Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said November 10 that the agency’s Binding Operational Directive (BOD) issued earlier this month to Federal agencies to remediate against a list of 300 known exploited cyber vulnerabilities appears to be getting a good reception from government and industry as an effective roadmap on how to prioritize action against prevalent cyber threats.
The BOD gives agencies six months to remediate against a relatively short list of common vulnerabilities and exposures (CVEs) identified by CISA before 2021 and two weeks to remediate any CVEs identified during this calendar year. The order also gives agencies 60 days to update their internal vulnerability management procedures.
Speaking at an event organized by Wired, Easterly said the BOD “really is game-changing, and I was so glad that it got the reception that it deserved from across the community and some of our partners” in the Joint Cyber Defense Collaborative (JCDC) formed earlier this year by CISA and a number of private-sector firms.
“At the end of the day, this is a signal of prioritization and focus” for Federal agencies on threats they need to focus on first, she explained. “There are so many vulnerabilities that are out there, it’s almost hard to get your arms around how do you effectively prioritize.”
“If you know that of the 18,000 vulnerabilities in 2020, only four percent were actively exploited in the wild, then you have this very strong signal about where you need to put your resources and time,” she said.
“This was incredibly helpful in terms of helping our … executive branch partners manage their resources and focus,” she said.
Easterly said the BOD also represents “a real signal to industry and to critical infrastructure owners and operators about how they should prioritize.” She said CISA has seen the BOD document downloaded nearly 1,500 times since it was issued, which she said is “super positive to me.”
“Something called the binding operational directive” isn’t “terribly sexy,” she said. “But this one landed in a way and received the reception that it deserved,” Easterly said, adding that the BOD is “really trying to do things differently and send a signal … you can prioritize resources to ensure that you are safer and more secure on your networks and systems.”
‘Kitchen Table’ Issue
Elsewhere during her remarks, Easterly ticked off a blizzard of statistics to illustrate the scope of the larger, global cybersecurity problem – 4.7 billion people use the internet, 4.3 billion use social media, and there are 21 billion internet-connected devices. “We have everything connected … we are a world digitized, and the attack surface has grown [with] volume and variety of data exponentially, and at the same time we have seen threat actors, nation-states, and cybercriminals alike become better resourced, more sophisticated, and more capable,” she said.
“The consequences of cyber intrusions are increasing,” Easterly said, with ransomware attacks, in particular, helping to transform cybersecurity into a “kitchen table issue.”
“We’ve seen ransomware impact on people’s lives whether that’s gas at the pump, food in the grocery store, money from the bank, to disruptions against hospitals and schools and municipalities,” she said. “It’s really starting to have a wake-up effect,” the CISA director said, along with “positive downstream consequences on the realization of what we need to do as part of the collective defense of the nation.”
Advisory Committee Preview
Finally, Easterly hinted at some news to come in the form of a possible cybersecurity advisory committee that may include hackers and researchers.
Asked about her outreach to the hacking community through events, including this year’s Black Hat USA convention in August, Easterly replied, “at the end of the day … I feel like that’s my community, man.”
“We want to ignite the power of hackers and researchers and academics because at the end of the day, the world is full of vulnerabilities, and I feel like the offense is dominating the defense,” Easterly said. Being able to tap into the hacker and academic community to help close those vulnerabilities is “incredibly important,” she added.
“I had some really good outreach after that, and we are going to continue to recognize great folks that reach out to us to identify vulnerabilities; there are many of them. I think it’s hugely important. I’m very much hoping to what I call ‘ignite the community,’ and I will be bringing some folks on our soon to be announced Cybersecurity Advisory Committee” to help in that effort, she said.
“We have to do things differently,” Easterly said. “In many ways, the status quo [of security] is unacceptable.”