Would a cyber playbook reduce risk?
- By Derek B. Johnson
- Sep 30, 2019
Cybersecurity playbooks may be in the works to help public- and private-sector organizations manage known cybersecurity risks.
Under the recently introduced Cybersecurity Vulnerability Remediation Act, the Department of Homeland Security would open its stores of technical guidance on cybersecurity mitigation to other federal agencies and the broader public.
The House bill charges the Cybersecurity and Infrastructure Security Agency with developing and distributing "playbooks" detailing responses to the most critical known vulnerabilities, including hardware and older applications that no longer receive support from the vendors who created them, a problem that plagues the government and many critical infrastructure sectors.
The bill would empower the Science and Technology Directorate of DHS to establish an incentive-based program that would pay private companies and academics to develop their own remediation solutions to the same vulnerabilities. It also requires the director of CISA to submit annual reports to Congress on how it is coordinating vulnerability disclosure programs with industry and other stakeholders.
"The vulnerabilities that will receive an entry in the playbook are serious and, if used by an adversary, can lead to significant costs and disruption of vital goods and services to the public," the bill's sponsor, Rep. Sheila Jackson Lee (D-Texas), said in floor remarks. "Just think of your water system, run mostly by local entities, or the electric grid, run mostly by the private sector."
Basic cyber hygiene failures, like unpatched systems or phishing vulnerabilities, remain the primary attack vector for most successful cyberattacks against government and industry. The National Security Agency has said publicly that it hasn't had to respond to a zero-day vulnerability in more than four years, largely because attackers are having so much success using commonly known vulnerabilities that aren't addressed due to negligence or other complications that prevent timely patching.
Unsupported hardware and software continues to be a major problem in the federal space. A 2016 Government Accountability Office report surveyed a dozen agencies and found all 12 were using unsupported operating systems that no longer received updates from their provider. The Departments of Commerce, Defense, Health and Human Services, Treasury and Veterans Affairs all reported using Microsoft operating systems from the 1980s and 1990s that hadn't been patched in more than a decade.
Last month, DHS kicked off an initiative to set up a SecureDrop portal to anonymously report bugs found in the systems of government agencies, critical infrastructure entities and other sectors. The Department of Justice has put out its own framework for how public and private sector organizations can organize similar programs.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.