The Biden administration is ordering federal agencies to fix hundreds of vulnerabilities in software and hardware that hackers have been known to exploit, according to a new government directive released Wednesday.
The first-of-its-kind directive, issued by the DHS Cybersecurity and Infrastructure Security Agency, includes a list of vulnerabilities "that carry significant risk to the federal enterprise" with technical specifics that agency leaders are required to review and address within 60 days. Some areas will require a more immediate fix, according to CISA.
“Cybersecurity threats are among the greatest challenges facing our Nation," Homeland Security Secretary Alejandro Mayorkas said in a statement Wednesday. "Organizations of all sizes, including the federal government, must protect against malicious cyber actors who seek to infiltrate our systems, compromise our data, and endanger American lives.”
U.S. information systems have fallen victim to an increasing number of cyber attacks in recent years targeting schools, hospitals and critical infrastructure.
A 2020 cyber intrusion into the U.S. company SolarWinds, which sells software to the federal government, was not discovered until months after malicious code was injected into a routine software update. The discovery sent government officials scrambling to determine if their systems were compromised.
Last July, the U.S. and its allies condemned China for a cyber assault on Microsoft email servers and said hackers supported by the Chinese government had carried out ransomware or cyber-extortion attacks for millions of dollars. The Chinese-backed hackers were able to string together multiple, lower-level vulnerabilities to exploit Microsoft systems, according to CISA.
The new directive aims to address this hacker strategy by restructuring its classifications for vulnerabilities and establishing a working catalog of flaws that need to be addressed.
"This directive will significantly improve the federal government's vulnerability management practices and degrade our adversary's ability to exploit known vulnerability," CISA Director Jen Easterly told lawmakers at a House Homeland Security hearing Wednesday.
The directives do not apply to the Department of Defense or U.S. intelligence agencies.
The order is one of the most expansive federal cybersecurity mandates in U.S. history and it's the first requirement of governmentwide fixes that spans both online and internal systems, according to the Wall Street Journal.
At the House hearing Wednesday, Republican Rep. Clay Higgins expressed concern the government was not taking enough proactive, offensive steps to defend critical infrastructure.
"Why are we not lighting these criminals up with a counter strike cyber attack?" Higgins asked.
"It is important to bring transgressors to justice," National Cyber Director Chris Inglis responded.
"Equally important is a campaign that covers all the ways that we can thwart their efforts," Inglis said. "We need to begin with increased resilience and robustness in the technology, in the skills of our people, in the roles and responsibilities."