US officials issued a sweeping directive on Wednesday requiring federal civilian agencies to promptly update hardware and software that is vulnerable to hacking following multiple breaches of government networks in recent years.
The directive gives agencies just two weeks to remediate newly discovered software vulnerabilities, and requires agencies to have a process in place for mitigating the impact of those security issues. The directive does not apply to the Pentagon, which is in charge of its own networks.
The new policy comes after multiple warnings from US cybersecurity officials and outside experts that federal defenses have not kept pace with attempts by cybercriminals and state-sponsored hackers to access sensitive federal information. Alleged Russian hackers were able to go undetected for months last year in the unclassified networks of agencies such as the Justice Department before a private firm discovered the intrusions.
The directive sends a “clear message to all organizations across the country” to address vulnerabilities that hackers are actively exploiting to access networks, said the US Cybersecurity and Infrastructure Security Agency (CISA), which issued the directive.
The new CISA directive is an attempt to break the US government from a cycle of having to clean up from one big hack after another and instead keep key systems that hackers are trying to breach updated. Left unaddressed, software bugs can linger in systems for years and offer a path for spies and criminal groups to siphon off data.
The Wall Street Journal was first to report on the new CISA directive.
While timely updates of software vulnerabilities alone are not enough to blunt the impact of advanced hacking operations, the Biden administration is hoping a multi-pronged approach will. CISA, which is part of the Department of Homeland Security, is investing millions of dollars in better security technologies and methods to more quickly detect hacks, officials say.
“Every day, our adversaries are using known vulnerabilities to target federal agencies,” CISA Director Jen Easterly said in a statement on Wednesday. “As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors.”
The White House has made cybersecurity a top national and economic security issue, particularly after the May ransomware attack on computers at Colonial Pipeline, the main artery for delivering fuel to the East Coast. Colonial Pipeline was forced to shut down for days, causing long lines at gas stations in multiple states.
President Joe Biden in June called on Russian President Vladimir Putin to rein in the criminal hackers operating from Russian soil that experts believe are responsible for the damaging ransomware incidents at Colonial Pipeline and elsewhere.
Some Russian-speaking criminal groups have gone quiet since the Biden-Putin meeting, while others have continued to hold US companies for ransom.
Chris Inglis, the US National Cyber Director, told lawmakers on Wednesday that the US government had seen a “discernible decrease” in Russia-based hacks against US organizations since the Biden-Putin summit, but that it was “too soon to tell” if that lull in activity was “because of the material efforts undertaken by the Russians or the Russian leadership.”
“It may well be that the transgressors in this space have simply … lain low, understanding that this is, for the moment, a very hot time for them,” Inglis said at a House Homeland Security Committee hearing. “And we need to make sure that that continues to be the case.”
The White House has also sought to rally allies to crack down on the sources of funding for ransomware gangs. The National Security Council last month hosted an initial 30-country meeting where governments said they would do more to strengthen network defenses against the threat. A follow-up meeting with 35 countries was held Tuesday and covered efforts to “accelerate cooperation to counter ransomware,” according to a White House statement.
Meanwhile, US officials say they are doing more to map out the most important US critical infrastructure that needs to be protected.
Easterly told the House Homeland Security Committee hearing Wednesday that her agency expects to identify “150 to 200 entities” in the US that are top priorities to defend against hacking threats.