US Govt Agencies Told to Patch Vulnerabilities, While Aussie Govt Agencies Ignore Cybersecurity Targets
On Nov. 3, 2021, the US's Cybersecurity and Infrastructure Security Agency (CISA) issued a compulsory directive to federal, executive branch, departments and agencies, stating that all vulnerabilities needed to be patched ASAP.
Vulnerabilities assigned prior to 2021 need to be patched within six months and all others i.e. 2021 and into the future, have to be patched within two weeks. If there is a "grave risk to the Federal Enterprise", these timelines will change. Currently there are more than 400 vulns listed on the CISA Known Exploited Vulnerabilities Catalog.
It's good to see firm action taking place, although you may wonder why 'so late'? Major cyber attacks occur almost on a daily basis and have been increasing yearly. Then again, Government(s) move slowly and it will be interesting to see if, and how many, of these entities comply. Perhaps the fact that the US is the most targeted nation by cyber attack will lead to action. Still, this directive has been published for a reason.
Government's around the world also have similar cybersecurity standards in place for their departments, agencies and the like.
The UK Government published its 10 steps to cyber security in 2012, with many references to vulnerabilities ("address known vulnerabilities promptly"), and followed this up in 2018 with its Minimum Cyber Security Standard, which contains 10 measures, one of those being "Vulnerability Management".
The Australian Government's cybersecurity program began in 2010, with a list of 35 strategies aimed at helping government departments and entities reduce the risk of cyber intrusions. That list was narrowed down to the "top four cyber mitigation strategies" in 2013, and then four more were added - including vulnerability management - in 2017 to form the Essential Eight.
Unfortunately, compliance with both the Top Four and Essential Eight has been lacking at both federal and state level. In 2019, nearly a decade after the federal cybersecurity program was introduced, 25 Commonwealth entities were assessed and none achieved the recommended maturity level for the Essential Eight. All were found to be vulnerable to cyber threats.
In Oct. 2021, government departments in New South Wales, Australia's most populous state, were found to be severely lacking in their Essential Eight compliance, leading the state's auditor-general to comment: "Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies."
While Australia isn't as targeted (by cyber attacks) as the US and UK, the fact that the national Parliament House was the subject of a state-sponsored cyber attack in February, 2019, should have caused alarm bells to ring throughout all levels of government. But nearly three years on, complacency remains.
Hopefully the new directive from CISA will see US government agencies be more proactive.