House bill seeks a cyber playbook

The House passed legislation Sept. 26 that would open up a treasure trove of technical guidance about cybersecurity vulnerabilities housed at the Department of Homeland Security to other federal agencies and the broader public.

The Cybersecurity Vulnerability Remediation Act, sponsored by Rep. Sheila Jackson Lee (D-Texas), would require DHS and the Cybersecurity and Infrastructure Security Agency to disseminate and share its cybersecurity mitigation protocols with other agencies, industry, academia and other sectors.

CISA would be charged with developing and distributing "playbooks" detailing the most critical known vulnerabilities as well as strategies to thwart them. It covers hardware and out-of-date applications that are so old they no longer receive patching or support from the vendors who created them, a problem that plagues the government and many critical infrastructure sectors.

The bill would empower the Science and Technology Directorate of DHS to establish a program that would pay private companies and academics to develop their own remediation solutions to the same vulnerabilities. It also requires the director of CISA to submit annual reports to Congress on how it is coordinating vulnerability disclosure programs with industry and other stakeholders.

"The vulnerabilities that will receive an entry in the playbook are serious and, if used by an adversary, can lead to significant costs and disruption of vital goods and services to the public," Lee said in floor remarks yesterday. "Just think of your water system, run mostly by local entities, or the electric grid, run mostly by the private sector."

Basic cyber hygiene failures, like failing to patch systems or phishing attacks, remain the primary attack vector for most successful cyberattacks against government and industry. The National Security Agency has said publicly that it hasn't had to respond to a zero-day vulnerability in more than four years, largely because attackers are having so much success using commonly known vulnerabilities that aren't addressed due to negligence or other complications that prevent timely patching.

Unsupported hardware and software continues to be a major problem in the federal space. A 2016 Government Accountability Office report surveyed a dozen government agencies and found all 12 were using unsupported operating systems that no longer received updates from their provider. The Departments of Commerce, Defense, Health and Human Services, Treasury and Veterans Affairs all reported using Microsoft operating systems from the 1980s and 1990s that hadn't been patched in more than a decade.

Last month, DHS kicked off an initiative to set up a SecureDrop portal to anonymously report bugs found in the systems of government agencies, critical infrastructure entities and other sectors. The Department of Justice has put out its own framework for how public and private sector organizations can organize similar programs.