This is not to be confused with a bug bounty event. Bug bounty events are often short-term, monitored engagements that pay money to find bugs. As I said, this is a permanent program that has been running for 7 years. At first, we often thought we would work ourselves out of a job, that we'd clean everything up. However, in today's world it turns out that you can always find something new. There are always weaknesses to discover.
Tom Temin: Software is like a highway. No matter how much you clean, the trash will always be there. The next day, I'm sure there will be many more in the same location. And I was interested in how you interact and share information with CISA (the Cybersecurity and Infrastructure Security Agency). CISA has become something of a hub for the civilian side of government to discover and publicize what's going on when it comes to software vulnerabilities.
Melissa Vice: Yes. Our lane is very different from CISA's. But of course, we coordinate whenever possible. But fundamentally, because we're focused, our program is specifically focused on Joint Force Headquarters-DODIN and U.S. Cyber Command. We are firmly in the DoD lane and less so in the public sector.
Tom Temin: But if someone on my team saw something terrible that could put the entire Department of Defense at risk, I would probably call CISA, because Teams is used everywhere.
Melissa Vice: Absolutely. We have connections with CISA. We are actually in the process of re-positioning an LNO, a liaison officer, within the office to ensure that information is shared equally and that there is no duplication of our efforts.
Tom Temin: Let's talk about data analysis and the body of 50,000 reports. These are multi-element reports. There's a lot of data. Nowadays, everyone is talking about using artificial intelligence to perform predictive analysis. Are you thinking about it, because you have 50,000? There may be some learning or predictions there.
Melissa Vice: Yes, it is. That really highlights a good point. We're getting to the point where we have a very robust dataset. Now, one of the challenges we face is that these are very specific, in that they are specific vulnerabilities for specific settings. So this isn't Minority Report, where I can look at the entire platform and say, "Oh, I know what's going to happen next." That's usually what they want, a bit more of a predictive model, but we provide trend analysis. And each year, we analyze trends and celebrate the year's best researchers in our annual report, which you can read by visiting dc3.mil. So part of our program is really to help these researchers get the recognition that they deserve. That's the disclosure part of our process. We allow researchers to request a redacted version of their report once that report is 100% complete. They can take it to Black Hat and DEF CON, post it on their Twitter page, and do whatever they want with it. It's to help their reputation. Because again, the more eyes that monitor these publicly accessible Department of Defense information systems and networks, the safer we'll all be.