Presses heads of OMB & DHS on steps to ensure that vulnerabilities were addressed across federal & contractor systems
May 15 2017
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly, asking what steps the federal government has taken to ensure that federal IT and contractor systems have installed critical security updates to defend against the WannaCry ransomware that has attacked and disabled hundreds of thousands of computers in 150 countries since Friday.
“Both within the federal government and across critical infrastructure sectors, IT security has too often been either, at best, addressed as an afterthought in the product development cycle or, at worse, simply neglected. While appropriate policy responses will depend on a fuller accounting of this outbreak’s attribution, an inescapable conclusion is that we must immediately address the insecurities embedded in commercial software,” wrote Sen. Warner. “This devastating ransomware worm propagates within networks by exploiting a vulnerability in the network protocol that hosts running Windows operating systems used for providing shared access. As you know, Microsoft issued a security update to remediate this vulnerability two months ago. Ensuring that patches are implemented in a timely, and secure, manner is an entirely different matter, however.”
While the National Institute of Standards and Technology recommends security-related software updates to be installed within a defined timeframe, the Government Accountability Office found numerous instances where federal agencies failed to comply with those deadlines.
Today Sen. Warner pressed the agency heads responsible for federal IT management and cybersecurity to share information about the government’s response to the WannaCry outbreak, including how OMB and DHS are ensuring that appropriate security patches have been applied to legacy IT systems across the federal government as well as federal contractor systems, and whether they have taken steps to work with the private sector to identify whether sensitive or critical systems are at risk for the WannaCry ransomware.
The full text of today’s letter appears below.
Dear Secretary Kelly and Director Mulvaney,
The global ransomware outbreak dubbed WannaCry has directed renewed attention to the unfortunate state of our nation’s legacy IT systems. As the sponsor of legislation introduced in two prior Congresses that would finally devote overdue resources to agencies to modernize their legacy systems, this is an issue of great concern to me. Both within the federal government and across critical infrastructure sectors, IT security has too often been either, at best, addressed as an afterthought in the product development cycle or, worse, simply neglected.
While appropriate policy responses will depend on a fuller accounting of this outbreak’s attribution, an inescapable conclusion is that we must immediately address the insecurities embedded in commercial software. This devastating ransomware worm propagates within networks by exploiting a vulnerability in the network protocol that hosts running Windows operating systems use for providing shared access. As you know, Microsoft issued a security update to remediate this vulnerability two months ago. Ensuring that patches are implemented in a timely, and secure, manner is an entirely different matter, however.
Patch management is a complex undertaking, particularly for large organizations and enterprises. Large organizations, including federal agencies, often do not know what insecure endpoints (and associated software) may be operating on their networks. Indeed, just last month the Department of Homeland Security reported that the Continuous Diagnostics and Monitoring tools had revealed the average agency to have 44% more so-called ‘shadow IT’ on their networks than their records indicated. Needless to say, ensuring that all of an agency’s information systems implement up-to-date security updates is made infeasible if an agency does not have an accurate inventory of endpoints connected to its network.
Further, these events have revealed that in some cases patching may have significant operational implications. While maintaining unsupported, end-of-life systems reflects clear mismanagement, there exists a limited number of instances where IT professionals may be unable to implement patches due to other constraints. For instance, patches can break concurrently operating programs, or render a system inoperable for periods of time. Further, a piece of capex-intensive equipment may have been designed with embedded software that is now end-of-life, meaning that one cannot upgrade component software, or the operating system, without replacing the entire machine. We have what appears to be a major, long-term economic problem when costly, critical systems with double-digit expected lifespans are supported by software only expected to be supported for four or five years.
For all of these reasons, I authored provisions that would direct DHS’s R&D grant activity towards research to drive greater software assurance and to assist in the development and acceleration of tools to securely and automatically update software with limited impact on concurrently operating systems and processes. These pending legislative efforts, however, cannot address the ransomware outbreak that is currently impacting systems worldwide.
While the National Institute of Standards and Technology (NIST) recommends security-related software updates to be installed within a defined timeframe (in many cases seven to 30 days for critical patches), the Government Accountability Office (GAO) has found numerous instances where agencies failed to comply with those deadlines. For instance, a report from May of last year noted that agencies consistently failed to apply critical security patches in a timely matter, including sometimes years after a patch has been made available. GAO also identified instances where agencies were using software no longer supported by its vendors.
This afternoon, I was pleased to hear that the President’s Homeland Security Advisor had announced that no federal systems had been infected by the WannaCry ransomware. Given the continued problems with maintaining secure federal information systems, however, I respectfully request your response to the following questions:
- 1. What steps did you take to ensure that the critical security update issued for the Microsoft Windows SMB vulnerability was implemented on all federal information systems?
- 2. As you know, FISMA requires agencies to ensure security for information and systems maintained by or behalf of agencies by contractors. What steps have you taken to ensure that the critical security update was implemented by relevant federal contractors?
- 3. To the extent that any federal information systems continue to use end-of-life software, including operating systems, have your agencies ensured that patches available for those products have been implemented?
- 4. Has DHS worked with private sector critical infrastructure providers to assess the threat of the WannaCry ransomware (in its current form, and anticipating potential variants) posed to sensitive, life-critical, and/or critical systems?
Thank you for your consideration of this important matter. I look forward to your response within the next two weeks.
Mark R. Warner
United States Senator