HERSHEY, Pa. — The exploitation of zero-day vulnerabilities is on the rise globally and directly impacting federal agencies, part of what a senior Cybersecurity and Infrastructure Security Agency official called a “very eventful past six months” in the cyber threat landscape.
Michael Duffy, the associate director for capacity building within CISA’s cybersecurity division, said that in the past month or so, the agency has seen “a really high increase in zero-day activity, exploits that we’re seeing across the globe, really affecting the federal government networks throughout the federal government.”
Duffy’s comments, made during a cybersecurity governance panel this week at ACT-IAC’s Imagine Nation ELC conference in Hershey, Pa., come following a notable decline in so-called in-the-wild zero days last year. According to a July report from Google’s Threat Analysis Group, 41 zero days were detected and disclosed in 2022, down from 69 in 2021.
Despite the decline, the number of zero-day exploits observed in the wild remained the second-highest since TAG started tracking such exploits in 2014. U.S. government officials recently have described a tendency toward growing sophistication in state-backed hacking campaigns, one hallmark of which is the use of previously unknown vulnerabilities, known as zero days.
Having observed “several individual zero days,” Darren Turner, the National Security Agency’s cybersecurity directorate chief of critical networks defense, spoke of the need for “alignment and unification” when it comes to combating those threats. That includes not just all government agencies, but also “the defense industrial base and industry writ large.”
Turner said that once one zero day has been discovered, that can help generate other, similar vulnerabilities — which may be one reason why the use of such vulnerabilities is increasing over the long term.
“You ever wonder how they can be kind of cascading on the same general area?” Turner said of zero-day activity. “Often when you do the analysis of what is occurring, then what you find is, if there was an issue here in a zero day, then there was probably a shortcut somewhere else in the process, which is why you tend to get several out of the same area.”
Duffy also noted that in fiscal year 2023, CISA saw “among the first instances of ransomware within the federal government” as well as “an uptick in DDoS activity” that is “actually disrupting a lot of federal activity.”
Federal agencies were hit in a global cyberattack conducted by a Russian hacking group last June, but a senior CISA official told CNN at the time that the ransomware gang had made no ransom demands of the government.
Though the past half-year has been an especially busy one for government cyber officials, Duffy said the Biden administration, Congress and federal agencies are now better coordinated on cybersecurity issues. Broadly speaking, there’s ideal “alignment” on everything “from the national cyber strategy to the cyber executive order to the new CISA cybersecurity strategy,” he said.
“As we are working through all of those threat actions, all of those concerning things that we’re seeing through zero days and through advanced persistent threat activities, we know that we’re taking the right foundational steps, and that’s extremely meaningful,” Duffy said. “The government right now has a thoughtful approach to its cybersecurity strategy.”