Democratic Sen. Mark Warner has written to federal officials asking for details about how agencies patched their systems to protect them against the fast-spreading WannaCry ransomware.
White House homeland security adviser Thomas Bossert told reporters during the daily briefing Monday that no federal systems had been infected, but Warner noted in his letter that despite a National Institute of Standards and Technology recommendation that security-related software updates “be installed within a defined timeframe (in many cases seven to 30 days for critical patches),” the Government Accountability Office last year found “numerous instances where agencies failed to comply with those deadlines.”
Microsoft included a fix for the vulnerability, an SMBv1 flaw covered by security bulletin MS17-010, in its regularly scheduled patch release in mid-March. Over the weekend, the company took the unprecedented step of releasing a patch for several discontinued but still widely used products, including Windows XP.
In the letter, released Monday afternoon, the Virginia senator asks Homeland Security Secretary John Kelly and Office of Management and Budget Director Mick Mulvaney what steps they took to ensure that the patch Microsoft issued in March was promptly applied to computer networks of federal agencies and their contractors.
A DHS official told CyberScoop that some federal agencies were able to use new capabilities under the government-wide Continuous Diagnostics and Mitigation, or CDM, program to scan their systems and identify any potentially vulnerable machines on their networks.
“A number of agencies are already at a level of maturity with the CDM tool deployment that they are able to use those tools to look across their [IT] environment to see if they’re vulnerable, if they have the right patch in place,” said CDM Program Manager Kevin Cox.
He declined to specify which agencies, citing security concerns, but said for those that were able to use CDM, it was a huge time-saver.
“Rather than the agencies having to go out and manually determine which of their systems might be affected, they will be able to look out via the CDM tools … and make a determination pretty quickly as to whether they’re impacted and the extent of that impact,” he said.
“Already the value of the program is showing itself,” he concluded.
Warner notes in his letter that last year’s GAO report “also identified instances where agencies were using software no longer supported by its vendors” — like XP — meaning it would generally not be patched against newly discovered vulnerabilities.
Many hospitals in Britain’s National Health Service, for instance, were infected, and their continued use of Windows XP was widely cited as a factor. But, as Warner notes, expensive equipment like MRI or CAT scan devices “may have been designed with embedded software that is now end-of-life, meaning that one cannot upgrade component software, or the operating system, without replacing the entire machine.”
The situation appears to be “a major, long-term economic problem when costly, critical systems with double-digit expected lifespans are supported by software only expected to be supported for four or five years,” Warner wrote.
He went on to ask whether out-of-date software still being used by agencies had been patched with the updates Microsoft made available over the weekend.
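As an added illustration of the kind of check Cox describes, here is a small Python triage script (not code from CyberScoop, the CDM program or any agency) that runs a patch-status inventory against the March fix and the 30-day critical-patch window Warner cites, and also flags the unsupported systems his later questions cover. The inventory records, host names, the sets of supported and out-of-band-patched operating systems, and the seven-day scan-staleness cutoff are all constructed for the example; the patch key MS17-010 is Microsoft’s bulletin for the SMB flaw WannaCry exploits, which the article itself does not name.

```python
"""Triage a patch-status inventory for one critical fix.

Added example, not from the article, CDM, or any vendor. Everything below
the imports (inventory format, OS support sets, staleness cutoff, and the
use of the bulletin ID as the inventory's patch key) is an assumption made
for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_ID = "MS17-010"               # Microsoft bulletin fixing the SMB flaw WannaCry exploits
PATCH_RELEASED = date(2017, 3, 14)  # Microsoft's regular March 2017 patch release
CRITICAL_WINDOW_DAYS = 30           # upper end of the NIST window quoted in the letter
PATCH_DEADLINE = PATCH_RELEASED + timedelta(days=CRITICAL_WINDOW_DAYS)
STALE_SCAN_DAYS = 7                 # assumed: older scan data cannot vouch for a host
TODAY = date(2017, 5, 15)           # the Monday the letter was released

# Assumed support status as of May 2017 (kept deliberately small).
SUPPORTED_OS = frozenset({"Windows 7", "Windows 8.1", "Windows 10",
                          "Windows Server 2008 R2", "Windows Server 2012 R2"})
# Discontinued products that received the out-of-band weekend patch.
OUT_OF_BAND_OS = frozenset({"Windows XP", "Windows Server 2003", "Windows 8"})


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patches: frozenset   # patch identifiers the scanner saw installed
    last_seen: date      # when the scanner last inspected the host


def classify(host: Host, today: date) -> str:
    """Return one status string for a host; 'patched' and
    'unsupported-patched' are the only states that count as fixed."""
    if today - host.last_seen > timedelta(days=STALE_SCAN_DAYS):
        return "stale"                     # no current evidence either way
    has_fix = PATCH_ID in host.patches
    if host.os in SUPPORTED_OS:
        if has_fix:
            return "patched"
        return "pending" if today <= PATCH_DEADLINE else "overdue"
    if host.os in OUT_OF_BAND_OS:
        return "unsupported-patched" if has_fix else "unsupported-missing"
    return "unsupported-no-fix"            # vendor shipped nothing for this OS


def summarize(hosts, today: date) -> dict:
    """Group host names by status, in inventory order."""
    report = {}
    for h in hosts:
        report.setdefault(classify(h, today), []).append(h.name)
    return report


def exposed(hosts, today: date) -> list:
    """Hosts that must still be treated as vulnerable: anything not
    positively confirmed patched by a fresh scan."""
    fixed = {"patched", "unsupported-patched"}
    return sorted(h.name for h in hosts if classify(h, today) not in fixed)


# Constructed sample inventory (not real agency data).
INVENTORY = [
    Host("ws-01", "Windows 7", frozenset({"MS17-006", "MS17-010"}), date(2017, 5, 14)),
    Host("ws-02", "Windows 7", frozenset({"MS17-006"}), date(2017, 5, 14)),
    Host("srv-01", "Windows Server 2012 R2", frozenset({"MS17-010"}), date(2017, 5, 15)),
    Host("xp-lab", "Windows XP", frozenset(), date(2017, 5, 15)),
    Host("xp-mri", "Windows XP", frozenset({"MS17-010"}), date(2017, 5, 15)),
    Host("ws-03", "Windows 10", frozenset({"MS17-010"}), date(2017, 4, 20)),
]

if __name__ == "__main__":
    for status, names in summarize(INVENTORY, TODAY).items():
        print(f"{status:20s} {', '.join(names)}")
    print("still exposed:", ", ".join(exposed(INVENTORY, TODAY)))
```

The point of the `stale` state is the one Cox alludes to: a tool can only report on what it has recently seen, so a host whose last scan predates the cutoff is listed as exposed rather than silently trusted, and an unsupported machine is reported separately so that the out-of-band patch question can be answered per host.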
Warner concludes: “Has DHS worked with private sector critical infrastructure providers to assess the threat of the WannaCry ransomware (in its current form, and anticipating potential variants) posed to sensitive, life-critical, and/or critical systems?”
The senator asked for a response within two weeks.