White-hat hackers, researchers and academics who probe widely used software for vulnerabilities and alert developers to security flaws are being invited to join an advisory committee at the Cybersecurity and Infrastructure Security Agency, the agency’s top official said Wednesday.
“We want to ignite the passion of hackers, researchers and academics … and tap into the brilliance and the goodness of that community,” Jen Easterly, CISA’s director said at an event hosted by Wired magazine.
Easterly is the first top U.S. cyber official who previously worked as a hacker for the National Security Agency, and she helped establish the U.S. Cyber Command. She is also a former U.S. Army officer who worked in intelligence and cyber operations.
Members of such an advisory committee would find and report vulnerabilities that the government would be obligated to address, Easterly said.
In the absence of such a mechanism, vulnerabilities found by academics and researchers could be sold to the highest bidder, she said.
CISA and several other departments and agencies across the U.S. government are stepping up efforts to combat ransomware and other cyberattacks.
The Justice Department this week announced the arrest of a Ukrainian national associated with the REvil ransomware attack in May. It also issued an indictment of a Russian.
So-called white-hat hackers find vulnerabilities and alert software developers so the flaws can be fixed, unlike their black-hat counterparts, criminals who find flaws and use them to attack governments and companies.
Each year, researchers find tens of thousands of security flaws in commonly used software that are the inadvertent result of the software development process. The world’s top intelligence agencies also find and use software flaws to spy on each other without disclosing the gaps to software makers.
Once a software company becomes aware of a flaw, it typically issues a patch that users then have to download and incorporate.
But government agencies and companies often struggle to patch their software because of the time and cost involved in fixing multiple flaws. A software flaw that’s left unpatched often becomes the path for a criminal to stage a cyberattack.
Easterly said that 92 percent of the software flaws exploited by criminals in recent ransomware attacks had fixes but that users had not implemented them.
CISA last week issued an order directing federal agencies to fix some 300 of the most widely known software flaws for which patches were already available.
By listing the known flaws that are routinely used in cyberattacks, CISA was helping agencies prioritize their time and resources, Easterly said.
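The prioritization the article describes, matching what an organization actually runs against a list of flaws known to be exploited and fixing the overdue, patchable ones first, is easy to show in code. The example below is added here for illustration; it is not CISA's tooling, and the catalogue entries, the CVE-style identifiers, the product names and the hosts are all constructed placeholders rather than real data.

```python
"""Prioritise patching by cross-referencing an asset inventory against a
catalogue of flaws known to be exploited in the wild.

Added illustration, not CISA's tooling. Every identifier, product name,
version and host below is a constructed placeholder, not real data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KnownExploitedFlaw:
    """One catalogue entry: the affected product, the first version that
    carries the fix ("" if none has been published yet) and the date by
    which the flaw is expected to be remediated."""
    flaw_id: str      # constructed placeholder, e.g. "CVE-0000-0001"
    product: str
    fixed_in: str
    due: date


@dataclass(frozen=True)
class InstalledSoftware:
    """One install found in the asset inventory."""
    host: str
    product: str
    version: str


def parse_version(text: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically rather
    than as strings (as strings, '2.4.9' would sort above '2.4.49')."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(item: InstalledSoftware, flaw: KnownExploitedFlaw) -> bool:
    """An install is exposed when it runs the affected product at a version
    older than the one carrying the fix. With no fix published, every
    version of the product is treated as exposed."""
    if item.product != flaw.product:
        return False
    if not flaw.fixed_in:
        return True
    return parse_version(item.version) < parse_version(flaw.fixed_in)


def prioritise(inventory, catalogue, today: date):
    """Return (host, flaw_id, days_until_due, fix_available) for every exposed
    install, most urgent first: overdue items (negative days) come first,
    then the nearest due date; on the same date, items with a patch come
    ahead of items without one because they can be acted on today."""
    findings = []
    for item in inventory:
        for flaw in catalogue:
            if is_vulnerable(item, flaw):
                days_left = (flaw.due - today).days
                findings.append((item.host, flaw.flaw_id, days_left, bool(flaw.fixed_in)))
    findings.sort(key=lambda f: (f[2], not f[3], f[0]))
    return findings


# Constructed sample catalogue; the identifiers are placeholders, not real CVEs.
CATALOGUE = [
    KnownExploitedFlaw("CVE-0000-0001", "webserver", "2.4.50", date(2021, 11, 17)),
    KnownExploitedFlaw("CVE-0000-0002", "vpn-gateway", "9.1.2", date(2021, 11, 3)),
    KnownExploitedFlaw("CVE-0000-0003", "mail-relay", "", date(2021, 12, 1)),
]

# Constructed sample inventory; host and product names are placeholders.
INVENTORY = [
    InstalledSoftware("web-01", "webserver", "2.4.49"),
    InstalledSoftware("web-02", "webserver", "2.4.51"),
    InstalledSoftware("vpn-01", "vpn-gateway", "9.0.9"),
    InstalledSoftware("mail-01", "mail-relay", "3.2.0"),
]

if __name__ == "__main__":
    for host, flaw_id, days_left, fixable in prioritise(INVENTORY, CATALOGUE, date(2021, 11, 10)):
        status = "fix available" if fixable else "no fix yet: mitigate or isolate"
        print(f"{host:8} {flaw_id} due in {days_left:+d} days ({status})")
```

Run against the constructed data on 2021-11-10, the overdue VPN gateway lands at the top of the list, the web server with a week left follows, and the mail relay with no published fix comes last; that last case is the one the article's 92 percent figure does not cover, and it is why a report should say explicitly when a flaw has no patch rather than silently dropping it.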
In addition to stepped-up efforts to combat ransomware, CISA is also focused on expanding election security and countering mis- and disinformation ahead of the 2022 midterm elections and the 2024 presidential election, Easterly said.
CISA has hired Kim Wyman, Washington’s secretary of state and a Republican, as the agency’s senior election security official.
Easterly said she has had discussions with experts in mis- and disinformation and is looking to expand the CISA team that runs the agency's rumor control effort during elections.
“We are in the business of critical infrastructure,” Easterly said, referring to the agency’s role in safeguarding key facilities from cyberattacks. “And the most critical infrastructure is our cognitive infrastructure, so building resilience is incredibly important,” she said, referring to the agency’s effort to combat disinformation during elections.