The Biden administration on Wednesday issued a sweeping order requiring almost all federal civilian agencies to remediate hundreds of security vulnerabilities that pose a serious risk of harmful intrusions into U.S. government computer systems.
The new directive is one of the most comprehensive cybersecurity directives ever issued for the federal government. It covers roughly 200 known vulnerabilities identified between 2017 and 2020 and about 90 more discovered in 2021, all of which have been observed being actively exploited by malicious actors. The flaws are listed in a new federal catalog as posing “significant risk to the federal enterprise.”
The directive, issued by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security component that issued the order, applies to all executive departments and agencies except the Department of Defense, the CIA and the Office of the Director of National Intelligence. The cybersecurity of civilian federal agencies is generally managed separately from that of the military and the national-security agencies.
“Organizations of all sizes, including the federal government, must defend themselves against malicious cyber actors who seek to infiltrate our systems, access our data and endanger the lives of U.S. citizens,” Homeland Security Secretary Alejandro Mayorkas said in a written statement issued alongside the order. “This directive requires civilian federal offices and agencies to defend against known critical vulnerabilities, in a way that will reduce the risk of malicious intrusion and increase the cybersecurity of us all.”
Federal agencies typically run their own vulnerability management programs, so some of the flaws highlighted in the new order have likely already been addressed, at least in part, by various departments. But some agencies chronically underperform in managing cyber risk, as internal audits have found in recent years, and senior officials have long said that stronger direction is needed to ensure agencies patch known flaws and adopt better practices.
While Congress has the power to pass legislation setting cybersecurity standards for the government, lawmakers several years ago delegated authority to the Department of Homeland Security to issue binding operational directives on known vulnerabilities. A 2020 review of those mandatory directives by the Government Accountability Office found that compliance across departments is high overall, but that some agencies miss the deadlines for remediating vulnerabilities.
When the senior cybersecurity officials of a department fail to comply with a directive, the Department of Homeland Security can notify the heads of that agency, who are then responsible for resolving the non-compliance. That kind of escalation does occur, but rarely, according to the 2020 Government Accountability Office report.
In the past, the Department of Homeland Security has issued cybersecurity directives to agencies, sometimes as emergency requirements to immediately fix an urgent software flaw being used in an active attack. In 2017, the Trump administration ordered the removal of Russian company Kaspersky’s antivirus software from all federal computers after senior U.S. intelligence officials raised concerns that the software was being used by Russia for espionage.
In 2015, a directive required federal agencies to patch critical vulnerabilities within a month of disclosure, with the critical rating defined by a public vulnerability database that scores flaws by severity. In 2019, the Department of Homeland Security extended the one-month patching requirement to vulnerabilities rated high as well.
Wednesday’s directive moves away from those severity categories, recognizing that even seemingly minor flaws can do serious damage when attackers use them to infiltrate a valuable system, particularly in a sophisticated attack that chains a minor flaw with other weaknesses.
The directive covers all software and hardware components of federal information systems, including those operated by third parties such as federal contractors, and includes flaws that do not reach the threshold for a high or critical rating. It is the first government-wide order to require remediation of both internet-connected and non-internet-connected systems.
The large majority of the flaws published in the catalog were not covered by previous directives, a senior official said. Those added in 2021 must be remediated within two weeks, and newly discovered flaws will in future be assigned even shorter deadlines, the official said. Agencies will have up to six months to address vulnerabilities discovered in earlier years, both because those carry a lower risk of exploitation and because security teams may otherwise be overloaded with fixing the more recently discovered flaws.
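As an added example, not code from the original article or from CISA, the script below applies the remediation schedule described above (two weeks for CVEs assigned in 2021 or later, six months for older ones, counted from the date a flaw was added to the catalog) to a constructed catalog and a constructed inventory of open findings, and reports which findings are past their deadline. It assumes the catalog is consumed as a JSON feed with `cveID` and `dateAdded` fields; the CVE numbers, hosts and dates are placeholders made up for illustration, and “six months” is interpreted as calendar months.

```python
import calendar
import json
from datetime import date, timedelta

# Constructed sample in the shape of a JSON feed of the catalog. The field
# names "cveID" and "dateAdded" are an assumption about that feed; the CVE
# numbers, dates and hosts below are placeholders invented for this example.
SAMPLE_CATALOG = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-90001", "product": "ExampleGateway", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2019-90002", "product": "ExampleVPN", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2021-90003", "product": "ExampleDB", "dateAdded": "2021-11-03"},
    ],
})

# Constructed inventory: host -> CVEs still unremediated on that host.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-2021-90001", "CVE-2019-90002"],
    "db-02": ["CVE-2021-90003"],
    "jump-03": ["CVE-2020-55555"],  # not in the catalog: outside the directive
}


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to the month's last day
    (e.g. 31 Aug + 6 months -> 28 Feb) so the result is always a valid date."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def due_date(cve_id: str, date_added: str) -> date:
    """Deadline under the schedule described above: CVEs assigned in 2021 or
    later get two weeks from the date they were added to the catalog; older
    CVEs get six months (assumed here to mean calendar months)."""
    added = date.fromisoformat(date_added)
    cve_year = int(cve_id.split("-")[1])
    return added + timedelta(days=14) if cve_year >= 2021 else add_months(added, 6)


def load_catalog(feed_text: str) -> dict:
    """Map each catalogued CVE to the ISO date on which it was added."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v["dateAdded"] for v in feed["vulnerabilities"]}


def overdue_findings(catalog: dict, inventory: dict, today: str) -> list:
    """Join open findings against the catalog and return those past their
    deadline as (host, cve, due, days_overdue), most overdue first."""
    today_d = date.fromisoformat(today)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve not in catalog:
                continue  # not a known-exploited flaw: outside this directive
            due = due_date(cve, catalog[cve])
            if today_d > due:
                rows.append((host, cve, due.isoformat(), (today_d - due).days))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_CATALOG)
    for host, cve, due, late in overdue_findings(cat, SAMPLE_INVENTORY, "2021-12-01"):
        print(f"{host}: {cve} was due {due}, {late} days overdue")
```

Run against the constructed data with 2021-12-01 as the reporting date, the two 2021 CVEs are flagged as 14 days overdue while the 2019 CVE is not yet due, and the finding that is not in the catalog is ignored; swapping in the real feed and a real inventory turns this into the compliance check an agency would run against the deadlines the directive sets.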
President Biden has sought to make cybersecurity a national-security priority since taking office in January, after previous administrations of both parties had largely relied on industry to address these issues voluntarily.
“While this directive applies to civilian federal agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using those same vulnerabilities,” Easterly said in a statement accompanying the new order. “It is therefore essential that every organization adopt this directive and prioritize addressing the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s public catalog.”