This is because there have been two major hacks in the past 10 years.
The Biden administration is ordering federal agencies to fix hundreds of vulnerabilities in software and hardware that hackers are known to exploit, according to a new government directive released Wednesday.
The one-of-a-kind directive, released by the DHS Cybersecurity and Infrastructure Security Agency, includes a list of vulnerabilities “that pose significant risk to the federal business” with technical specifics that agency executives are required to review and process within 60 days. Some areas will require a more immediate solution, according to CISA.
“Cyber security threats are among the greatest challenges facing our nation,” Homeland Security Secretary Alejandro Mayorkas said in a statement on Wednesday. “Organizations of all sizes, including the federal government, must protect themselves against malicious cyber actors who seek to infiltrate our systems, compromise data and endanger American lives.”
US information systems have been the victim of a growing number of cyber attacks in recent years targeting schools, hospitals and critical infrastructure.
A 2020 cyber-intrusion into U.S. company SolarWinds, which sells software to the federal government, was not discovered until months after malicious code was injected into a routine software update. The discovery sent government officials scrambling to determine if their systems were compromised.
Last July, the United States and its allies condemned China for a cyberattack on Microsoft’s mail servers and said Chinese government-backed hackers carried out ransomware or cyberextortion attacks for millions of dollars. China-backed hackers were able to bundle several lower-level vulnerabilities to exploit Microsoft systems, according to CISA.
The new directive aims to combat this hacking strategy by restructuring its vulnerability classifications and establishing a working catalog of flaws that need to be corrected.
“This directive will dramatically improve the federal government’s vulnerability management practices and degrade our adversary’s ability to exploit a known vulnerability,” CISA director Jen Easterly told lawmakers at a House Homeland Security hearing on Wednesday.
The guidelines do not apply to the Department of Defense or US intelligence agencies.
The order is one of the most extensive federal cybersecurity mandates in U.S. history, and it is the first government-wide patching requirement that covers both online and internal systems, according to the Wall Street Journal.
During the House hearing on Wednesday, Republican Representative Clay Higgins expressed concern that the government was not taking enough proactive and offensive measures to defend critical infrastructure.
“Why don’t we enlighten these criminals with a counterattack cyberattack?” Higgins asked.
“It is important to bring transgressors to justice,” replied Chris Inglis, national director of cybersecurity.
“Equally important is a campaign that covers all the means by which we can thwart their efforts,” said Inglis. “We need to start with increased resilience and robustness in technology, in the skills of our people, in roles and responsibilities.”