The U.S. Lags Behind China in Spotting Cyberthreats
In March, the Apache Software Foundation announced it had discovered a critical flaw in its software, one now famous as the unpatched Achilles’ heel of Equifax Inc. that allowed hackers to make off with sensitive information on 145 million Americans. We don’t yet know who got into Equifax, but we do know Chinese hackers looking to exploit the bug, and Chinese companies defending against attacks, had a head start. Details of the flaw were published to China’s National Vulnerability Database within a day of Apache’s announcement. It didn’t show up in the official U.S. database for three days. By then, researchers were already documenting a wave of global attacks exploiting the faulty code.
China’s advantage is usually much greater, according to research published on Oct. 19 by Recorded Future, a cybersecurity company. There’s an average 20-day gap between when China’s database publishes information on newly discovered bugs and when its U.S. equivalent does, based on 17,940 vulnerabilities added to both databases over the past two years, the analysis showed.
“It’s sort of brutal, the difference in time,” says Christopher Ahlberg, chief executive officer of Recorded Future. “Hackers are amazingly fast about taking advantage of vulnerabilities, and that’s because hackers know that one of the best ways of getting into systems is finding ones that are unpatched.”
The research from Recorded Future is just the latest evidence of a flailing U.S. system of public reporting of software bugs. America’s National Vulnerability Database (NVD), a project run by the U.S. Department of Commerce’s National Institute of Standards and Technology, builds off a catalog of “common vulnerabilities and exposures” (CVEs) maintained by the nonprofit Mitre Corp. (Simple, right?) When Mitre created the catalog in 1999, it gave experts common names for threats that had various aliases. Starting in 2005 the NVD has added context and resources that organizations can use to address vulnerabilities. It should be the gold standard for those trying to keep their cybersecurity current.
But the database depends on voluntary submissions, mostly from the makers of the buggy software. The Chinese use a wider variety of sources and methods, including technical testing. Matt Scholl, chief of the division overseeing the NVD, says the U.S. process ensures vulnerability reports come from reliable sources. “This is one of the trade-offs between speed and accuracy,” he says.
Speed, or lack thereof, is just one issue for a system that urgently requires updating to handle new threats and vulnerabilities in industrial control systems, medical devices, and connected home appliances. The Recorded Future analysis found 1,746 CVEs in the Chinese database that don’t appear at all in the U.S. database, and the NVD is also falling behind commercial services. VulnDB, a database maintained by Richmond, Va.-based Risk Based Security Inc., published 9,690 vulnerabilities during the first six months of 2017, 4,092 more than the NVD in that period, according to the company’s analysis.
Consulting firm Risk Based Security estimates that organizations relying solely on the CVE system are missing almost half the vulnerabilities disclosed. VulnDB also charted a 29 percent increase in reported bugs in the first half of the year from the same period in 2016. The rise in overall vulnerabilities is accelerating with the growth of web-connected home appliances and the rest of what’s known as the internet of things, says Joshua Corman, chief security officer for software company PTC.
The government system, however, is still skewed toward business software vulnerabilities, with inadequate coverage of industrial control systems and medical devices, Corman says. The scoring system for impact and severity hasn’t kept pace with technology, either. Flaws that make an application crash get a relatively low score, but those sorts of things can yield devastating problems in a self-driving car or a smart medical device. “What scares me is that the vulnerabilities with the highest consequences of failure are also the least covered,” Corman says. “If it’s a denial of service on a bedside pump, it’s a fatality. Or if it’s a turbine, it’s an explosion.”
In March, the House Committee on Energy and Commerce sent letters to Mitre and the U.S. Department of Homeland Security, which oversees Mitre’s contract to run the CVE program, requesting information on what the nonprofit is doing to safeguard and improve U.S. cybersecurity practices. “The explosion in connected devices and services that has been associated with the CVE program’s shortcomings, while rapid, did not occur overnight,” the members of Congress wrote. Starting last year, Mitre has tried to improve speed and coverage by expanding the group of vendors and researchers authorized to add flaws to the CVE system. Coordinated vulnerability disclosures, such as an Oct. 16 announcement about a flaw in common Wi-Fi network security, show the security food chain working as intended, giving software makers a chance to fix things ahead of time.
Corman says the IT community may have to contribute more, either in manpower or funding. Recorded Future’s chief data scientist, Bill Ladd, has an impolitic idea for a shortcut: assign interns to copy stuff from the Chinese database. “I think the mission is clear, and it’s to be as comprehensive as possible,” he says. China’s system is proof, at least, that there’s room for improvement.