Warner presses federal agencies in wake of WannaCry

U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly, asking what steps the federal government has taken to ensure that federal IT and contractor systems have installed critical security updates to defend against the WannaCry ransomware that has attacked and disabled hundreds of thousands of computers in 150 countries since Friday.

“Both within the federal government and across critical infrastructure sectors, IT security has too often been either, at best, addressed as an afterthought in the product development cycle or, at worse, simply neglected. While appropriate policy responses will depend on a fuller accounting of this outbreak’s attribution, an inescapable conclusion is that we must immediately address the insecurities embedded in commercial software,”wrote Sen. Warner. “This devastating ransomware worm propagates within networks by exploiting a vulnerability in the network protocol that hosts running Windows operating systems used for providing shared access. As you know, Microsoft issued a security update to remediate this vulnerability two months ago. Ensuring that patches are implemented in a timely, and secure, manner is an entirely different matter, however.”

While the National Institute of Standards and Technology recommends security-related software updates to be installed within a defined timeframe, the Government Accountability Office found numerous instances where federal agencies failed to comply with those deadlines.

Today Sen. Warner pressed the agency heads responsible for federal IT management and cybersecurity to share information about the government’s response to the WannaCry outbreak, including how OMB and DHS are ensuring that appropriate security patches have been applied to legacy IT systems across the federal government as well as federal contractor systems, and whether they have taken steps to work with the private sector to identify whether sensitive or critical systems are at risk for the WannaCry ransomware.