One of the main areas of focus both during and after the May 2017 global ransomware attack, dubbed WannaCry, was that it exploited a known Microsoft vulnerability for which the company released a patch three months prior to the attack.
Several affected organizations fell victim to the attack because they failed to implement the patch. Large organizations such as the Department of Defense are not exempt from protecting against such known vulnerabilities.
“That’s something we’re still struggling with,” Rear Adm. Kathleen Creighton, deputy commander of Joint Force Headquarters-DoD Information Networks, Cyber Command’s operational defensive arm, said during an AFCEA DC-hosted lunch Jan. 11.
Creighton said her organization fires off roughly one military order a day across the department on a global scale to the effect of: “Patch this, secure this, direct your attention to this.”
“It’s a constant barrage of orders that are coming out of the defensive side,” she said, adding that this is a good thing because they’re actual military orders, “it’s not just like an IT thing.”
Working with intelligence partners to understand both known and unknown threat vectors, JFHQ-DoDIN can put out mitigation efforts as orders, meaning “it’s not a just bulletin or nice to do when you get a chance. It’s: You will implement this by a date,” Creighton said.
Many inside and outside the DoD have noted the importance of cybersecurity to mission assurance, pointing to senior Pentagon leadership beginning to grapple with these challenges and make them a top priority, something not seen in prior years.
However, one of the challenges in mitigating known vulnerabilities currently from JFHQ-DoDIN’s perspective is a lack of situational awareness on the network.
Some organizations might say they’re complying, she said, rhetorically asking whether that’s true. Maybe only 70 or 80 percent, which makes them vulnerable. Given that a risk to one organization is a risk to all from a cybersecurity perspective, Creighton explained that she’d like better situational awareness tools across the entire network to ensure organizations are complying — whether they say they are or not.
“We’re still working to gain that capability to be able to say: ‘Yeah, I know you’re only at 80 percent because my system, my tool told me,’ ” she said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.