DHS cyber agency issues order boosting cybersecurity vulnerability reporting

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a final directive requiring all federal agencies to develop and publish cyber vulnerability disclosure policies. 

The directive, which is the finalized version of a draft order published by CISA in November, is intended to make it easier for the public to disclose cybersecurity vulnerabilities to federal agencies and to know what types of communication to expect after reporting the issue.

“Cybersecurity is strongest when the public is given the ability to contribute, and a key component to receiving cybersecurity help from the public is to establish a formal policy that describes how to find and report vulnerabilities legally,” Bryan Ware, assistant director for Cybersecurity at CISA, said in a statement. 

In a separate blog post, Ware compared vulnerability disclosure to alerting authorities to a house fire or another emergency. 

“Imagine visiting a government web application – say, website.gov – on a balmy evening and noticing an open redirect on the site,” Ware wrote, referencing a type of cyber vulnerability. “You click around. Nothing on the site hints at how to report this. What do you do? If you’re into cybersecurity, you might send a short email to security@website.gov, pulse some contacts when it bounces, and tweet something spicy about website.gov.”

“It doesn’t have to be this way,” he added. 

CISA asked the public for input on the draft order last year, the first time the agency had taken that step. Ware wrote that CISA received over 200 recommendations, including those from the Commerce, Education, Energy, Justice, and Treasury Departments, House Minority Leader Kevin McCarthy (R-Calif.), Sen. Amy Klobuchar (D-Minn.), and Rep. James Langevin (D-R.I.).

“Even though not all suggestions led to a direct change, every comment helped us think more deeply about vulnerability coordination in the federal enterprise,” Ware wrote. “Our sincere thanks.”

Langevin, a member of the congressionally-established Cyberspace Solarium Commission, applauded the move by CISA on Wednesday. 

“When cybersecurity researchers find a flaw in software, they need to have some mechanism for reporting it so it can be fixed,” Langevin said in a statement. “I have long advocated for vulnerability disclosure policies that provide clear guidelines for such reporting, and, today, the federal government is taking an important step in normalizing them.”