Warner wants updates on feds' software patching

As the WannaCry ransomware hack wreaks havoc worldwide, one senator wants to make sure federal agencies are protected.

Sen. Mark Warner (D-Va.) is worried that federal networks could be vulnerable to malware such as WannaCry, which has been linked to an exploit developed by the National Security Agency.

"Both within the federal government and across critical infrastructure sectors, IT security has too often been either, at best, addressed as an afterthought in the product development cycle or, worse, simply neglected," Warner wrote in a May 15 letter to Homeland Security Secretary John Kelly and Office of Management and Budget Director Mick Mulvaney.

In a May 15 White House press briefing, National Security Advisor H.R. McMaster said that "as of today, no federal systems are affected."

At DHS, Kelly is leading public-private coordination efforts, McMaster said, and is "holding multiple calls per day in operational centers managing our response."

The WannaCry malware spreads from machine to machine without any assistance from users. Unpatched Windows machines are highly vulnerable. New variants of the contagion are reportedly being made by hackers who obtained the exploit via the Shadow Brokers leak in April. The first wave of attacks has been slowed by taking advantage of a "kill switch" inside the malware. New variants have been observed without the kill-switch function, although according to Kaspersky Labs, these have yet to propagate widely.

Warner is concerned about unpatched endpoints on federal networks.

"Patch management is a complex undertaking, particularly for large organizations and enterprises," Warner wrote. "Large organizations, including federal agencies, often do not know what insecure endpoints (and associated software) may be operating on their networks."

Warner wants information on the steps being taken by agencies to implement relevant Microsoft security updates, as well as details on how the government ensures contractors’ systems that connect to federal computers are patched as required by the Federal Information Security Management Act. Warner is also seeking details on patches to federal IT systems that are using out-of-support software like Windows XP and other retired systems.

Microsoft released patches for retired systems to guard against the WannaCry exploit.

According to a March 2017 White House report, 90 percent of agencies are hitting federal CIO targets for vulnerability management. The numbers are up for 2016 over 2015, largely thanks to the cyber sprint initiative that followed the hack of the Office of Personnel Management.

However, an agency-by-agency breakout for the last quarter of FY2016 shows that many large agencies, including the departments of State, Commerce, Energy, Transportation and Interior, were operating with vulnerability management levels far below the federal target of 95 percent.

The official reporting doesn't take into account unauthorized devices, or "shadow IT," operating on federal networks -- a problem noted by Warner in his letter.

"Needless to say, ensuring that all of an agency's information systems implement up-to-date security updates is made infeasible if an agency does not have an accurate inventory of endpoints connected to its network," Warner wrote.

So far, McMaster said in his briefing, "the U.S. infection rate has been lower than many parts of the world, but we may still see a significant impact on additional networks as these malware attacks morph and change."

McMaster also urged vigilance on patching.

"While it would be satisfying to hold accountable those responsible for the attack, something that we are working on quite seriously, the worm is in the wild, so to speak, at this point, and patching is the most important message, as a result," he said.  "Our business and government have responded with upgrades and patches, defensive mitigations, and this has dramatically reduced the vulnerable population over the last three days.  But this needs to continue to be our focus."