With new generations of AI models powering both rapid discovery of software vulnerabilities and potentially faster operations by malicious hackers, the United States Cybersecurity and Infrastructure Security Agency issued a new directive on Wednesday that requires faster and more effective software fixes from federal civilian agencies. The “Binding Operational Directive” (BOD) defines a rubric for how quickly bugs must be fixed, based on four urgency criteria, with a turnaround time in the most critical cases of just three days.
Chris Butera, CISA’s acting executive deputy director for cybersecurity, told reporters Wednesday that the goal of the directive is to help agencies prioritize, so they can address the most dangerous vulnerabilities first while taking more time to fix bugs that pose a less pressing risk. The directive comes as private companies and governments struggle to gauge the scale of the cybersecurity challenge that AI-driven vulnerability discovery and exploit development could trigger.
“Prioritizing IT and security operations on assets most at risk is now particularly important given advances in artificial intelligence, which enable malicious actors to find and exploit vulnerabilities in [federal] […]” “Defenders cannot afford to take weeks to patch systems that can be exploited en masse and autonomously.”
The directive’s criteria for assessing patch urgency are whether the vulnerability is in a publicly exposed system, whether the bug is listed in CISA’s Known Exploited Vulnerabilities catalog, whether an attacker could automate every step needed to exploit the vulnerability, and what access an attacker would gain to the target if the bug were exploited. A vulnerability where all four criteria apply must be fixed within three days, according to the new directive, and the agency must also perform a “forensic triage” process to determine whether its systems have already been compromised.
The directive replaces two previous CISA orders that set timelines for remediating urgent vulnerabilities: one from 2019 and one from 2021. Those established a framework in which the most critical bugs had to be fixed within 15 days of detection and another class of high-urgency vulnerabilities within 30 days, and both encouraged faster remediation of serious flaws when possible. Even before the age of AI, in 2021, CISA wrote that “threat actors exploit vulnerabilities of their choice extremely quickly: of these [known exploited vulnerabilities], 42% are used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.”
U.S. federal cybersecurity has improved significantly over the past decade, but it often lags behind the private sector because of funding shortfalls and competing priorities. CISA’s Butera said the agency developed the new assessment rubric, and the directive more broadly, with those constraints in mind. He noted, for example, that the three-day turnaround for the most urgent vulnerabilities is not, say, 24 hours, because such a short window would not be feasible for most agencies.
New AI capabilities are already changing the landscape of vulnerability discovery and bug hunting. And while that brings new urgency to patching, many researchers have begun to conclude, in essence, that no amount of patching will be enough, and that the global software development community must adopt new architectural or systemic approaches that eliminate entire classes of vulnerabilities at once.
“The CISA directive has its heart in the right place, but it only addresses half the challenge,” says Emily Long, CEO of cloud security company Edera. “If your architecture doesn’t limit what an attacker can achieve after a breach, you’re just running faster on the same treadmill. Patching will always be important, but we should be talking more about containment by design.”
CISA’s Butera appeared to acknowledge this on Wednesday. The new directive “is a first step to counter the increased capabilities of emerging AI models,” he said. “Yet there is still work to be done.”
