Feds Propose "911" Emergency Call for Reporting Security Flaws; Experts Warn It's Easier Said Than Done

Filip TRUȚĂ

September 04, 2020

  • CISA drafts directive to create a vulnerability disclosure policy for government websites and apps
  • Agency seeks to centralize the effort via a standard vulnerability disclosure platform service next spring
  • Cybersecurity veteran Katie Moussouris warns that the success of the directive largely hinges on triage and response

The Cybersecurity and Infrastructure Security Agency (CISA) has announced plans to launch a contact center – akin to the 911 emergency number – for reporting cybersecurity issues affecting government web portals and apps.

The initiative, essentially a full-fledged vulnerability disclosure program, seeks to explain to those who find flaws in an agency’s digital infrastructure “where to send a report, what types of testing are authorized for which systems, and what communication to expect in response.”

CISA uses phishing as an example of how malicious actors could exploit weaknesses in government websites to steal user credentials. It links to the Common Weakness Enumeration (CWE) page on URL Redirection to Untrusted Site as a vector that facilitates phishing attacks.

“An open redirect – which can be used to give off-site malicious content the appearance of legitimacy – may not be on par with a fire, yet serious vulnerabilities in internet systems cause real-world, negative impacts every day,” CISA notes.
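CISA’s open-redirect example, illustrated with added code that is not from the article: the unsafe pattern of trusting a `next` parameter verbatim, beside an allowlist check that also normalises the slash and backslash tricks browsers accept but `urllib` parses differently. Function names, `gov.example` and the allowlist are constructed placeholders.

```python
"""Open-redirect guard (CWE: URL Redirection to Untrusted Site).
Added example with hypothetical names; gov.example is a constructed site."""
import re
from urllib.parse import urlparse

# Exact-match allowlist of hosts this site may redirect to (constructed).
ALLOWED_HOSTS = {"gov.example", "login.gov.example"}


def vulnerable_redirect_target(next_url: str) -> str:
    """The unsafe pattern: the redirect target is taken verbatim, so
    '?next=//evil.example' sends the user off-site under the site's name."""
    return next_url


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site path or an http(s) URL whose host is allowlisted."""
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False                      # empty, whitespace or control characters
    t = target.replace("\\", "/")         # browsers treat '\' as '/' in http(s) URLs
    t = re.sub(r"^/{2,}", "//", t)        # '///evil.example' resolves as '//evil.example'
    try:
        parts = urlparse(t)
    except ValueError:                    # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, custom schemes
    if parts.scheme and not parts.netloc:
        return False                      # 'https:evil.example' parses without a netloc
    if parts.netloc:
        return parts.hostname in allowed_hosts   # hostname strips userinfo and port
    return t.startswith("/")              # plain same-site path


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Hardened replacement: redirect to a known-good page when the target is unsafe."""
    return next_url if is_safe_redirect(next_url) else fallback
```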

“In many instances, a trained eye can spot critical deficiencies and yet have no one to report it to. It shouldn’t be hard to tell the government of potential cybersecurity issues — but it will be unless we’re intentional about making it easier,” the agency says.

The draft binding operational directive of the initiative is dubbed BOD 20-01. CISA calls it part of its “renewed commitment to making vulnerability disclosure to the civilian executive branch as easy conceptually as dialing 911.”

“That concept hinges on an understanding that 911 is distributed, and the center your call is routed to is dependent on physical geography. We’re aiming similarly,” says the agency, which operates under the Department of Homeland Security.

CISA aims to centralize the effort, or at least part of it, via a standard vulnerability disclosure platform service next spring.

“We expect this will ease operations at agencies, diminish their reporting burden under this directive, and enhance discoverability for vulnerability reporters,” it says.

Katie Moussouris, a pioneer in vulnerability disclosure and a key figure in creating the US Department of Defense’s first bug bounty program for hackers, offered her take on the initiative – as reported by UK technology news outlet The Register.

While she applauds the move, Moussouris feels the feds are biting off more than they can chew.

“You can’t just throw a point of contact up to solicit vulnerability reports from the public with no process behind it and expect good security as a result,” she wrote.

The success of the directive largely rests on the ability of agencies and departments to implement successful triage and response, Moussouris explained.

“It is imperative that these agencies and departments put in place the tools that they will need to manage responsive programs before launching their respective vulnerability disclosure programs,” said the veteran researcher.
