Security holes going unpatched

The CIO Council is asking every federal chief information officer to find and fix the lapses that made a top 10 list of critical Internet security


The list, released Thursday, includes problems that have solutions, but the solutions have not been put in place by federal systems administrators. So agency World Wide Web sites keep getting hacked, and agencies keep ending up in the news after being hit by attacks that should not have happened, said Alan Paller, director of research at the SANS Institute, a group of federal, industry and academic experts that coordinated the list.

The CIO Council's Security, Privacy and Critical Infrastructure Committee is sending the list to all federal CIOs with a memorandum asking them to take immediate action, said John Gilligan, CIO at the Energy Department and co-chairman of the committee.

"Our intent is, 'This is not a one-shot [deal where] we're going to fix everything.' The intent is to begin the process," Gilligan said.

It also will help CIOs and systems administrators answer a common question from management, Gilligan said: "The question that is asked often after an investigation, after an audit, is, 'Why is it that we continue to have these problems? It seems so simple.'"

The top 10 list will change as new vulnerabilities are discovered and new attacks are made, so simply listing the top vulnerabilities and threats will not make every agency more secure. However, the review it starts will be "enormously valuable," Gilligan said.

"It's not that all of the vulnerabilities have been summarized in the top 10, although many of them have, but it gives us a place to start beginning to fix the problems and also to define our processes," he said.
