New Directives Seek to Address Discovered Cyber Vulnerabilities Fast

In a blog post for the Department of Homeland Security’s website, CISA’s assistant director Jeanette Manfra added that the agency issued the new directive, “(BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, to enhance federal agencies’ coordinated approach to ensuring effective and timely remediation of critical and high vulnerabilities in information systems.”

The directive was born out of the analysis of communications between the public and private sectors regarding perhaps the most critical factor in ensuring the best possible response: speed. According to Manfra’s piece, for the past several years DHS has been working along with other federal agencies to “identify, prioritize, and remediate critical vulnerabilities.” She also writes that recent reports now indicate that the “average time between discovery and exploitation of a vulnerability is decreasing,” even as “today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities.”

This is important as we continue to see the proliferation of attacks against networks in both the public and private sectors. In the public sector, there have been several instances of email or spear phishing attacks executed against many of our critical infrastructure networks. According to a report from the Russia-based cybersecurity firm Kaspersky Labs, 42.7% of the U.S. industrial control system (ICS) computers that utilized their software last year were attacked by malware, email phishing, or other threats.

In the private sector, an increase in “supply chain” attacks and the potential for lucrative gains for hackers remains a constant threat to consumers. A supply chain attack is normally executed via the insertion of malicious code into a code dependency or third-party service integration.

An example of this has been when several individual groups of cyber criminals that utilize the same family of malicious code known as “Magecart,” started injecting digital credit card skimmers on e-commerce websites in 2015. These credit card skimming operations have successfully stolen the details of at least 420,000 credit cards used by Ticketmaster and British Airways customers.

One of the more technically proficient groups among the Magecart bunch is known as “Magecart Group 12.” This hacking gang recently led an attack against OpenCart online stores, where they injected their digital skimmer via JavaScript after reviewing whether visitors had accessed the checkout or payment page.

Groups like Magecart Group 12 will almost certainly continue to sprout up across the so-called “dark web” in larger numbers. With an eye to the future, CISA directives like BOD 19-02, that seek to ensure that government agencies are meeting a minimum standard of reporting requirement, issuing weekly reports and even developing agency scorecards to identify deficiencies in governmental response to attacks, may prove to be critical.

It can also be reasoned that any new standards and regulations are more easily implemented and later audited within the government structure, so another factor critical to the success of BOD 19-02 will be the extent to which private organizations choose to comply and report incidents to CISA.

Manfra’s piece also noted that, “CISA encourages all partners, across all sectors, to set similar requirements – whether using the CISA directives or guidance from the National Institute for Standards and Technology (NIST).” As a way of preventing negative press, some private businesses may delay or refuse to report breaches, which denies the new directive the opportunity to be useful.

Finding a middle ground between forced compliance and volunteered cooperation will be important as CISA moves forward. Mitigating the next global cyber-attack may depend on it.

Julio Rivera is a small business consultant, political activist, writer and Editorial Director for Reactionary Times. He has been a regular contributor to Newsmax TV and columnist for Newsmax.com since 2016. His writing, which is concentrated on politics, cybersecurity and sports, has also been published by websites including The Hill, The Washington Times, LifeZette, The Washington Examiner, American Thinker, The Toronto Sun and PJ Media and many others. For more of his reports, Go Here Now.