Feds Propose ‘911’ Emergency Call for Reporting Security Flaws; Experts Warn It’s Easier Said Than Done


  • CISA drafts directive to create a vulnerability disclosure policy for government websites and apps
  • Agency seeks to centralize the effort via a standard vulnerability disclosure platform service next spring
  • Cybersecurity veteran Katie Moussouris warns that the success of the directive largely hinges on triage and response

The Cybersecurity
and Infrastructure Security Agency (CISA) has announced plans to launch a contact
center – akin to the 911 emergency number – for reporting cybersecurity issues
affecting government web portals and apps.

The
initiative, essentially a full-fledged vulnerability disclosure program, seeks
to explain to those who find flaws in an agency’s digital infrastructure “where
to send a report, what types of testing are authorized for which systems, and
what communication to expect in response.”

CISA uses phishing as an example of how malicious actors could exploit weaknesses in government websites to steal user credentials. It links to the common weakness enumeration (CWE) page detailing URL Redirection to untrusted sites as a vector facilitating phishing attacks.

“An open
redirect – which can be used to give off-site malicious content the appearance
of legitimacy – may not be on par with a fire, yet serious vulnerabilities in
internet systems cause real-world, negative impacts every day,” CISA notes.

“In many
instances, a trained eye can spot critical deficiencies and yet have no one to
report it to. It shouldn’t be hard to tell the government of potential
cybersecurity issues — but it will be unless we’re intentional about making it
easier,” the agency says.

The draft
binding operational directive of the initiative is dubbed BOD 20-01. CISA calls
it part of its “renewed commitment to making vulnerability disclosure to the
civilian executive branch as easy conceptually as dialing 911.”

“That
concept hinges on an understanding that 911 is distributed, and the center your
call is routed to is dependent on physical geography. We’re aiming similarly,” says
the agency, which operates under the Department of Homeland Security.

CISA aims to
centralize the effort, or at least part of it, via a standard vulnerability
disclosure platform service next spring.

“We expect
this will ease operations at agencies, diminish their reporting burden under
this directive, and enhance discoverability for vulnerability reporters,” it
says.

Katie Moussouris, a pioneer in vulnerability disclosure and a key figure in creating the US Department of Defense’s first bug bounty program for hackers, offered her take on the initiative – as reported by UK technology news outlet The Register.

While she
applauds the move, Moussouris feels the feds are biting off more than they can
chew.

“You can’t
just throw a point of contact up to solicit vulnerability reports from the
public with no process behind it and expect good security as a result,” she
wrote.

The success
of the directive largely rests on the ability of agencies and departments to
implement successful triage and response, Moussouris explained.

“It is
imperative that these agencies and departments put in place the tools that they
will need to manage responsive programs before launching their respective vulnerability
disclosure programs,” said the veteran researcher.