Tuesday, October 15, 2024

CISA Innovates with a Crowdsourced VDP Cybersecurity Strategy

DHS Agency Leans on Vulnerability Disclosure Program to Protect Americans

Say what you will about the federal government and its challenges in adapting to fast-changing circumstances. Sometimes those same government agencies can still lead the way in the fight against cybercriminals and terrorists.  

Take the Cybersecurity and Infrastructure Security Agency, or CISA, which was recently recognized with the Innovation of the Year award at the 2023 CyberScoop 50 Awards for its Vulnerability Disclosure Policy (VDP) Platform. The CyberScoop 50 Awards honor the accomplishments of public and private sector cybersecurity leaders who are responsible for protecting critical networks, information, and infrastructure.

CISA is the agency of the Department of Homeland Security charged with overseeing efforts to understand, manage, and reduce risks to the country’s cyber and physical infrastructure. As the operational leader for national cybersecurity, CISA coordinates all the elements of critical infrastructure security and resilience. For years, cautious federal officials resisted building partnerships with crowdsourced security experts, largely out of lingering fears about the motivations of the global hacker community. That calculation has changed as CISA has ramped up its VDP Platform to increase vulnerability awareness and remediation across the U.S. government, drawing on that same hacker community to improve the nation’s security posture.

The VDP program gives crowdsourced security researchers authorization to probe federal IT systems and network infrastructure for security vulnerabilities. In this way, the government can find and patch vulnerabilities before bad actors exploit them. Since 2021, the CISA VDP Platform has onboarded 40 federal agencies and received more than 1,300 valid disclosures, with a remediation rate of 85%.

Threat experts collaborate through the platform’s centralized dashboard to search for vulnerabilities and disclose their findings for systems across the Federal Civilian Executive Branch. The goal is to encourage good-faith security research through a secure, user-friendly interface that enables better collaboration and quicker sharing of new vulnerabilities.

CISA’s recognition as a security innovator stems from its extensive VDP management offerings, augmented by agency-specific vulnerability disclosure processes. The format enables different agencies to take advantage of the VDP Platform by offering an opportunity to members of the public to research specific systems for vulnerabilities.

More Eyes on the Problem Leads to Better Security Outcomes

The VDP Platform provides multiple tangible benefits to help CISA improve U.S. cybersecurity, such as:

  • Promoting an agency’s launch to attract an elite bench of fully vetted researchers.
  • Allowing agencies to scope and alter their individual VDP programs, and helping them develop engagement rules.
  • Supporting an agency’s ability to intake, triage, and track the remediation of vulnerabilities.
  • Facilitating and tracking vulnerability reports from researchers, based on agency-defined VDP policies.
  • Connecting agencies with the full weight of CISA’s capabilities and resources towards vulnerability identification.

The CISA VDP Platform enhances the government’s ability to define, understand, and mitigate vulnerabilities by triaging each disclosure upon receipt from a researcher. The technology conducts an initial validation of the disclosure’s legitimacy and classification, before assigning a priority rating score based on the threat severity.

A vulnerability on a federal system persists until someone discovers it, so it is clearly in the best interest of the American public to have these vulnerabilities disclosed for remediation rather than left for an attacker to find. In one example, the platform checks every incoming submission against the Known Exploited Vulnerabilities (KEV) catalog, which repeatedly surfaces KEVs that the government’s existing scanning tools had missed.
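The triage flow described above (validate the submission, classify it, then raise its priority if it references a catalogued KEV) can be made concrete with a small worked example. The code below is an added illustration, not the VDP Platform’s own code: the KEV feed sample is constructed with placeholder CVE IDs, its field names mirror the public KEV JSON feed only as an assumption, and the in-scope domain, severity-to-priority mapping and `Submission` fields are hypothetical.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed stand-in for the KEV catalog feed. Field names follow the public
# JSON feed as an assumption; the CVE IDs and descriptions are invented
# placeholders, not real catalog entries.
KEV_FEED_JSON = """
{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "shortDescription": "placeholder entry", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
     "shortDescription": "placeholder entry", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Hypothetical scope an agency would publish in its VDP policy.
IN_SCOPE_DOMAINS = ("agency.example.gov",)

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
SEVERITY_TO_PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}


@dataclass
class Submission:
    report_id: str
    host: str                 # affected system named by the researcher
    severity: str             # researcher-claimed severity
    description: str          # free text, may mention CVE IDs
    steps_to_reproduce: str


@dataclass
class TriageResult:
    report_id: str
    valid: bool
    priority: Optional[str]
    kev_matches: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def load_kev_ids(feed_json: str) -> Set[str]:
    """Index the feed by CVE ID so each submission check is a set lookup."""
    return {entry["cveID"].upper() for entry in json.loads(feed_json)["vulnerabilities"]}


def extract_cve_ids(text: str) -> Set[str]:
    """Pull CVE identifiers out of free-text report prose, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}


def triage(sub: Submission, kev_ids: Set[str]) -> TriageResult:
    result = TriageResult(report_id=sub.report_id, valid=True, priority=None)

    # 1. Initial validation: the target must be in scope and the report reproducible.
    if not sub.host.endswith(IN_SCOPE_DOMAINS):
        result.valid = False
        result.notes.append(f"host {sub.host} is outside the published scope")
    if not sub.steps_to_reproduce.strip():
        result.valid = False
        result.notes.append("no reproduction steps supplied")
    if not result.valid:
        return result

    # 2. Classification: base priority from the claimed severity (unknown -> medium).
    result.priority = SEVERITY_TO_PRIORITY.get(sub.severity.lower(), "P3")

    # 3. KEV check: any referenced CVE that is on the catalog overrides to top priority,
    #    because it is known to be exploited in the wild regardless of claimed severity.
    result.kev_matches = sorted(extract_cve_ids(sub.description) & kev_ids)
    if result.kev_matches:
        result.priority = "P1"
        result.notes.append("matches KEV catalog: " + ", ".join(result.kev_matches))
    return result


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED_JSON)
    sample = Submission("R-1", "portal.agency.example.gov", "medium",
                        "SSRF reachable via cve-2099-0001 in the VPN portal", "1. send request")
    print(triage(sample, kev))
```

The KEV override is the point worth noting: a researcher may rate a finding as medium, but if it corresponds to a CVE already on the catalog it goes straight to the front of the remediation queue, which is how the check can surface exploited bugs that routine scanning missed.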

The numbers don’t lie: In the quarter after onboarding to the new VDP Platform, agencies received on average 67 more vulnerability disclosure reports than in the prior quarter. The potential damage from any of the identified vulnerabilities, especially those categorized as Critical and Severe, could be catastrophic and widespread. Through December 2022, the VDP Platform facilitated the remediation of 1,119 vulnerabilities out of 1,330 unique, validated submissions. If just one of those 1,119 remediated vulnerabilities had been exploited to result in a full data breach, the federal government would have spent an estimated $4.35 million in response and recovery.

In addition to preventing potentially disastrous losses, this process is a force multiplier for government efficiency: the VDP Platform handles initial intake and validation, so each agency spends its time and resources only on valid submissions. By attracting a broadly diverse group of public security researchers from around the world, the VDP Platform bridges the gap between the public and private sectors to continually improve the federal government’s security posture over time.

Dave Gerry

Bugcrowd Chief Executive Officer Dave Gerry most recently served as Chief Revenue Officer and Head of Global Operations (COO) at WhiteHat Security, where he oversaw global revenue growth, service delivery, and customer-facing operations. Gerry joined WhiteHat in 2017 and helped lead the company through the sale to NTT in 2019 and, most recently, the sale to Synopsys in 2022. Gerry has been in the AppSec market for nearly a decade and has held key leadership positions with several cybersecurity companies, including WhiteHat Security, Veracode, Sumo Logic, and The Herjavec Group. Gerry is passionate about building programs that are repeatable, scalable, and predictable, helping to drive customer business outcomes and technical value. He holds an MBA from Suffolk University and a BA from Merrimack College, and he lives with his wife, Jaclyn, and two daughters, Caroline (5) and Addision (2), in southern New Hampshire.
