U.S. government agencies are not addressing known software vulnerabilities that leave them open to cyberattacks, according to a sweeping directive issued Wednesday by the government's top cybersecurity watchdog.
The directive, from the Cybersecurity and Infrastructure Security Agency, is one of the largest ever issued on the topic of computer security. It orders all federal agencies to create a process to systematically update software and hardware, and begin patching known flaws.
“Every day, our adversaries are using known vulnerabilities to target federal agencies,” CISA Director Jen Easterly said in an emailed statement.
The mandate is meant to help government agencies block some of the most common entry points for hackers. It takes effect at the beginning of 2022.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” Easterly said.
CISA will now keep a regularly updated catalog of major software vulnerabilities that it sees as a major threat, and listed around 200 of them in its initial publication.
U.S. federal agencies are a natural target for hackers who work for foreign governments. In the past year alone, investigators discovered large-scale hacking campaigns from both China and Russia, both of which broke into and stole information from multiple agencies.
While both of those campaigns hinged on creative, previously unknown software vulnerabilities, the vast majority of hacks rely on known software flaws, and can be prevented by updating to the latest version of a program.
CISA’s powers to regulate other agencies are limited, but are meant to provide a guidepost for cybersecurity practices for the entire country.
“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” Easterly said. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”