Beyond Biden cyber directive, government agencies need to manage their attack surface
Last week the Biden Administration put out one of the most sweeping cybersecurity directives in history, compelling all federal agencies to rapidly patch hundreds of known cyber vulnerabilities that attackers have targeted (since as far back as 2014).
While this order will disrupt certain ways adversaries have hacked into our systems for the time being, it still doesn’t address the root cause as to why the government has so many easily hackable systems with years-old weaknesses: that government agencies lack visibility into their vulnerable devices living on the open internet.
I saw this problem first hand as one of the cybersecurity leads for Operation Warp Speed, the U.S. government’s program to rapidly develop and distribute COVID-19 vaccines and therapeutics. As part of the Defense Digital Service, a rapid response team of technologists embedded in the Department of Defense, our team deployed attack surface management (ASM) tools that identified vulnerable vaccine-related systems on the internet that cyber adversaries might target. What we found was astonishing: not only the sheer number of publicly accessible government systems that possessed years-old weaknesses but how unaware many government security teams and leadership were of these devices or the scope of the problem.
U.S. government agencies need to do more than wait to be compelled to patch known vulnerabilities; they need access to ASM tools to help them rapidly find and fix their vulnerable devices on the open internet. By rapidly scanning segments (if not the entirety) of the internet, these tools can help governments identify systems they own on the internet, and can detect weaknesses that attackers could take advantage of. One might think of it like a home alarm system, which automatically finds any way a burglar could enter the home and indicate any weaknesses in those entries, like an unlocked door or an open window.
When a cyber vulnerability is discovered, there is essentially a race between attackers and defenders to be the first to find devices with that vulnerability. If the attackers win this race and hack into a government system before defenders can protect it, they could get access to our power grid, our medical records, or our tax information. Without having visibility into what devices it owns and which are vulnerable, the U.S. government is left scratching our heads at the starting line while our adversaries have already taken off.
ASM tools will enable government agencies to defend at the speed that adversaries attack. Currently, cyber adversaries, from nation-states like Russia and China to ransomware gangs, gain a speed advantage by using automation to rapidly identify vulnerable government systems. ASM tools, which leverage similar technology, would put the U.S. on more equal footing. Given that there can be dozens, if not hundreds, of critical new vulnerabilities released every year, the U.S. can’t afford to keep losing this race.
ASM tools’ use of automation and prioritization would also be a boon to under-resourced government security teams. Government agencies are known to be sprawling bureaucracies, making it nearly impossible for security teams to know when a distant department in their agency unintentionally publishes a new website with known weaknesses. Security teams of all sizes could use ASMs to develop accurate inventories of their internet-facing devices and maximize their efficiency by focusing on the most vulnerable systems first.
Aspects of ASM already exist in the U.S. government but are antiquated or not fully mature. The Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Hygiene program has tried to provide this capability to other agencies, and Congress nearly allocated $50 million to CISA to build out a voluntary, self-service ASM tool, Crossfeed, originally developed by the Defense Digital Service. However, the funding was omitted from the latest version of the “Build Back Better” bill. Clearly, CISA sees the value of ASM to secure government systems, but agencies may not necessarily adopt a voluntary tool — which requires additional personnel (and therefore money) to operate — unless compelled or otherwise incentivized.
While forcing government agencies to patch vulnerabilities targeted by adversaries is a win for government cybersecurity, the Biden administration must still address the lack of visibility into the government’s internet footprint and enable individual agencies to obtain the proper tools. Beyond its continued investment in CISA and the Crossfeed tool, the administration should find ways to incentivize and measure agencies’ use of ASM and their effectiveness.
Our goal should be to have agencies — not adversaries — be the first to know about their vulnerable devices so they can take action quickly. Until government agencies are able to effectively manage their internet footprint, adversaries will continue to hack into our systems before we can defend them, leaving the safety, security, and privacy of Americans at risk.
Daniel Bardenstein is a Fellow at the Aspen Institute’s Tech Policy Hub and leads government cybersecurity projects at the Defense Digital Service.