Senior U.S. government officials have urged companies to patch cybersecurity vulnerabilities outlined in a general order for federal agencies to fix known software flaws, some of which have been exploited by hackers for years.
A list released Wednesday by the Cybersecurity and Infrastructure Security Agency highlights software vulnerabilities that government agencies should prioritize. But fixing them under tight deadlines could be difficult for organizations that rely on aging technology, cybersecurity experts say.
CISA has called on federal agencies such as the Department of Justice, the Department of Commerce and the Department of Homeland Security to review the list and take immediate action to correct the flaws. The order does not cover the Department of Defense, the Office of the Director of National Intelligence, or the Central Intelligence Agency.
Jen Easterly, director of CISA, said the mandate “fundamentally changes” the way the federal government deals with cybersecurity loopholes, adding that it shouldn’t just be government organizations that take part.
“We strongly recommend that every network defender review known vulnerabilities posted on CISA.gov and prioritize urgent corrective action,” Easterly said at a House Homeland Security Committee hearing on Wednesday.
Officials want the private sector to pay attention to the mandate to avoid supply chain attacks that can affect government, such as the hack of SolarWinds Corp. software in 2020, which led to the breach of several agencies. More than three-quarters of America’s critical infrastructure is operated by private companies, leaving the government with little visibility into how critical businesses such as pipeline operators and logistics companies maintain their cyber defenses.
The CISA directive also applies to systems managed by third parties on behalf of a federal agency.
CISA’s order covers around 290 vulnerabilities exploited by hackers since 2017, including in popular tools from Microsoft Corp., Kaseya Ltd. and Accellion USA LLC. Hacks of software from these vendors this year have claimed many victims in both the public and private sectors.
CISA requires government agencies to correct the worst flaws on the list within two weeks. Less serious fixes should be made within six months. Companies should use the list to identify the most serious issues among the barrage of vulnerability alerts they receive, said Alex Iftimie, a former Justice Department official who is now co-chair of the global risk and crisis management group at the law firm Morrison & Foerster.
“Companies should fix these vulnerabilities as quickly as possible,” he said.
Updating old computer systems or legacy software products managed in physical offices can be particularly difficult, said Allie Mellen, cybersecurity analyst at Forrester Research Inc.
“The older the software, the more updates it needs to get the latest, best performing version,” Mellen said. “So it will inevitably take longer with some of these legacy code bases.”
A 2021 report from the Government Accountability Office found that federal agencies’ legacy computer systems “are getting more and more obsolete,” with some components or programming languages that are decades old. They include a 35-year-old Department of Transportation system that contains sensitive aircraft information, as well as an almost 50-year-old system used by the Department of Education to keep student loan data.
“The cost of operating and maintaining legacy systems increases over time,” GAO said.
Organizations that have not yet addressed the vulnerabilities highlighted by U.S. officials may try to avoid disrupting day-to-day operations, Ms. Mellen said.
“Every time they update a system, it [requires] taking it offline for a while,” she said. “They have to find the right time.”
An organization’s ability to meet CISA deadlines will depend on the number of fixes to be implemented and the staff available to deploy them, said Scott Algeier, executive director of the non-profit Information Technology-Information Sharing and Analysis Center.
Updating software can be complex, especially in large companies using a range of technologies. Prioritizing fixes can therefore be a balancing act, he said. “You don’t want to fix one thing if it will break another.”
—Catherine Stupp contributed to this article.
Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.